A board member's perspective of the RubyGems controversy

This story is missing any context around what occurred. The only thing I was able to find was by searching, and I came to this PDF statement.

https://pup-e.com/goodbye-rubygems.pdf

> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,

> added non-maintainer Marty Haught of Ruby Central, and

> removed every other maintainer of the RubyGems project.

> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams

Which is important context that was left out of this board member's statement.

> A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

This makes a lot of sense, and it puts the 'drastic' action in understandable light.

It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?

Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.

I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)

I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.

Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.

The only reason why Ruby and other open source projects survive is because large companies can trust them to do the right thing. Given the critical nature of the supply chain attacks, what the board did was 100% right. Like he said, some people's egos got hurt but if no one can trust the maintainers, then Ruby has no future in the industry and it will die quickly.

This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.

> Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.

Agreeing with most of the other comments here that this discussion needs more context which we don't have...

If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)

A few prior comments here as well: https://news.ycombinator.com/item?id=45325792

I'm truly hoping for a reasonable resolution on all sides for this situation. IMO Ruby is too small, and shrinking compared to Python and JS/TS especially in the AI era, to be able to afford any splintering of efforts.

I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.

Something like:

"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."

Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...

It's kind of a tradition on HN to read very little of the OP before commenting. That may not be a good tradition.

> [The Ruby Central board] is a small group of volunteers

is somewhat at odds with

> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,

but not so much. Then the sentence goes on with

> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.

So something has been wrongly managed or wrongly sold.

Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.

Locking out a guy like David Rodriguez (the main person I see doing bundler commits) in a dramatic fashion just seems like absolute craziness. I can't fathom doing it without a very good reason, which has yet to be revealed if it exists.