Conference Talks

I've spoken at more than 36 events in 14 countries, primarily about Bundler, security, and web development. This list of talks includes links to blog posts, slide decks, and videos wherever possible. If you'd like to invite me to speak at your event, please contact me directly.

Securing your Software Supply Chain Panel

Composability has rapidly accelerated the pace of software development by allowing engineers to reuse openly shared libraries and packages. But the widespread adoption of these components also makes them an enticing avenue of attack for malicious actors. In this fireside session, André Arko (Head of Open Source, Ruby Central) and Dustin Ingram (Director, Python Software Foundation) will join Emilio Escobar (CISO, Datadog) for a discussion about securing your software supply chain. They’ll share practices to verify the provenance of your dependencies, mitigate the risks of using third party components, and secure the software you share with others.

Engineering Teams in a Time of Corona

It’s been a month since San Francisco and the surrounding counties announced a lockdown, and at least a couple of weeks in most of the US. The good news is that it’s possible to build software even when everyone is staying at home every day, unlike a lot of jobs!

The bad news is this isn’t remote working, not the way that anyone has ever talked about it before. In the words of Juan Pablo Buritica, this is “stuck at home work”, and that’s much worse.

Read the entire talk as a blog post →
How to calculate the phase of the moon very, very badly!

This talk is about how, despite “common knowledge”, lunar cycles are not 28 days long, and in fact lunar cycles don’t have a single numerical length! You’ll hear about several very bad ways to calculate the phases of the moon, why they seemed reasonable at the time, and exactly how it took three years from the time one app shipped to the App Store before the calendar was even arguably correct.

Read the entire talk as a blog post →
Pairing: a guide to fruitful collaboration 🍓🍑🍐

Despite general consensus that pairing is good, the desire to pair doesn’t come with instructions. Come to this talk to learn how to pair with someone more experienced, how (and why) to pair with your peers, and how to pair productively with someone less experienced. (Hint: productivity isn’t about the speed of new features.) Pairing is a fantastic tool for your professional toolbox: let’s design, discuss, refine, and refactor, together.

Read the entire talk as a blog post →
A History of Bundles: 2010 to 2017

When Bundler 1.0 came out in 2010, it did something really great: installed all of your gems and let you use them in your app. Today, Bundler does something really great: it installs all your gems and lets you use them. So, given that, why has Bundler needed thousands upon thousands of hours of development work? What exactly has changed since then? Prepare to find out. We’ll cover performance improvements, server response optimizations, adapting to new versions of Ruby, and adding features to support new use cases. Learn the tricks of Bundler power users, and find out how to optimize your gem workflows.

Read the entire talk as a blog post →
Robin Hood Hashing

Without requiring calculations in advance or additional arrays to store extra data, Robin Hood Hashing provides a system that results in a maximum of O(ln n) probes per operation, where n is the number of items stored in the hash table. How does it do this? By stealing from the rich and giving to the poor, of course. 😆

Read the entire talk as a blog post →
From No OSS Experience to the Core Team in 15 Minutes Per Day

Using and contributing to open source has been a cornerstone of the Ruby community for many years. Despite this strong tradition, it’s hard to find anything collecting the likely advantages and costs of working on open source. This talk will introduce open source work, the benefits and costs of doing that work, and then provide a straightforward list of activities that can be done by anyone, no matter their level of experience with programming. Pick a project, schedule at least 15 minutes per day, join the core team. It’s your destiny!

Read the entire talk as a blog post →
A Year of Ruby, Together

Ruby Together is a simple concept: Ruby developers and companies all pay a small amount of money. That money ensures that Bundler, RubyGems, and other critical software continues to work, by paying developers to work on it. While the concept is simple, creating Ruby Together was very complicated in practice. In this talk I’ll explain why I was motivated to start Ruby Together, how it became possible, and what we have done for Ruby in our first year.

Read the entire talk as a blog post →
Package Managers: Before And After NPM (Panel)
Don't Forget The Network: Your App Is Slower Than You Think

When you look at your response times, satisfied that they are "fast enough", you're forgetting an important thing: your users are on the other side of a network connection, and their browser has to process and render the data that you sent so quickly. This talk examines some often overlooked parts of web applications that can destroy your user experience even when your response times seem fantastic. We'll talk about networks, routing, client and server-side VMs, and how to measure and mitigate their issues.

Including People

This talk is about the twin open source project goals of, on the one hand, increasing participation and contribution to an open source project, and on the other hand including everyone while eliminating discrimination and harassment (whether deliberate or accidental). I'll talk about different approaches to reducing discrimination, including better documentation, better development tooling, explicit onboarding process, and codes of conduct. I'll also cover concrete steps that anyone can take to help increase inclusion and participation in the teams, communities, and open source projects that they are involved in.

Read the entire talk as a blog post →
Introducing Ruby Together

Ruby Together is the Ruby programming language trade association. It funds maintenance and development on Ruby open source tools like Bundler and RubyGems.org using funds from developers and companies that use Ruby.

Read the entire talk as a blog post →
  • Oct 17, 2015 EuRuKo 2015 Lightning Talks
  • Jun 18, 2015 MagmaConf 2015 Lightning Talks
  • Jun 12, 2015 RubyNation 2015 Lightning Talks
  • Apr 12, 2015 RailsConf 2015 Lightning Talks see slides
How Does Bundler Work, Anyway?

We all use Bundler at some point, and most of us use it every day. But what does it do, exactly? Why do we have to use bundle exec? What's the point of checking in the Gemfile.lock? Why can't we just `gem install` the gems we need? Join me for a walk through the reasons that Bundler exists, and a guide to what actually happens when you use it. Finally, we'll cover some Bundler "pro tips" that can improve your workflow when developing on multiple applications at once.

Read the entire talk as a blog post →
Lies, Damn Lies, and Metrics

Metrics are great, and measuring things can provide tremendously useful insights. But there's a problem: metrics lie to you. Metrics just report the numbers that were measured. Analyzing those numbers is up to us, and that analysis can go wrong in so, so many ways. Learn how to arm yourself against human intuition, interpreter pauses, routing, instrumentation lag, and other issues. Don't get so caught up in instrumenting that you lose sight of why metrics exist! Make sure your metrics are telling you actionable information, instead of just accurate numbers.

Everything You Ever Wanted to Know About Diversity But Were Too Afraid To Ask

Co-presented with Ashe Dryden. See also "How To Be An Ally".

Read the entire talk as a blog post →
Development Was The Easy Part

We want to produce reliable, functioning software… but we often don’t. The cliched cry of “but it works on my machine” demonstrates the myopia that most web developers (including me) suffer from: we spend almost all of our time working with a development environment. This leads us to think of production as “like development, with people using it”. Then, when things go wrong, we think “oh, I see now, production is like development except this one thing that went wrong”. This is exactly the opposite of the mindset we need. Production is fundamentally different from development, and it’s important to keep that in mind. This talk discusses some of those fundamental differences, including load balancing, metrics, data store reliability, and network partitions. Don’t get stuck rebuilding your servers at 3AM because you went with the option that was easiest during development!

How To Be An Ally

This talk presents a theory of ally work that encourages everyone to do what they are able to create an open, inclusive, empathetic, and compassionate culture.

Read the entire talk as a blog post →
  • Mar 28, 2014 RubyConf Philippines 2014 Lightning Talks see slides
  • Feb 25, 2014 Úll 2014 Lightning Talks
  • Dec 04, 2013 RailsBridge Lightning Talks Meetup see slides
Extreme Makeover: Rubygems Edition

Rubygems.org provides every Rubyist with an amazing service: all the libraries in the Ruby world. As amazing as that is, installing gems can be a time-consuming and even error-prone process. (Just ask the Travis guys.) In this talk, you'll learn about the recent dramatic changes in Rubygems and Bundler to improve speed and reliability by rewriting the Rubygems client/server architecture. I'll show how the new system caches more information, makes fewer requests, and takes less time to install gems. Finally, I'll cover how the changes allow worldwide mirrors of rubygems.org, improving things for Rubyists around the globe.

Read the entire talk as a blog post →
The Iceberg of Webdev

If you do web development, you've probably noticed that "distributed systems" and "service oriented architecture" are really hot topics right now. I have a surprise for you, though: you already work on a distributed system with a service oriented architecture, because every webapp is one. That means you've already decided how your distributed system is going to work, and chances are good you didn't even know you were making those decisions. This talk will uncover the hidden decisions that shape web applications, including how the org chart limits service architecture, and how consistency and availability by default seems great until it's 3am and the data store needs to be rebuilt by hand to bring the site back up. Once the decisions aren't hidden anymore, I'll explain some other options, and why you might want to pick them to save yourself pain in the future.

You Don't Know Bundler
  • Oct 09, 2013 Rails Israel 2013 Lightning Talks
Deathmatch: Bundler vs. Rubygems

The story of the quest to make `bundle install` faster; in which Rubyists around the world inadvertently DDoS rubygems.org, witness its ignominious death, and vow to rebuild it from the ashes stronger than it was before. Then, a tour of the changes; why is Redis so much slower than Postgres? Marvel at the gorgeous metrics and graphs used to measure and optimize; gasp in delight as we track, live, exactly how many Heroku dynos are needed. Finally, a happy ending: today, the server responds to requests TWO ORDERS OF MAGNITUDE faster than it did before.

Read the entire talk as a blog post →
Hack Your Bundle For Fun And Profit

Bundler has turned out to be a super-useful tool for installing and managing dependencies, but it has hidden depths! This talk discusses some of the ways you can use Bundler and other tools together to boost your development productivity. I’ll walk through how to use the lesser-known but very handy commands like bundle gem, bundle open, and a few others. I’ll show you how to use Bundler to make sure you always run your app on the right version of Ruby, how to search through every gem in your Gemfile with a single command, and how to check for newer versions of the gems you use.

Read the entire talk as a blog post →
`bundle install` Y U SO SLOW

If you've ever done anything in Ruby, you've probably used rubygems and to search or install your favorite gem. On October 17, 2012, rubygems.org went down. A Dependency API was built to be used by Bundler 1.1+ to speed up bundle install. Unfortunately, it was a bit too popular and the service caused too much load on the current infrastructure. In order to get rubygems.org back up, the API had to be disabled.

Security Is Hard, But We Can't Go Shopping

The last year has been brutal for Ruby and security. Ruby has gotten quite popular, which is really exciting! But it also means that we are now square in the crosshairs of security researchers, whether whitehat, blackhat, or some other hat. Before 2013, only the Ruby and Rails core teams had meaningful experience with security issues. This year everyone got meaningful experience. Vulnerabilities are everywhere, and handling security issues responsibly is critical if we want Ruby (and Rubyists) to stay safe and in high demand. I’ll discuss responsible disclosure, as well as responsible ownership of your own code. How do you know if a bug is a security issue, and how do you report it without tipping off someone malicious? As a Rubyist, you probably have at least one library of your own. How do you handle security issues, and fix them without compromising apps running on the old code? Don’t let your site get hacked, or worse yet, let your project allow someone else’s site to get hacked! Learn from the hard-won wisdom of the security community so that we won’t repeat the mistakes of others.

Read the entire talk as a blog post →
Deploying with Bundler

Rails 3 is here, and ships with Bundler by default. Bundler’s default mode makes things easy on developers, obsoleting that out of date list of gems in your app’s readme. Deploying, however, isn’t as obvious. What if you’re using Sinatra or something else that isn’t Rails? How do you deploy a bundled app using Capistrano, or Vlad, or your own script? What are the best practices for deploying to an app running in Mongrel, Unicorn, or Passenger? What if your server doesn’t have an internet connection to talk to rubygems.org? These questions and others will be answered by a member of the Bundler core team.

Read the entire talk as a blog post →
Why Bundler?

There comes a point in every programming language's life where the question of dependency management arises. That is, "if A requires B and B requires C, and C requires D, what happens when I install A?" Believe it or not, that's actually an easy question; the hard question is "What happens when I install A, but I have two apps on a machine that rely on different versions of C and D?" Ruh-oh. Fortunately, Andre will be joining us at SunnyConf to talk about painless dependency management with Bundler. Bundler, which has been released alongside Rails 3, has been designed to fix all of your dependency problems. It makes using dependencies easy and reliable at the same time. Bundler can handle your Rails gem plugins, your application's dependencies, and even your dependencies' dependencies, all automatically. In this talk, Andre will walk us through why Bundler was written, and why you should be using it for all of your Ruby applications. He'll talk about how to use it effectively in common scenarios and even cover its usage within Rails 3, Rails 2, Sinatra, and your own Ruby application. He'll also share where Bundler is headed in the future.