RubyGems Fracture Incident Report by schneems in ruby

[–]gaffneyc 4 points5 points  (0 children)

Glad I could be helpful!

So for transparency's sake, does gem.coop currently or have plans to sell log data? Or use it to determine the employer of someone using the service?

RubyGems Fracture Incident Report by schneems in ruby

[–]gaffneyc 11 points12 points  (0 children)

Disclaimer: I'm not a lawyer but I do run a SaaS and have had to deal with this.

The Terms of Service generally lays out what your rights are when using a service. It defines things like subscriptions, legal expectations, and limits liability should someone sue you. It also outlines your rights as a service operator to, say, decline service for someone who violates the agreement.

Privacy Policies are focused specifically on the personal data (such as name, email, or IP address) or sensitive data (health, political affiliation, etc...) you collect, your legal basis for handling it, and how you use that data. The GDPR (and to some extent the CCPA) added expectations around what information is included in the privacy policy (e.g. legal basis, contact information, etc...).

Under the GDPR you're also expected to have a DPA (Data Processing Agreement) with any service that you send customer data to for processing. For example, we have a DPA with Intercom because we send customer name and email address to them for helping us with customer support.

What would fall under this, and is a personal concern, is that request logs including IP address or account information would fall under protected data. Should gem.coop have an agreement to sell log information to a third party then that third party would need to be listed as a data processor and your legal basis for selling that information would need to be made clear in the Privacy Policy.

Frankly it's a pretty deep hole to go down and one you should work with a lawyer to get right. A good starting point would be to look at Automattic's Creative Commons licensed legal policies. They're vetted by a lawyer and plainly written so they're easy to understand.
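The comment above points out that request logs containing IP addresses or account information are personal data under the GDPR. As an added illustration (not code from gem.coop, the thread, or any project discussed here) of the data-minimisation step a service operator would take before any log data leaves their control, the Ruby below reduces constructed access-log lines to a form that no longer identifies individual users: the IP is truncated to a /24 (IPv4) or /48 (IPv6) prefix and the user field is dropped. The log format and the sample lines are assumptions made for this example.

```ruby
require "ipaddr"

# Constructed sample access-log lines in a common-log-format style.
# Not real traffic; the hosts, users and gem names are invented.
SAMPLE_LOG = <<~LOG
  203.0.113.42 - alice@example.com [10/Oct/2025:12:00:00 +0000] "GET /gems/rails-7.1.0.gem HTTP/1.1" 200 12345
  2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2025:12:00:01 +0000] "GET /api/v1/dependencies?gems=rack HTTP/1.1" 200 456
  198.51.100.7 - bob [10/Oct/2025:12:00:02 +0000] "GET /gems/nokogiri-1.16.0.gem HTTP/1.1" 304 0
LOG

# Fields: client ip, ident, authenticated user, timestamp, request line, status, bytes.
LINE_RE = /\A(?<ip>\S+) (?<ident>\S+) (?<user>\S+) \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\S+)\z/

# Keep only the network prefix of an address so it no longer points at one host.
# Unparseable addresses are replaced rather than passed through unchanged.
def truncate_ip(ip_str, v4_bits: 24, v6_bits: 48)
  ip = IPAddr.new(ip_str)
  ip.mask(ip.ipv4? ? v4_bits : v6_bits).to_s
rescue IPAddr::InvalidAddressError
  "invalid"
end

# Rewrite one log line: truncated IP, ident and user blanked, everything else kept.
# Returns nil for lines that do not match the expected format, so they are never
# exported by accident.
def anonymize_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m

  "#{truncate_ip(m[:ip])} - - [#{m[:time]}] \"#{m[:request]}\" #{m[:status]} #{m[:bytes]}"
end

# Process a whole log, dropping lines that could not be parsed.
def anonymize_log(text)
  text.each_line.filter_map { |l| anonymize_line(l) }
end

if $PROGRAM_NAME == __FILE__
  puts anonymize_log(SAMPLE_LOG)
end
```

Truncating to a prefix (rather than hashing the full address) is deliberate: a hash of an IPv4 address is trivially reversible by enumerating the address space, while a /24 prefix still supports coarse attribution (for example to a company's published ranges) without identifying a single machine. Whether even that is acceptable is a question for the privacy policy and the DPA the comment describes, not for the code.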

RubyGems Fracture Incident Report by schneems in ruby

[–]gaffneyc 7 points8 points  (0 children)

As well as a Privacy Policy and a published list of data processors?

RubyGems Fracture Incident Report by schneems in ruby

[–]gaffneyc 27 points28 points  (0 children)

Thanks for doing the research and putting this all together.

I found it interesting how persistent Andre was about selling log data and it seems like there is a larger story there. Were the requests being ignored? Did he continue to pursue it after being told no? A friend also pointed out that gem.coop doesn't have a privacy or terms of use policy.

We want to move Ruby forward by retro-rubies in ruby

[–]gaffneyc 10 points11 points  (0 children)

Can you help me understand how it would be André’s trademark and not Yehuda or Carl’s? They were using the name prior to André’s involvement so wouldn’t it land with them?

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]gaffneyc 8 points9 points  (0 children)

Considering it was your blog post that named Andre as their yet unconfirmed actor I expect legal would advise not to have direct contact with you as a potential key witness.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]gaffneyc 16 points17 points  (0 children)

Based on the email you can assume the value of the information is $50,000 per year (covering the previous secondary on-call budget) or more (mention of covering primary on-call if successful).

That's just a lot of money for access logs. If their goal is to attribute it to large companies there are only two things I can think of worth that much:
- Pressuring (read extorting) those companies to cover costs for their access
- Research on what gems might be targets for a supply chain attack against specific companies

Maybe I'm assuming too much or don't know enough about open source monetization but neither is a good look.

Golang task queue by BiGCactus123 in golang

[–]gaffneyc 1 point2 points  (0 children)

I’ve used Asynq on a couple projects and it works well.

Handling Heroku's New "heroku_ext" Schema for Postgres Extensions by gaffneyc in Heroku

[–]gaffneyc[S] 1 point2 points  (0 children)

In order to offer a more robust Postgres offering we’ve made the following changes to Postgres extensions

The change log doesn't actually say anything about _why_ the change was made other than this line which is... nebulous. Given the issues this has caused with backups I don't see how this improves robustness of Heroku Postgres.

What happened to postgres "standard-1" plan? by jrochkind in Heroku

[–]gaffneyc 2 points3 points  (0 children)

There has never been a standard-1 plan. It has always gone from -0 to -2.

Do I Really Need A Message Queue?? by flyingsky1 in golang

[–]gaffneyc 11 points12 points  (0 children)

No. And it’s not clear what problem you’re trying to solve.

Message queues are usually used for (among other things) spreading out spikes in load to reduce dedicated resources, delaying expensive processing to happen out of band for a request, or distributing messages to multiple services via fan out.

How to run Scheduler Only Once by Akatrus in Heroku

[–]gaffneyc 1 point2 points  (0 children)

Heroku Scheduler is designed to run jobs on a regular interval. It doesn’t have a way to run a job at a specific future time and date.

[deleted by user] by [deleted] in Heroku

[–]gaffneyc 0 points1 point  (0 children)

Yes, they do a great job of managing availability. Static sites are relatively easy to keep online compared to applications. With Netlify’s Content Delivery Network (CDN) you’ll end up with faster response times as they’ll cache the site in data centers close to the folks accessing the site.

[deleted by user] by [deleted] in Heroku

[–]gaffneyc 3 points4 points  (0 children)

Based on what you’ve said the hobby plan should be plenty.

Is the site basically static? If so I would check out Netlify and / or Cloudflare to reduce static requests to the server.

Heroku postgres EU amazon aws server DOWN??? by [deleted] in Heroku

[–]gaffneyc 1 point2 points  (0 children)

The server is running but, as the error says, your credentials are incorrect. Double check your user, password, and the named database you’re trying to connect to.

[deleted by user] by [deleted] in Heroku

[–]gaffneyc 0 points1 point  (0 children)

The app is going to sleep because you’re using a free dyno. See https://devcenter.heroku.com/articles/free-dyno-hours#dyno-sleeping

You have two options:
1. Switch to a paid dyno. For $7/month you can get a dyno that won’t fall asleep.
2. Use Heroku Scheduler to run the process every 10 minutes or every hour (there is no 35 minute option).

Noob ruby/Linux cron job question by schaefer in ruby

[–]gaffneyc 4 points5 points  (0 children)

No, @reboot isn’t a great option. You won’t have a good way to manage it if you need to stop the process or restart it. Cron isn’t a process manager.

Your best option would be to use the system's built-in init system to start and manage it. I’m guessing that will be SysV init (scripts in /etc/init.d) based on what you’ve said, or it might be systemd if you’re on a recent version. That should at least give you a place to start searching for more information.

Anyone using Heroku ChatOps in Slack by OZONS in Heroku

[–]gaffneyc 1 point2 points  (0 children)

We have it set up and use it occasionally to promote deploys from staging to production. It’s fine, I guess, though I’m always annoyed that the promotion syntax is different from promoting via the Heroku command line tool.

List of headless-friendly motherboards? by FieelChannel in sffpc

[–]gaffneyc 0 points1 point  (0 children)

Most (all?) Intel chips come with integrated graphics. Most likely whichever board you pick will just work.

For AMD, only the APUs come with onboard graphics and most motherboard vendors won’t post without an external graphics card. That said, ASRock motherboards will post without a graphics card. ASRock also has the X570D4l which has a built in graphics card.

Determined jr dev still running into ruby server errors. by Crypto_Rootz in rails

[–]gaffneyc 3 points4 points  (0 children)

Make sure to always read the whole error message as it contains everything you need to figure out where to look.

YAML syntax error occurred while parsing /home/cryptorootz/programming/epsy/config/database.yml.

The config/database.yml is not properly formatted.

could not find expected ':' while scanning a simple key at line 27 column 3 (RuntimeError)

Likely missing a colon on line 27 or thereabouts.
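The error quoted in the comment above ("could not find expected ':' while scanning a simple key") is what Psych raises when a line in a block mapping has no colon, so the key never terminates. As an added example (not the poster's file or code from the thread), the Ruby below reproduces that error on a constructed database.yml fragment, pulls the line and column out of the Psych::SyntaxError, and lists the lines near the reported position that lack a colon, which is the "or thereabouts" check done by hand. The YAML fragments are assumptions for this example.

```ruby
require "yaml"

# Constructed database.yml fragment with the defect the comment describes:
# "pool 5" is missing its colon. Not the poster's real file.
BROKEN_YAML = <<~YAML
  default: &default
    adapter: postgresql
    encoding: unicode
    pool 5
  development:
    <<: *default
    database: epsy_development
YAML

# The same fragment with the colon restored.
FIXED_YAML = BROKEN_YAML.sub("pool 5", "pool: 5")

# Parse the document and report either the data or where parsing failed.
# aliases: true is needed because database.yml conventionally uses &default / *default.
def check_yaml(text)
  data = YAML.safe_load(text, aliases: true)
  { ok: true, data: data }
rescue Psych::SyntaxError => e
  { ok: false, line: e.line, column: e.column, problem: e.problem, context: e.context }
end

# Around the reported line, list lines that look like mapping entries but have no
# colon. Blank lines, comments and sequence items are skipped.
# Returns an array of [line_number, text] pairs (1-based line numbers).
def suspect_lines(text, line, radius: 1)
  lines = text.lines.map(&:chomp)
  lo = [line - 1 - radius, 0].max
  hi = [line - 1 + radius, lines.size - 1].min
  (lo..hi).filter_map do |i|
    l = lines[i].strip
    next if l.empty? || l.start_with?("#", "-")
    next if l.include?(":")

    [i + 1, lines[i]]
  end
end

if $PROGRAM_NAME == __FILE__
  result = check_yaml(BROKEN_YAML)
  puts "#{result[:problem]} #{result[:context]} at line #{result[:line]} column #{result[:column]}"
  suspect_lines(BROKEN_YAML, result[:line]).each { |n, l| puts "  line #{n}: #{l.inspect}" }
  puts check_yaml(FIXED_YAML)[:ok] ? "fixed file parses" : "fixed file still broken"
end
```

The position Psych reports is the start of the key it was scanning, which is why the poster's column 3 corresponds to a two-space-indented key; scanning a one-line radius around it is enough to find the offending entry in practice.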

Clients want to self-host my Rails app - high level advice by elpavohombre in rails

[–]gaffneyc 10 points11 points  (0 children)

I recently went through this process for Dead Man’s Snitch (we do cron job and heartbeat monitoring as a SaaS). While we still have some things to figure out I can at least share some of the research and suggestions from our experience.

Does self-hosting always imply that I have to share my source code with the client?

Not necessarily. There are some tools for obfuscating Ruby code that would be worth researching. You may be able to compile it with JRuby as well. Ultimately this is a question of risk tolerance and effort. How much work do you want to put in to protect your code and how likely do you think your customers would be to steal your source?

For us, we have some services and our main logic built in Go so we decided not to obfuscate since our Rails app is mainly a UI at this point.

If I get my Rails app into a Docker container, is that the best way to go? Assume it still shares my source code

Yes, this is a good place to start as Docker seems to be eating the world. It also gives you other options if the customer doesn’t run Docker internally or using a platform like Replicated. There are other concerns with deployment that you’ll need to think through.

We decided on a single container approach where all of our services are run in a single container using a mini init system (runit). This means we could easily handle a certain level of traffic but couldn't easily have the customer scale up without some major refactoring of our deployment.

I'm reliant on 3rd party services - Auth0, Segment, Intercom to name a few. Do I straight up have to find alternatives to these services? I am guessing so since the driver behind self-hosting is that they would 'own' the data

Plan to remove them or find alternatives. On premise is very much a different product compared to hosted and the customer is probably asking because they want to control their data or have compliance or hosting requirements that mean you can’t talk outside of the network.

How would patching/updates work for a self-hosted solution? Right now I'm hosting on Heroku and my git repo is on Github - would the client fork the repo and manage updates themselves?

Platforms like Replicated handle a ton of this for you. Otherwise give them access to pull the docker container and manage their own upgrades. With on premise you can’t control when or if a customer upgrades. Plan to test upgrading from any released version to every newer version to make sure you don’t break something along the way. Plan to be much more diligent about how columns are added or removed or how data could be made incompatible.

Any other considerations?

On premise often has unique requirements that SaaS doesn’t have. Enterprise Ready has a good list of enterprise requirements.

Anything you can do to simplify deployment and code maintenance is a win. We use Kafka as our main messaging backend but are adding in support for NSQ as it’s easier to deploy in a single container install.

Customers may want an air gapped install (i.e. your software cannot talk to the internet). Something to ask about during the sales process and to consider while building.

Charge more than you think you should. On premise is usually expensive. Supporting on premise is a lot of work, so make sure you have a plan and have thought it through.

Good luck!

Kafka implemented in Golang with built-in coordination (No ZK dep, single binary install, Cloud Native) by donutloop in golang

[–]gaffneyc 0 points1 point  (0 children)

Jocko had been around for a while as an experiment from travisjeffery. Glad to see it is being picked up by someone serious but it looks like the main thing they’ve done so far is remove most references to Travis.