Maintainable

Marty Haught: Rethinking Technical Debt—Is It Really Just Drift?


Episode Overview

Marty Haught joins Robby to discuss the sustainability of open-source projects, the challenges of maintaining RubyGems, and why the metaphor of technical debt may not fully capture how software ages. Instead, he suggests thinking of it as drift—the natural misalignment of software with its evolving purpose over time.

They also dig into security challenges in package management, including how Ruby Central worked with Trail of Bits to audit RubyGems. Marty also shares insights on the EU Cyber Resilience Act and how it might affect open-source maintainers worldwide. Finally, they explore how companies can support open-source sustainability through corporate sponsorships and individual contributions.

Topics Discussed
  • [00:01:00] The two pillars of maintainable software: good tests and readability.
  • [00:02:40] From Perl to Ruby: How readability changed Marty's approach to programming.
  • [00:07:20] Is technical debt the right metaphor? Why "drift" might be a better fit.
  • [00:11:00] What does it take to maintain RubyGems? Marty's role at Ruby Central.
  • [00:14:00] Security in package management: How RubyGems handles vulnerabilities.
  • [00:16:40] The role of external audits: Partnering with Trail of Bits for security improvements.
  • [00:20:40] EU Cyber Resilience Act: How new regulations might affect open-source projects.
  • [00:34:00] Funding open source: Why corporate sponsorships are becoming essential.
  • [00:38:20] Processes in distributed teams: Balancing structure with flexibility.
  • [00:44:45] Advocating for technical debt work in teams: How to make a compelling case.

Key Takeaways
  • Technical debt is often misunderstood. The real issue may not be shortcuts taken in the past, but the way software naturally drifts from its original purpose.
  • Security in package management is a growing concern. Open-source ecosystems like RubyGems require continuous investment to remain secure.
  • Open source needs sustainable funding. Relying on volunteers is not a long-term solution—companies need to contribute via corporate sponsorships.
  • Advocating for code improvements requires strategy. Engineers should frame technical debt discussions around business impact, not just code quality.

Resources Mentioned
  • Marty Haught on LinkedIn
  • Marty Haught on Twitter
  • Ruby Central
  • RubyGems
  • Auditing the Ruby Ecosystem’s Central Package Repository – Trail of Bits
  • EU Cyber Resilience Act Overview
  • What the EU's New Software Legislation Means for Developers (GitHub Blog)
  • Ruby Central Open Source Program – Get Involved
  • Corporate Sponsors Program
  • Give and Take by Adam Grant

Connect with Marty
  • LinkedIn
  • Twitter
  • BlueSky

Thanks to Our Sponsor!

Jelly is the simplest, most affordable way to deal with your “contact@...” emails.

Tired of sharing an email login, or CCing colleagues to loop them into conversations? Terrified by the dizzying total cost of big-name “customer support” tools? Jelly is the answer. Whether it's for customer support, community organizing, or even managing band emails, Jelly helps your team share an email inbox and manage your conversations in a simple, elegant way. Use the “I got this” feature to communicate responsibility, and private comments for internal discussions. Jelly is perfect for small teams — because it was built by a small team. And Jelly is actually affordable: team-based pricing means everyone can pitch in with your team’s conversations with customers, clients and beyond.

Bonus for Maintainable listeners: Get 20% off your first year at letsjelly.com/maintainable.

Subscribe to Maintainable on:

  • Apple Podcasts
  • Spotify

Or search "Maintainable" wherever you stream your podcasts.

Keep up to date with the Maintainable Podcast by joining the newsletter.

Maintainable, by Robby Russell
