A board member's perspective of the RubyGems controversy
76 comments
·September 21, 2025sc68cal
jmcgough
I found this helpful in explaining what's happened: https://www.theregister.com/2025/09/22/ruby_central_rubygems...
Sounds like they made some really big changes and put zero effort into communicating to people who've spent 10+ years working on the project.
fwip
Thanks - that was helpful indeed. From there, I also found the linked post by Tekin Süleyman ( https://tekin.co.uk/2025/09/the-ruby-community-has-a-dhh-pro... ) to be informative.
McGlockenshire
Wow! When that one DHH blog went around the other day, I didn't actually pay attention to who the author was. All I saw was yet another bigoted rant and just skimmed it and rolled my eyes. (e: here it is to save people the effort: https://world.hey.com/dhh/as-i-remember-london-e7d38e64 )
I should not have skimmed it. From your link:
> In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.
> To all of that he ads a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the the US Tea Party, and Tommy Robinson himself.
This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.
edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:
> Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.
Well, if that doesn't speak volumes as to DHH's values, I don't know what does.
caymanjim
Everything you're quoting is from one aggrieved person, who clearly felt slighted, and who left out a whole lot of context in their own post. The article above is a lot more reasoned, less emotional, and seems completely reasonable to me. Ruby Central clearly has issues with both internal and external communication. And the above article isn't an official statement either; it's just one person, not involve in the decision, offering another perspective.
throwaway346434
It's not just one person.
Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.
https://github.com/rubygems/rfcs/pull/61
The conversation terminated because the majority of those people then had their access revoked again.
When weighing the facts here; which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?
sc68cal
> who clearly felt slighted,
I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.
caboteria
Everything he quoted is a fact, which can be proven or falsified. Taken together (and if true) they're pretty damning.
You responded with an ad-hominem attack. If you can offer a rebuttal of the facts then please do, otherwise try to refrain from personal attacks.
caymanjim
I dunno what you read, but nothing I wrote included any attacks, personal or otherwise.
generalk
Wait, what?
A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.
And still! If there is an "official" statement, I can't find one on https://rubycentral.org/.
This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.
McGlockenshire
I know you're already getting piled on here but
> less emotional,
Expressing emotions is good, actually.
jtbayly
It was not left out of the statement. I understood that was essentially what happened by the time I got to the end of his piece. The only exception being the “with no warning or communication” part. Obviously there is disagreement about whether that is true or not.
x0x0
How you can tell this is all lies from the board is simple:
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
The first thing is they didn't tell them. The second bit is simple:
"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."
That email takes 10 minutes to write and send.
gorbachev
100%
Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.
x0x0
Exactly.
And communicating [situation], [action(s)], [how this affects you] is one of the most basic professional communication skills you could imagine.
nightpool
So Ruby Central, by their own admission, agreed to take $$$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project in favor of their own funding. And also they apparently used this as an opportunity to consolidate their power in other ways (renaming the github org) for reasons that were unrelated to the self-imposed deadline. How does this make them look better?
actionfromafar
To my untrained eye it looks like a board with a bunch of money and perhaps a fork on their hands.
mpalmer
For any company that wants to secure and maintain critical source infrastructure for a language, community/maintainer relations is a fundamental responsibility. It is not to be waved away with quasi-candid admissions that you're just too small a team, too technical, etc. Even if this board member is being totally sincere about his feelings for Ruby and its community, it changes little.
> Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
This is the most candid bit of the article.
RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...
If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.
By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.
To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.
hyperpape
A lot of people are arguing about whether locking down access was justified to resolve the security issues. I guess it's debatable.
But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.
nenenejej
I mean imagine you are at work and you need to so this for SOC2 or something but dont tell your colleagues.
kragen
I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)
I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.
Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.
hluska
> reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation.
There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.
Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.
vintagedave
> A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
This makes a lot of sense, and it puts the 'drastic' action in understandable light.
It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?
Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.
cyanydeez
Pretty sure github issues would enligghten everyone on the timely communication of funding requirements
rubiest2010
This is a reasonable perspective but leaves a lot of unanswered questions and creates more questions. Who is the funder threatening to pull funding and why were they not more collaborative or flexible with Ruby Central? Did they know that this is how their request would be handled?
How much information and what information did Board members have when making their votes?
One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.
rubiest2010
To add, did Ruby Central consider going to the community and asking for funding so they wouldn’t have to be beholden to one or a small group of key funders? If they were at risk of shutting down without this funding source I think the community might have rallied around them so they could make more independent decisions in the best interests of the community.
This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.
hluska
This program is public and has been for a very long time - it’s called the Community Support Program because Windows devs don’t have enough nightmares of the acronym CSP.
Do you contribute? I can send you a link if you don’t.
hluska
I don’t know why the funder matters. RC agreed to a contract that provided a fixed date by which these issues needed to be resolved or funding would be terminated. Exploding terms are rare in funding agreements because they don’t make the funder look good when they explode. Back in my non profit board days, I learned that contracts with exploding terms need to go in front of the entire board instantly for action or lawyers will get paid.
rubiest2010
[dead]
andersmurphy
> Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.
decasia
Agreeing with most of the other comments here that this discussion needs more context which we don't have...
If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)
qrush
I'm truly hoping for a reasonable resolution on all sides for this situation. IMO Ruby is too small, and shrinking compared to Python and JS/TS especially in the AI era, to be able to afford any splintering of efforts.
bradly
I still remember your The Legal Stuff post on Google Groups from a million years ago. <3
rubiest2010
Agreed. I wish the communications would move away from FUD that could scare people away from using Ruby when things are already splintered. A more honest and transparent accounting of what really happened is necessary.
eutropia
I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.
Something like:
"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."
Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...
adriand
Sounds like you should volunteer for Ruby Central to help them with their communications! I don't mean that facetiously: it seems that they could use you, or someone like you, with comms. As the OP readily admits, this is not a strong point for them.
My general take on this:
1) Nerds are often not the best at communicating.
2) People on the Internet can be very cruel towards people they don't know.
We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.
nenenejej
This has the advantage of being short and so take way less brainpower to piece what actually happened. Reading between lines is exhausting.
anyonecancode
What I'm missing is what, if any, communication Ruby Central had with maintainers.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.
I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.
This story is missing any context around what occurred. The only thing I was able to find was by searching, and I came to this PDF statement.
https://pup-e.com/goodbye-rubygems.pdf
> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
> added non-maintainer Marty Haught of Ruby Central, and
> removed every other maintainer of the RubyGems project.
> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams
Which is important context that was left out of this board member's statement.