Ruby Central: Update July 2024

Signed-off-by: Martin Emde <[email protected]>

alpha/engagements/2024/RubyCentral/README.md

@@ -16,6 +16,7 @@ This engagement started in February 2024.
 * [April 2024](update-2024-04.md)
 * [May 2024](update-2024-05.md)
 * [June 2024](update-2024-06.md)
+* [July 2024](update-2024-07.md)
 
 ### Primary Contacts
 
@@ -25,4 +26,5 @@ This engagement started in February 2024.
 ### Announcement / News
 
 * [Alpha-Omega Announcement](https://alpha-omega.dev/blog/alpha-omega-announces-first-four-grants-of-2024-and-our-2024-okrs/)
-* [Ruby Central Announcement](https://rubycentral.org/news/ruby-central-receives-alpha-omega-grant/)
+* [Ruby Central Announcement](https://rubycentral.org/news/ruby-central-receives-alpha-omega-grant/)
+* [Organization Feature Public Roadmap](https://docs.google.com/document/d/1YTNNiqxORDik5_cuIkK-3VsKuBafGLXN3gSUFZr9kV4/edit?usp=sharing)

alpha/engagements/2024/RubyCentral/update-2024-07.md

@@ -0,0 +1,48 @@
+# Update 2024-07
+
+## Organizations
+
+July was an active month for us on the organization project.
+Unfortunately, we had multiple sicknesses during the month and also vacations.
+This slowed each of us from making as much progress as we otherwise felt we could have. C'est la vie.
+
+### Maintainer Role
+
+* Colby researched access control systems in other ruby projects and was inspired by GitLab (another open source Rails app).
+* He defined a new system for setting permissions levels that will define each permission level using a number.
+* The new system will allow us to continue using the existing ownership model with a quick SQL query lookup (i.e. `where level >= 60`) to ensure the required permission level is met.
+* Progress on adding the Maintainer role helps us provide some of the needed organization level features for singular gems that don't need the added complexity of an organization.
+
+### Organizations
+
+* André defined and built the Organization & Membership models, defined their relations, and added administrative views for all of the models.
+* The models are now merged into RubyGems.org, allowing other engineers to be aware of and collaborate on the models whenever their work may overlap.
+* In the meantime, Ian has refined the designs for our onboarding process for new users.
+* We settled on a process that will allow people to use the name of a gem they own as the name of their organization.
+* Allocating org names only by owned gem names will prevent the landrush that PyPI experienced and warned us about.
+* RubyGems.org has been around long enough that most of the desireable gem names are taken. We believe that granting ownership of the same-named org will be a natural progression for most users.
+
+### Authorization
+
+* Martin continued to work on finding and streamlining places where authorization checks are currently made in the application.
+* Previously, almost all authorization checks did some version of (with varying formats): `if rubygem.owned_by?(user)`.
+* We have made significant progress turning these into more descriptive checks: `if policy(rubygem).add_owner?`.
+* This change allows us to define different levels and specific membership requirements for each policy in a shared policy class for each object in the system.
+* Already this has paid dividends, allowing Colby to quickly redefine `add_owner?` to require that you have a level matching at least "gem owner".
+
+### Next steps:
+
+* Finalize design and begin to implement the onboarding interface.
+* Roll out maintainer role
+* Add permissions levels to organization memberships
+* Maybe near the end of the month, add ourselves as test users on a rubygems org, then hopefully role to a few beta users.
+
+## Audit
+
+* Trail of Bits (ToB) proposed a timeline for the audit from August 19 to September 6th.
+* We continue to communicate and prepare for the audit and will meet with them early August to start transferring documentation and preparing their engineers.
+* In the meantime, we wrapped up most of the pending security work related to MFA and sign-in in an attempt get ahead of call-outs we read in other ToB audits.
+
+### Next steps:
+
+* We look forward to starting the audit.