[HN Gopher] Ruby Shield: Shopify donates $1M to stewards of ruby...
___________________________________________________________________
Ruby Shield: Shopify donates $1M to stewards of rubygems, bundler
Author : jacques_chester
Score : 318 points
Date : 2022-07-06 17:12 UTC (5 hours ago)
(HTM) web link (rubycentral.org)
(TXT) w3m dump (rubycentral.org)
| brianwawok wrote:
| To put in perspective, Shopify has a market cap of 41B. This is
| 0.00002 of that.
|
| The average net worth of an American is 122k[0]. So this is like
| the average American donating $2.44 to a cause.
|
| [0] https://www.fool.com/research/average-net-worth-americans
| ufuk wrote:
| You do realize that market cap is not real money, right? That's
| like saying that an average American who earns 30K USD/year
| over 33 years will earn 1M USD and thus they should be
| considered a millionaire.
| brianwawok wrote:
| You do realize I compared market cap to net worth? And
| net worth is not money?
|
| Most of an individual's net worth is likely tied up in their
| primary residence and highly illiquid.
|
| If you want, you can repeat my math comparing personal income
| to corporate income. The difference you will find out is not
| substantial.
| rglullis wrote:
| I'm guessing you wouldn't mind sharing receipts of your
| donations that certainly amount to much more than 0.002% of
| your net worth?
| lolinder wrote:
| Your comparison is still flawed. Market cap is the value of
| the company in the eyes of its investors, which in theory
| factors in current assets, current profits, _and_ future
| expectation of profits. You compared that to the net worth
| of a single individual, which accounts for nothing but
| current assets.
|
| That said, you weren't all that far off. Based on Shopify's
| revenue of $4.6 billion and an average household income of
| $67k, this is equivalent to a donation of $14.57.
|
| I still argue that the presence of this kind of negativity
| in every thread about corporate donations is toxic.
| Corporations don't donate to FOSS nearly as often as they
| should, and there's no harm in giving them some credit on
| the rare occasions when it happens.
| [deleted]
| [deleted]
| prophesi wrote:
| Shopify's revenue last year was $4.6m, and that's before
| expenses, so I'd say it's quite a meaningful contribution.
| But regardless, a $1m donated to OSS is still $1m.
| wenc wrote:
| Shopify's revenue in 2021 was $4.6b.
| prophesi wrote:
| Welp, you can disregard my comment then lol
| rco8786 wrote:
| You must be fun at parties
| kyleee wrote:
| technically true, but does it have the same impact as a
| donation of $2.44?
| ipaddr wrote:
| Great question.
|
| They have different impacts. That million allows Shopify to
| get features it wants and aligns the project to its goals.
| That $2.44 comes without those strings.
|
| You can afford more developers with a million but you end up
| building something shopify supports which pulls existing
| resources away from current priorities.
|
| It can boost or even kill a project.
| rafaelfranca wrote:
| If you read the post you will see this is a donation
| without strings as well.
| ipaddr wrote:
| I'm not sure the post covers this. The intent is without
| strings but the truth is it buys a bigger voice and
| platform.
|
| Did you hear about the $2.44 I gave? No you didn't..
| there was no press release or hn article.
| rafaelfranca wrote:
| There is a section in the post exactly about that. Let me
| quote here:
|
| > What influence does this partnership give Shopify over
| Ruby Central?
|
| > This was an important consideration in Ruby Central moving
| forward the partnership. After discussion with Shopify and
| amongst the Ruby Central directors, the agreement was
| formulated as a donation without strings. Both parties have
| made it clear that usage of the donation is at the discretion
| of Ruby Central. As a good steward of the Ruby community, Ruby
| Central plans to disclose how the funds were used both for
| full transparency on the partnership as well as to highlight
| the work that was done.
| gkoberger wrote:
| So? $1M is $1M.
| asciiresort wrote:
| > So this is like the average American donating $2.44 to a
| cause.
|
| You're making this sound like a bad thing. It's a kind gesture
| nonetheless.
| scubbo wrote:
| /u/ufuk has already pointed out how this comparison is flawed,
| but even if it were not - now do the same comparison of how
| much other companies donate to OSS projects.
| jmcgough wrote:
| More big companies that use open source should do this or
| something similar. The dividends to security, developer
| productivity, etc are probably extremely high, particularly for a
| company with hundreds or thousands of engineers already. It's
| such an efficient use of money to give it to the people who
| already have the expertise to do the work.
| farleykr wrote:
| Do you think that would cause things to veer back toward a paid
| model or do you see a third way between straight up FOSS and
| paid software?
| jacques_chester wrote:
| It seems like my peers at other such companies are being
| modest, so I will speak up on their behalf.
|
| Microsoft and Google have jointly funded the OpenSSF Alpha-Omega
| project to the tune of $5M. In turn Alpha-Omega has
| granted $300k for Node.js security[0] and $400k each to the
| Python Software Foundation and the Eclipse Foundation for
| security work[1]. Google are also forming an "Open Source
| Maintenance Crew"[2], a group of engineers dedicated solely to
| helping OSS projects improve security. Meanwhile Google,
| Microsoft, VMware, Intel, Ericsson and Amazon have contributed
| $30M ($10M from Amazon alone![5]) to the OpenSSF[3] towards a
| $150M plan to address OSS ecosystem security more broadly[4].
| This will begin to bear substantial fruit over the next few
| years.
|
| For Shopify, Ruby Central is close to our history and our
| heart; it makes both logical and moral sense for us to give
| back generously. But that by no means diminishes that many
| companies are starting to step up in a big way across the
| board. It is an exciting and promising time for open source
| security.
|
| [0] https://openssf.org/blog/2022/04/18/openssf-selects-node-js-...
|
| [1] https://openssf.org/blog/2022/06/20/openssf-funds-python-and...
|
| [2] https://blog.google/technology/safety-security/shared-succes...
|
| [3] https://openssf.org/press-release/2022/05/12/the-linux-found...
|
| [4] https://openssf.org/oss-security-mobilization-plan/
|
| [5] https://aws.amazon.com/blogs/opensource/aws-investing-an-add...
| cosmiccatnap wrote:
| They have also laid off a bunch of their employees today...
| tra3 wrote:
| Link?
|
| I see a reference to them firing 50 people since April. They
| are still hiring aggressively, I'm talking to one of their
| recruiters next week.
| cosmiccatnap wrote:
| I bet you that you won't. Hope I'm wrong. They just split
| their stock and it's continuing to tank. Had a friend get his
| interview canceled today because they removed the position,
| said it was for financial reasons.
| ibawt wrote:
| https://www.theglobeandmail.com/business/article-shopify-com...
| asciiresort wrote:
| Therefore they should not sponsor this project from which the
| company derived value?
| brasic wrote:
| This is such great news for ruby. Here's hoping with these
| resources rubygems and bundler can add improved support for
| signature verification. Rubygems supports gem signing but without
| a good scheme for trust, key rotation, etc it is not particularly
| usable. Sprucing this aspect of the ecosystem up would go a long
| way towards allowing ruby to maintain its historical role at the
| vanguard of language specific package management.
|
| Another thing I would love to see is the ability to incorporate a
| signed attestation that a gem was built from a given signed
| commit. A common dirty trick by supply-chain blackhats is to
| publish a gem which contains code other than that of the
| corresponding tag in source control. Given that rubygems has no
| means to browse package contents other than downloading and
| extracting the tarballs for manual inspection this means that
| people typically reference changelog or diff links on source
| control hosts, despite the fact that those diffs will only be
| accurate for gems published by good-faith actors following
| platform norms.
|
| There are a number of ways to fix this and I sure hope one of
| them gets implemented.
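The check brasic describes, comparing what a published gem actually contains with the files at the corresponding tag, as an added Ruby example (not code from this thread, from RubyGems or from Ruby Central). It builds two small gems from a constructed file tree with the stdlib Gem::Package API, one matching the "tagged" tree and one carrying a modified file plus an extra file, then extracts each gem and diffs SHA-256 digests against the tree. The gem name, file contents and the idea of a "tag" are all constructed for the example; a real check would point the tagged tree at a checkout of the signed commit.

```ruby
require "rubygems"
require "rubygems/package"
require "digest"
require "fileutils"
require "tmpdir"

# Constructed sample: the files as they exist at the (hypothetical) signed tag.
TAGGED_SOURCE = {
  "lib/widget.rb" => "module Widget\n  VERSION = \"1.0.0\"\nend\n",
  "README.md"     => "# widget\n",
}.freeze

# Write +files+ (relative path => contents) under +dir+ and package them as a
# .gem with the RubyGems stdlib API. Validation is skipped because this is a
# throwaway example spec, not a publishable gem. Returns the .gem path.
def build_gem(dir, files)
  files.each do |path, body|
    FileUtils.mkdir_p(File.join(dir, File.dirname(path)))
    File.write(File.join(dir, path), body)
  end
  spec = Gem::Specification.new do |s|
    s.name    = "widget"
    s.version = "1.0.0"
    s.summary = "constructed example gem"
    s.authors = ["example"]
    s.files   = files.keys
  end
  Dir.chdir(dir) { File.join(dir, Gem::Package.build(spec, true)) }
end

# Relative path => hex SHA-256 for every regular file under +dir+.
def digest_tree(dir)
  Dir.chdir(dir) do
    Dir.glob("**/*").select { |p| File.file?(p) }
       .to_h { |p| [p, Digest::SHA256.file(p).hexdigest] }
  end
end

# Extract the published gem and report how its payload differs from the tree
# at the tag: files only in the gem, files missing from it, and files whose
# bytes changed. An empty report means the gem matches the tagged source.
def compare_gem_to_source(gem_path, tagged_files)
  expected = tagged_files.to_h { |p, body| [p, Digest::SHA256.hexdigest(body)] }
  Dir.mktmpdir do |dest|
    Gem::Package.new(gem_path).extract_files(dest)
    published = digest_tree(dest)
    {
      added:    (published.keys - expected.keys).sort,
      missing:  (expected.keys - published.keys).sort,
      modified: (published.keys & expected.keys)
                  .select { |p| published[p] != expected[p] }.sort,
    }
  end
end

# Build an honest gem and a tampered one from the same tag and compare both.
# Returns [honest_report, tampered_report].
def demo
  Dir.mktmpdir do |work|
    honest = build_gem(File.join(work, "honest"), TAGGED_SOURCE)
    tampered_tree = TAGGED_SOURCE.merge(
      "lib/widget.rb" => TAGGED_SOURCE["lib/widget.rb"] + "# line not present at the tag\n",
      "lib/extra.rb"  => "# file not present at the tag\n",
    )
    tampered = build_gem(File.join(work, "tampered"), tampered_tree)
    [compare_gem_to_source(honest, TAGGED_SOURCE),
     compare_gem_to_source(tampered, TAGGED_SOURCE)]
  end
end

if $PROGRAM_NAME == __FILE__
  honest_report, tampered_report = demo
  puts "honest gem:   #{honest_report}"
  puts "tampered gem: #{tampered_report}"
end
```

The comparison only covers the gem's data payload; a signed attestation of the kind brasic asks for would additionally bind this digest set to the commit, so that the check could be done once by the publisher and verified by everyone else instead of repeated by each consumer.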
| ironick09 wrote:
| You should send your suggestions to Ruby Central.
| jacques_chester wrote:
| brasic is also welcome to participate in the OpenSSF Securing
| Software Repos working group, where we collectively discuss
| these kinds of efforts across multiple ecosystems. The best
| place to get started is the OpenSSF "Get Involved" page:
| https://openssf.org/getinvolved/
| brasic wrote:
| Thanks!
| sandGorgon wrote:
| google should do the same for pypy and other python related
| projects.
|
| going all the way to tensorflow, google ought to have a lot of
| interest in the ecosystem to mature.
|
| but even the top story today -
| https://news.ycombinator.com/item?id=32002057 - was primarily
| Microsoft engineers
| xutopia wrote:
| Shopify is such a good citizen.
| elevenoh wrote:
| [deleted]
| Tabular-Iceberg wrote:
| Judging from the little I can see in spite of the paywall, it
| doesn't seem like Shopify did anything particularly nefarious
| for Trudeau.
|
| Unless there's more to the story I don't think it's fair to
| assign guilt by association because someone else did
| nefarious things in Trudeau's name.
| charlesbarbier wrote:
| Trudeau government tyranny? Give me a break
| elevenoh wrote:
| jacques_chester wrote:
| We work hard to be. We posted an accompanying blog post about
| how we see our place in OSS:
| https://shopify.engineering/shopify-open-source-philosophy
| ayewo wrote:
| Your HN handle has been a pretty vocal ambassador of
| Pivotal/VMware Tanzu on so many threads that the employee-
| employer association has become permanent in my lizard brain,
| which is why I had to do a double-take when I read your
| comment [plus the fact that I'm up a bit late ...]
|
| It only just dawned on me that you might have switched your
| employer allegiance to Shopify :)
| jacques_chester wrote:
| I was vocally at Pivotal->VMware for a total of 7 years, so
| a reasonable enough association to form. I've been at
| Shopify for a little over a year now.
| ayewo wrote:
| I see. Belated congrats on the new gig!
| belfalas wrote:
| Nice! I especially like "it improves engineering skills" - if
| an organization's engineers are never doing anything new their
| skills stagnate.
| dominotw wrote:
| Helps that the CEO understands what these things are and why
| they are useful.
| jacques_chester wrote:
| I had a small part in this and I'd be happy to answer questions
| about it.
| CharlesW wrote:
| How did the conversation about doing this start? Who made the
| case and sold it internally?
| jacques_chester wrote:
| > _How did the conversation about doing this start? Who made
| the case and sold it internally?_
|
| I made the initial pitch that we should support Ruby Central,
| but it took off very quickly once senior leadership saw the
| pitch. Once we got the go-ahead it was mostly worked out by
| Mike Dalessio (aka flavorjones) and Rafael Franca for Shopify
| and Evan Phoenix for Ruby Central.
| Tabular-Iceberg wrote:
| How do investors feel about this?
|
| Being a dev myself and knowing how the sausage is made and
| how FOSS is the casing that holds it all together, this
| investment makes perfect sense. But I can also see how
| investment types would complain, it doesn't exactly look
| like an investment in the books.
| jrockway wrote:
| This amount of money is well within what you'd expect to
| pay for various proprietary software packages. You can
| probably add up all unused-but-not-deleted VMs, S3
| buckets, and their payroll/vacation tracking software and
| you're at 1 million dollars.
|
| I've started responding to "hey, do you want to talk to
| sales?" messages with "sure", just to see what stuff
| costs in the real world. Everything is 5 or 6 figures,
| even static website hosting. I wouldn't pay $20,000 a
| month to host a static website, but someone must be,
| because that's what people are asking for on these calls.
| I can see a world where you say yes to even a few of
| these vendors, and the cost of securing the entire Ruby
| ecosystem looks like a rounding error in comparison.
|
| At the end of the day, I doubt the investors care. If
| they want to cut costs, there are much better ways.
| canucklady wrote:
| Shopify is _the_ Canadian meme stock. When I worked there
| everyone I met knew about them, not because of the
| product, but because the news loved to talk about Canada's
| one domestic tech success in the last 10 years. During
| the pandemic they briefly became Canada's most valuable
| company, and then lost all their gains for the past 2
| years, then did a stock split because it was trendy with
| retail investors.
|
| They have a ton of terrific engineers but the nouveau
| riche people from the IPO are largely insufferable, and
| the amount of reverence for tobi inside and outside of
| the company is just unhinged.
| mstipetic wrote:
| Shopify has more than 5 billion USD in revenue. I don't
| think investors care much.
| [deleted]
| [deleted]
| jeromegv wrote:
| Shopify is built with Ruby. The whole tech stack depends
| on it. Paying for that software one way or another is a
| normal business expense.
| Tabular-Iceberg wrote:
| > Paying for that software one way or another is a normal
| business expense.
|
| It should be, but conventional bookkeeping hasn't really
| kept up with the economic realities of this industry.
| Same reason why they fail to account for tech debt as a
| liability, refactoring as amortization and debugging as
| interest payments.
| vlunkr wrote:
| Hopefully by this point investors know that Shopify both
| relies on and contributes to lots of FOSS.
| flavorjones wrote:
| (I helped make the case internally at Shopify.) The key
| points we emphasized are in the Ruby Shield announcement, but
| to summarize:
|
| - Attacks on supply chains are way up
|
| - Use of open-source software is way up
|
| - Shopify is already contributing engineering time to bundler
| and rubygems.org
|
| - And there is additional shovel-ready work that Ruby Central
| could execute on with a financial contribution.
|
| Proactive security work now reduces the chances of a
| successful supply chain attack and the costs associated with
| recovery, investigation, and mitigation in addition to
| reputational damage.
|
| There are secondary benefits, too: when we're confident in
| the supply chain, we can more confidently update our
| dependencies in a timely fashion, meaning our developers have
| access to the newest library features; and we're able to
| patch known vulnerabilities faster. We invest a lot in
| feedback loops internally, and this is just another facet of
| that build/measure/learn cycle.
| jack_riminton wrote:
| Can you go into which particular aspects of security in Ruby,
| from Shopify's perspective, needs improving and how?
| jacques_chester wrote:
| I can give a limited answer based on my own day-to-day work.
| I work in Ruby Dependency Security, which is the team who are
| most involved in helping out with rubygems.org and RubyGems
| work. Our biggest effort lately has been about rolling out
| MFA requirements for owners of top-most-downloaded gems. What
| I'd like to do afterwards is focus on gem signing using
| sigstore, which would make it a "one click" experience for
| authors. We did some work on it earlier this year[0] but
| chose to focus on MFA as our first big push. We also aim to
| devote a substantial fraction of our time to chopping wood
| and carrying water: looking at honeybadger exception reports,
| etc.
|
| In terms of the long run there's a whole bunch that can be
| done to continuously harden every aspect of the Ruby supply
| chain. One thing we've been involved in founding is the
| OpenSSF Securing Software Repos working group[1], which has
| meant that RubyGems maintainers are now talking directly with
| folks from PyPI, npm, Maven Central, Cargo and others. We all
| face shared threats (eg, dependency confusion, resurrection
| attacks etc), so getting together to work collectively and
| share ideas has been super awesome.
|
| [0] https://github.com/rubygems/rfcs/pull/37
|
| [1] https://github.com/ossf/wg-securing-software-repos
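Dependency confusion, named above as one of the threats shared across package ecosystems, comes from a manifest that lets several indexes answer for the same gem name. The following is an added Ruby example, not code from this thread or from Bundler: a small stand-in for the parts of Bundler's Gemfile DSL that matter here is evaluated against a constructed weak Gemfile (two global sources, private gem declared at top level) and the corrected form (the private gem scoped to its source block), reporting which gems could be served by more than one index. The private index URL and the gem names are placeholders.

```ruby
# Minimal stand-in for the Gemfile DSL (an assumption for this example; it is
# not Bundler's own code). It records every global `source` and every `gem`,
# noting whether the gem was pinned to one source by a `source ... do` block
# or a `source:` option.
class GemfileAudit
  Dep = Struct.new(:name, :source)

  attr_reader :global_sources, :deps

  def initialize
    @global_sources = []
    @deps = []
    @scoped = nil
  end

  def self.evaluate(text)
    audit = new
    audit.instance_eval(text, "Gemfile")
    audit
  end

  # `source URL` adds a global source; `source URL do ... end` pins the gems
  # declared inside the block to that one source.
  def source(url)
    if block_given?
      previous, @scoped = @scoped, url
      yield
      @scoped = previous
    else
      @global_sources << url
    end
  end

  def gem(name, *_version, **opts)
    @deps << Dep.new(name, opts[:source] || @scoped)
  end

  # Other DSL calls (group, platforms, ...) do not affect the check; run
  # their blocks so gems declared inside them are still recorded.
  def method_missing(_name, *_args, &block)
    block&.call
  end

  def respond_to_missing?(*_args)
    true
  end

  # Gems that any of several global sources may satisfy. A name that exists on
  # both the public index and a private one is then resolved by whichever
  # index the resolver consults, which is the dependency-confusion hazard.
  def ambiguous
    return [] if global_sources.size < 2
    deps.select { |d| d.source.nil? }.map(&:name)
  end
end

# Constructed Gemfiles; the private index URL is a placeholder.
WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"   # second global source
  gem "rails"
  gem "acme-billing"                       # intended to come only from the private index
GEMFILE

FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  source "https://gems.example.internal" do
    gem "acme-billing"                     # can only be fetched from this index
  end
GEMFILE

# Returns the names of gems whose source is ambiguous in the given Gemfile.
def audit(gemfile_text)
  GemfileAudit.evaluate(gemfile_text).ambiguous
end

if $PROGRAM_NAME == __FILE__
  puts "weak Gemfile:  #{audit(WEAK_GEMFILE).inspect}"
  puts "fixed Gemfile: #{audit(FIXED_GEMFILE).inspect}"
end
```

Bundler itself warns when a Gemfile lists more than one global source, and the scoped `source ... do` block is the form it points users to; the checker above makes the same distinction explicit so it can run over a repository's Gemfiles in CI.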
| johnasmith wrote:
| Shopify CEO Tobias Lutke was a core Rails developer. He's tightly
| connected to the Ruby & Rails communities.
| ezekiel11 wrote:
| Yet Ruby on Rails and Ruby are in decline. It's getting harder to
| hire younger developers in this field; many don't even know what
| Ruby is or care for it.
|
| Seems like it's another PHP type of situation, one which companies
| will move away from in the coming years. Not the fault of the
| ecosystem or language but simply because it gets expensive and
| the talent pool shrinks, not a good driver for business decision
| makers to back.
|
| edit: I really don't understand the downvotes here. I am simply
| mentioning the changing requirements in many companies that used
| to be on RoR that cannot find enough senior developers with the
| budget they are used to, to the point that they are moving to a
| new platform. There's just not enough RoR jobs and not enough RoR
| senior devs in the marketplace today and it will be far more
| bleak in the near future. There's not a lot of new minds coming
| into RoR and that's the talent pool you are gonna be stuck with if
| you keep the trajectory. Ask any new graduate what tech stack
| language they are using; I'm willing to bet it isn't Ruby or RoR.
| Their attention is in JavaScript or Python or more niche
| languages like Rust/Elixir/Clojure.
| thallium205 wrote:
| If it's not the fault of the ecosystem or the language then why
| is it in decline?
| notpachet wrote:
| I actually think it's both.
|
| The language: Tech companies are becoming more aware of the
| dangers posed by maintaining and updating large codebases
| written in an untyped language. I know there's a lot of work
| still being done in Rubyland on this problem but it feels
| like the horse left the barn long ago. A lot of Rubyists seem
| aesthetically opposed to types, including influential
| language stewards. Sorbet is arguably the Typescript of
| Rubyland, but it doesn't feel like it's taking off to nearly
| the same degree. (My theory is that the expressiveness
| required to support a language as flexible as Ruby results in
| poor developer ergonomics in terms of the necessary type
| annotations.)
|
| The ecosystem: Rails is still king, for better and for worse.
| Back when Rails was in its prime, there weren't as many CRUD
| web use cases that required marshalling lots of async i/o.
| Now it's a pretty ubiquitous requirement. You need to fetch
| data from upstream A and upstream B, then combine them to
| send back to the client. With Rails, the de facto way to do
| this is to make these requests serially, which isn't very
| scalable. Hell, even a single call to a slow remote host can
| easily end up saturating all of your web workers. Like the
| types issue, there's a lot of work happening trying to make
| it easier to perform non-blocking i/o in Ruby/Rails, but it
| seems like too little too late.
| LAC-Tech wrote:
| _The language: Tech companies are becoming more aware of
| the dangers posed by maintaining and updating large
| codebases written in an untyped language._
|
| Ruby is not untyped. It's dynamically typed.
|
| FORTH is untyped.
| zdragnar wrote:
| To wit, a personal anecdote:
|
| My tiny company is torn between throwing out our ruby code
| and trying to hire more ruby developers. Our senior ruby
| guy is leaving, and the one senior candidate we had
| accepted, then later rejected, our offer. Of the other
| interviews we have had, candidates were asking for too much
| (i.e. over $200k base salary) and often barely qualified as
| a senior, or were simply too inexperienced to replace the
| person who was leaving.
|
| I'm about one more round of interviews from throwing in the
| towel and doing a hulkamania hackathon in a new language.
| The existing code really isn't great either (deprecated
| gems, lots of accidental complexity, etc) so it is _almost_
| tempting to think it would work.
| notpachet wrote:
| Would it be possible to wall off the legacy Ruby code
| behind a stable interface and switch to writing new
| features in a different language? Then instead of
| hulkmania you could perhaps whittle away at the legacy
| stuff incrementally.
| zdragnar wrote:
| That would require having competing ORMs (rails plus
| whatever library or ad-hoc we roll in the new code)
| working against the same database.
|
| Unfortunately, it's a pretty complex system, and the
| changes we have slated don't really leave room for
| updating one endpoint at a time. Even if it were simpler,
| I don't recall anyone ever contemplating having two ORMs
| running against the same database without a shudder of
| horror.
| JohnBooty wrote:
| Yeah, it's been hard to find Ruby/Rails devs for... as
| long as I can remember. 2015 at least. Not sure if it's
| become harder.
|
| What about hiring experienced devs and simply giving them
| an intro Ruby + Rails course? (which could be as simple
| as say, giving them 2-3 weeks to go through some self-
| directed learning)
|
| I think companies often do this badly: they hire non-Ruby
| devs and expect them to learn by osmosis, which usually
| results in devs simply writing a bunch of bad code - for
| example, Rails code that fights against core Rails
| assumptions and looks like Java/PHP/etc.
|
| However, I also think it's pretty easy to get it right if
| the company and developer have a good attitude about
| getting the dev immersed in Ruby/Rails a bit before
| turning them loose on the main codebase. I'm implementing
| a curriculum like that now in my current role.
| ayewo wrote:
| > I'm implementing a curriculum like that now in my
| current role.
|
| Will you be making this public, or will it remain
| internal?
| mulmen wrote:
| 200k for a senior engineer doesn't sound like too much.
| If anything it sounds like a bargain.
| zdragnar wrote:
| It's a very high salary for the geographic market we're
| in, and we are far too small a company to compete
| directly with FAANGs.
|
| Even having worked for west coast companies, I've never
| gotten $200k base salary; adjusted for my region, most
| pay in the $150-175 range, and I've got quite a few years
| under my belt.
| ezekiel11 wrote:
| codex_irl wrote:
| What's the company? (if you don't mind sharing)
|
| I have been working with ruby for 10 years, kind of /
| sort of thinking of jumping ship to a new company / job
| soon.
| adverbly wrote:
| Same thing happening to Java. Lack of a strong enough pull to
| get people into it.
|
| If you are learning something new or just graduating, you're
| way more likely to learn rust/python/javascript as those
| languages offer something unique (low level speed/machine
| learning/browser stuff).
|
| Rails used to be miles ahead of the competition, but the
| competition has largely caught up. Rails is still probably
| the best choice(in my opinion at least) for building a
| feature-rich webapp backend quickly unless you've got some
| crazy unrealistic performance requirements(spoiler: most
| engineers love to pretend they do, but they probably don't)
|
| But these days there are frameworks everywhere so you can
| write your backend in whatever you're most comfortable with.
| ezekiel11 wrote:
| Attention is in decline. Developers are paying more attention
| to other languages that yield a greater number of employment
| options.
|
| It should be that RoR devs get increasing rates as they
| become rarer, but it's not; demand is also dwindling as
| enterprises feel uneasy about banking the future on a smaller
| talent pool.
| LAC-Tech wrote:
| _shrugs_ rails is not hot anymore but I don't see ruby going
| anywhere. It's still the best thing out there for scripting.
| tomc1985 wrote:
| There are plenty of experienced Rails devs out there. They
| don't need to be younger.
| ezekiel11 wrote:
| I don't think you understood what I wrote.
| chrisseaton wrote:
| What's the relevance of anyone's age?
___________________________________________________________________
(page generated 2022-07-06 23:01 UTC)