Tim Riley
@timriley.info
Rubyist. Leading Hanami, Dry, Rom.

Canberra, Australia. he/him.

https://timriley.info/
Reposted by Tim Riley
This is our first release of a new era — courtesy of our patrons and their financial support.

Thank you @mike.contribsys.com, @baweaver.bsky.social, @honeybadger.io, @fastruby.io, & @appsignal.com! Hanami 2.3 couldn’t have happened without you.

We’d love for you to join them. sponsor.hanamirb.org
November 12, 2025 at 1:40 PM
It’s a meetup, surely they can accommodate you? I’d personally love to see the whole thing, that’s for sure!
November 9, 2025 at 11:28 PM
Worlds collide!
October 27, 2025 at 5:40 AM
Reposted by Tim Riley
One takeaway is that the open source world is an amazing place! It's marvelous how well this usually works. This is distributed trust at scale via education and support (rather than control). All the work to help people learn security and provide best practices mostly seems to work. Wonderful!
October 26, 2025 at 12:03 AM
Reposted by Tim Riley
Companies should scan their open source. Full adoption of trusted publishing could have foiled NPM’s Shai-Hulud. Fighting about shared ownership models is horribly destructive when it makes the people leave that understand these problems. That’s the real security vulnerability.
October 25, 2025 at 11:49 PM
Reposted by Tim Riley
If all you need to make your supply chain secure is CLAs for devs and a non-profit administrative staff holding keys to the world, remember that most package managers still run untrusted code on install, packages go live with minimal scanning, and best practice publishing security adoption is low.
October 25, 2025 at 11:45 PM
Reposted by Tim Riley
You might wonder, “how can a group of friends be sufficient for global enterprise software supply chain security?” The answer for me is that these people were there BECAUSE it was so important. RubyGems.org has had no major outage in 14 years. This is not a fluke.
October 25, 2025 at 11:38 PM
Reposted by Tim Riley
The team that managed rubygems was formed by building social connections with people that cared enough to work on rubygems in their free time. It is at its core a trust based team of equals. This is why corporate takeovers that take advantage of that trust hurt so much. Trust is all we had.
October 25, 2025 at 2:47 PM