> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
> added non-maintainer Marty Haught of Ruby Central, and
> removed every other maintainer of the RubyGems project.
> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams
Which is important context that was left out of this board member's statement.
How you can tell this is all lies from the board is simple:
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
The first thing is they didn't tell them. The second bit is simple:
"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."
There's a bunch of red flags here. The author of the article is desperately trying to sound like pert of the Ruby developer community, not some corporate type power player trying to maximise profits and their own bonus...
In the linked post the author claims to be just some grateful Ruby developer volunteering their time to mundane bookkeeping tasks for an organisation they feel lead to support, describing themselves with:
When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.
20 years later, and here I am, a reasonably successful person who's built a career out of building software.
Freedom Dumlao is a seasoned technology executive with experience at leading companies like Vestmark, Flexcar, Zipcar, Wayfair, and Amazon. Currently the CTO of Vestmark, Freedom brings strategic insights that will help drive Ruby Central’s efforts to expand the Ruby ecosystem and build stronger connections with top companies and startups.
The post appears to be signed as "MINASWAN", a well know pseudonym for Yukihiro Matsumoto, the chief designer of the Ruby programming language. Hard to imagine a scenario where that was accidental and not an attempt to manipulate readers into assuming Yukihiro has something to do with writing the post.
It's posted to a Substack launched 1 day ago. With the username/subdomain "apiguy" - suspiciously not 'ctoguy' or 'seasonedtechnologyguy'.
I place pretty close to zero respect for the OPs position, compared to well known names in the decade long Ruby Gems committer community.
> Initialism of Matz is nice and so we are nice: a motto of the Ruby programming language community, in reference to the demeanor of Yukihiro Matsumoto (nicknamed Matz) [...].
Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.
No, reasonable people would not have accepted "we're unilaterally deciding to lock you out with no advance notice, over something we could and should have been discussing for many months or years, but instead screwed up so badly that we're doing it ten minutes from now".
Tekin's conclusion: "it will send a clear message to the wider Ruby community (and those who may be considering joining it) that the majority does not stand with DHH and his toxic views."
He is going to be ultra surprised to learn what the majority thinks and how it's not what he thinks it is.
Using your personal brand to espouse the values of ethnonationalism fundamentally serves the capital class wishing to divide and exploit social order among those who labor. This is so rich, coming from the guy who literally created a tool that increases the value of labor.
So, if I had to guess, the smart, critical thinkers in the _global_ Ruby community might find this whole situation reeks.
If I were an immigrant to the UK and a Rails developer, and DHH is getting re-platformed while saying crazy stuff like this, I would think twice about my career choices going forward — Or, push the Ruby community not to stand with a garbage attitude like this, even if from a BDFL-type personality. I _invested_ my life into promoting the use of your tool, while you disparage me based on skin color and country of origin for the sake of some 'ye olde country' vibefest?
Wow! When that one DHH blog went around the other day, I didn't actually pay attention to who the author was. All I saw was yet another bigoted rant and just skimmed it and rolled my eyes. (e: here it is to save people the effort: https://world.hey.com/dhh/as-i-remember-london-e7d38e64 )
I should not have skimmed it. From your link:
> In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.
> To all of that he ads a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the the US Tea Party, and Tommy Robinson himself.
This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.
edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:
> Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.
Well, if that doesn't speak volumes as to DHH's values, I don't know what does.
> To all of that he ads a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report
Were independent inquiries also repeating weaponised tropes from long since discredited reports?
“By far the majority of perpetrators were described as 'Asian' by victims, yet throughout the entire period, councillors did not engage directly with the Pakistani-heritage community to discuss how best they could jointly address the issue. Some councillors seemed to think it was a one-off problem, which they hoped would go away. Several staff described their nervousness about identifying the ethnic origins of perpetrators for fear of being thought racist; others remembered clear direction
from their managers not to do so.”
The ultimate problems lie in the police: they are generally terrible at handling rape cases, and in this case there are claims that they were actively complicit in some of the rapes.
Using the actions of some members of an ethnic minority to justify .. well, any action against people who were not actually personally involved, is textbook discrimination.
He makes his position clear enough in the second paragraph,
for those who know how to read between the lines.
"London is no longer the city I was infatuated with in the late '90s and early 2000s. Chiefly because it's no longer full of native Brits."
This post is full of outright nonsense. I was in Central London last Saturday and watched a lot of it go down, before heading to Islington and then catching the last dregs of the crowd nearer Euston and chatting in the pub with some of them.
As a "native Brit" and "native Londoner" that DHH wouldn't recognise as such, he can absolutely do one.
As a fellow Scandinavian, DHH is just writing what the vast majority of us think. And it isn’t racist. That word is being misused until it soon has no value left; you sure you want that?
Tekin, what makes a Turk less white than a Greek or Spaniard?
If it's cultural (religion, music/sports related subcultures and codes) then it's chosen. Nobody can force you into a subculture in the West. As soon as you turn 18 you can essentially do what you want, most likely even way before that.
You can chose your subculture, how you dress, style your hair, talk and are read by the mainstream society. Actual racists go by skin color and ignore your cultural choices, fuck them.
Not really, racists often include ethnic features such as hair texture or even nose shape within their criteria for racial exclusion.
While in certain cultural contexts Turks may be read as white, within Europe there is a history of excluding them from whiteness and presenting them as a threat to European culture, mostly due to Islamophobia
It was not left out of the statement. I understood that was essentially what happened by the time I got to the end of his piece. The only exception being the “with no warning or communication” part. Obviously there is disagreement about whether that is true or not.
Everything you're quoting is from one aggrieved person, who clearly felt slighted, and who left out a whole lot of context in their own post. The article above is a lot more reasoned, less emotional, and seems completely reasonable to me. Ruby Central clearly has issues with both internal and external communication. And the above article isn't an official statement either; it's just one person, not involve in the decision, offering another perspective.
Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.
The conversation terminated because the majority of those people then had their access revoked again.
When weighing the facts here; which group or claimant has the most evidence for their claims?
The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?
I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.
Right now the board is acting indistinguishably from Andrew Lee during the Freenode collapse, and, like, everyone else who ever did a hostile takeover of an open source project ever. Supporters of the board are acting indistinguishably from supporters of Andrew Lee during the Freenode collapse.
Less emotional? It comes from someone who has no personal stake in the outcome, and was in the loop for the decision making. Versus someone who was personally slighted and was not properly communicated with about such a big change.
A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.
This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.
So Ruby Central, by their own admission, agreed to take $$$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project in favor of their own funding. And also they apparently used this as an opportunity to consolidate their power in other ways (renaming the github org) for reasons that were unrelated to the self-imposed deadline. How does this make them look better?
For any company that wants to secure and maintain critical source infrastructure for a language, community/maintainer relations is a fundamental responsibility. It is not to be waved away with quasi-candid admissions that you're just too small a team, too technical, etc. Even if this board member is being totally sincere about his feelings for Ruby and its community, it changes little.
> Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
This is the most candid bit of the article.
RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...
If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.
By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.
To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.
I think that most Rubyists want to forgive each other and move forward. The board, staff, and volunteers at Ruby Central are all people and people are fallible, that's fine. The way to receive forgiveness isn't to convince others (who weren't there and who don't have the full context) that what was done was reasonable or justified. It doesn't matter. It doesn't even matter who is at fault. What matters is who will take responsibility.
The actions taken by people in service of Ruby Central have had unintended consequences, including damaging the community's trust in Ruby Central's stewardship.
A new governance model will solve only the problem of there not being a governance model. There also has to be an acknowledgment that the lack of an existing appropriate governance model wasn't just a "fiduciary failure," but a failure which cased harm to the community and contributors. Contributors who—like the board—are volunteers, and would have probably liked to have their significant dedication shown more respect.
You show respect to someone by giving them important information from which they can use to make their own decisions. As opposed to withholding information because you are uncomfortable with the possibility that they may make a decision you don't want them to.
A lot of people are arguing about whether locking down access was justified to resolve the security issues. I guess it's debatable.
But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.
Firstly, you can tell them you’re working on SOC2 compliance, and secondly, those colleagues are getting paid in dollars, not doing it for the love of the work.
I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)
I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.
Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.
> reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation.
There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.
Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.
This is a reasonable perspective but leaves a lot of unanswered questions and creates more questions. Who is the funder threatening to pull funding and why were they not more collaborative or flexible with Ruby Central? Did they know that this is how their request would be handled?
How much information and what information did Board members have when making their votes?
One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.
To add, did Ruby Central consider going to the community and asking for funding so they wouldn’t have to be beholden to one or a small group of key funders? If they were at risk of shutting down without this funding source I think the community might have rallied around them so they could make more independent decisions in the best interests of the community.
This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.
This program is public and has been for a very long time - it’s called the Community Support Program because Windows devs don’t have enough nightmares of the acronym CSP.
Do you contribute? I can send you a link if you don’t.
Why would someone contribute to Ruby central now, when the org has been shown to be callous and incompetent stewards who are utterly incapable of showing even minimal respect to their community?
I don’t know why the funder matters. RC agreed to a contract that provided a fixed date by which these issues needed to be resolved or funding would be terminated. Exploding terms are rare in funding agreements because they don’t make the funder look good when they explode. Back in my non profit board days, I learned that contracts with exploding terms need to go in front of the entire board instantly for action or lawyers will get paid.
Actions were taken, at the request of a major funder or group of funders, that have become a PR problem for the entire Ruby language. This is the third article I’ve seen on HN in the last week and it’s not just Rubyists commenting. This is damaging to everyone who uses Ruby and developers who want job security in the future. These funders should want to maintain the reputation of Ruby, and forcing a nonprofit to take an extreme action like this in a pressure cooker situation puts all of Ruby at risk when it explodes into a scandal. These companies need to work transparently in the best interest of the whole community.
> Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.
> A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
This makes a lot of sense, and it puts the 'drastic' action in understandable light.
It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?
Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.
Locking out a guy like David Rodriguez (the main person I see doing bundler commits) in a dramatic fashion just seems like absolute craziness. I can't fathom doing it without a very good reason, which has yet to be revealed if it exists.
'My work in Bundler & RubyGems is completely halted, including the Bundler 4 project which I expected to complete in the next ~2 months. The immediate reason for this is simple: my commit access to the repository has been revoked, so I can no longer do the job anymore. The more fundamental reason is that I completely lost motivation after all the recent events, regardless of whether work is paid or not.
I'll be happy to resume my work in Bundler & RubyGems if maintainer ownership prior to September, the 9th is restored, and thus the previous maintainer's team is allowed to continue building a transparent and democratic governance model for the project.'
Does “lest we lose critical funding because we don’t have proper agreements with our committers” not cut it as a reason for you? Genuinely curious, it seems like a reasonable explanation assuming it’s true.
Given that access was cut, then restored, then cut again, then days, then someone finally says "hey were were going to lose critical funding" makes it seem like a post-facto excuse for a hostile takeover.
And the whole "oh, well, we're bad at comms" makes it sound even worse!
Which is the whole crux of the issue. At no point in any of this did Ruby Central do anything reasonable. The they tried to explain that their unreasonable actions were reasonable, if you only knew the things they knew, which they were for some reason unable to tell people until just now.
> Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.
> Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
Ruby Central sponsors him to work on the project. They also own the project. Sure it’s not ideal that they’ve apparently come to an impasse of some sort but locking him out is not bonkers.
Then you act in advance or with notice to get those agreements in place. Just dropping an atom bomb on the commit rights of the biggest contributor is very disrespectful.
If you can't work out an agreement after a good faith period... then that can become a good reason.
What's the point of a foundation having funding if there's no ecosystem left to spend it on? And if a single source of funding is so critical that they can demand immediate wide-spreading changes to the ecosystem, is the foundation even independent at all, or just a corporate puppet pretending to be?
Who cares that you have funding for things like build servers and meetups when your core developers walk away and the project is left to rot?
I'm truly hoping for a reasonable resolution on all sides for this situation. IMO Ruby is too small, and shrinking compared to Python and JS/TS especially in the AI era, to be able to afford any splintering of efforts.
Agreed. I wish the communications would move away from FUD that could scare people away from using Ruby when things are already splintered. A more honest and transparent accounting of what really happened is necessary.
Honestly this description makes me even more concerned. There’s a lot of “I don’t know what happened” and “I wasn’t involved” and “apparently we agreed to”.
In particular, after a long winded introduction and setting of the scene, suddenly there’s a mention out of the blue of a 24 hour deadline to cut off access or face losing funding (forever)? But who was holding this deadline over the board’s head is not explained (in fact the author doesn’t seem to know???).
Overall this just reinforces the impression that the RC board handled this sloppily and in a rushed manner, and failed to communicate with long term community members, and thought of themselves as the only parties who mattered, while not taking responsibility for holding such an important position (see the opening paragraphs about how “we don’t have time to communicate to the public because we’re busy programmers without a PR team”).
Agreeing with most of the other comments here that this discussion needs more context which we don't have...
If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)
I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.
Something like:
"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."
Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...
Sounds like you should volunteer for Ruby Central to help them with their communications! I don't mean that facetiously: it seems that they could use you, or someone like you, with comms. As the OP readily admits, this is not a strong point for them.
My general take on this:
1) Nerds are often not the best at communicating.
2) People on the Internet can be very cruel towards people they don't know.
We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.
> Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn't a new development, and I'm honestly very confused about the confusion.
That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.
He is claiming that Ruby Central has the authority. True or not, that claim is not consistent with a coup. You seem to be catastrophizing and constructing misleading quotes, including inverting his words, not because his claim is not true but because of how he communicated it and the impact of it.
My point is that he chose to communicate the way he did; it is poorly thought out and extremely difficult to accept as an explanation.
Objective tests you yourself can perform.
1) How much of the publication talks about himself? Why is that relevant?
2) How much does it directly provide links, context, history? Can you find the opposing point of view directly linked from it, or is it omitted?
3) From reading the content, does this person represent the board, or not? Do they make any conflicting claims that are difficult to both be true at the same time?
4) A coup d'etat is a "a sudden, violent, and unlawful seizure of power from a government"
Were the people who lost access acting as a governing body?
Was the loss of access sudden and unexpected?
Did the loss of access follow any of the rules of the governing group?
Did the loss of access harm individuals?
With the answers to the above, reflect on the following:
Why would someone write about themselves, their experience, etc for 6 paragraphs? Would you say it is clear they have only been appointed since Jan 2025? Or are they trying to establish themselves as an authority? If they are not attempting to appeal to authority, why is it relevant?
Did they actually apologise? If so, to who? Is it specific? Does it clearly articulate what the person did, admit fault, recognise harm? Or is there downplaying of impact, vague language, downplaying of involvement?
Does it characterise the contrary point of view in a way that trivial uses the concerns? Are the conversations "emotional" or is it implied the people experiencing the negative act are? Is the author emotional?
If you were the person or people affected, would you accept this explanation? If you were the person taking these actions, would you explain why like this? Why or why not?
I strongly encourage you to do this exercise, putting aside feelings or initial responses even if you think I am wrong.
Money.
It's all about money.
This is the only sentence from the post worth reading:
"Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going"
What I'm missing is what, if any, communication Ruby Central had with maintainers.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.
I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.
I’m the Homebrew Project leader and care a lot about Ruby so met with both sides to attempt to mediate and posted two threads on Bluesky about what went down:
TL;DR: Regardless of what you think of RubyCentral’s actions, it’s very clear they absolutely screwed up the execution and communication here. In general the transparency is far below what you’d expect from an open source organisation.
> I can't speak for the board or the Ruby Central staff. But I know them and they are like me. They do this because they love Ruby and our community. I'm certain of that.
I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.
The only reason why Ruby and other open source projects survive is because large companies can trust them to do the right thing. Given the critical nature of the supply chain attacks, what the board did was 100% right. Like he said, some people's egos got hurt but if no one can trust the maintainers, then Ruby has no future in the industry and it will die quickly.
This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.
I think you got things mixed up, open source projects survive because volunteers believe in them and want to contribute to them. Large companies rarely get involved, occasionally with some funding.
It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.
Only time will tell if this was really damaging to the ruby community or just a temporary hurdle
Look at the core maintainers of Rails for example. Many are paid by Shopify and Basecamp, so it’s much more commercial than your regular open source project.
Which isn’t a bad thing that people get to contribute on company time.
Again this is mixed causality. Rails did not take off because of commercial interests – besides dhh who was working on it on the side, all the initial committers were doing that for fun.
Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.
gems and bundler is for everyone though, even hobbyists writing scripts. Alienating contributors who support common infrastructure for no good reason is just plain stupid especially when those projects wasn't theirs to begin with
The board was not 100% right, not even close. I’ll assume their technical actions were justified. But they screwed the communication badly in a domain where informal trust is an important commodity. Therefore, they flubbed a big chunk of their responsibility.
> I want to apologize, genuinely, to people who have felt (...) outrage (...) after reading some of what others have shared.
He's apologizing for what others have shared, not for what they (Ruby Central) did.
> I often go out of my way to avoid making people feel bad
"I'm the good guy."
> and so to be part of what's caused so much chaos lately has really been awful.
"_I_ feel awful."
"I'm sorry for what others have said about what we _did_. I feel awful for people being outraged" Amazing.
> this is a small group of volunteers spread out all over the globe. (...) It's just us.
You didn't, for a single moment, think about notifying the people involved that you are removing them? It's the very first thing to do - notify someone who's involved of the change in their status. If your communication skills didn't reach a level in which you thought that would be the thing to do, I don't know what to tell you.
> It is really boring stuff. So why do I do it?
So what? Should we feel sorry for you?
> I love the community. I love the people who use Ruby, (...) I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.
Cool.
> I can't speak for the board or the Ruby Central staff. But (...)
proceeds to speak for the board and the Ruby Central staff.
> Ruby Central has been responsible for RubyGems and Bundler for a long time.
This is a lie. RubyGems and Bundler have been maintained by a group of core maintainers. Some members of this group were also Ruby Central staff, but not all.
> It's not a new story that Ruby Central has been working on (or trying to at least) improve the governance model for Bundler and RubyGems.
It's a new story to me. If it's not a new story, do you mind sharing some links to past discussions?
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
You learn some basic English. And then let them know. It's called communication.
> And what if other people who do still need that access claim things like "If you remove their access, I'll just add it back" or "If you remove their access, I'll quit".
It's called consensus. And communication. You talk. You speak with people. And then you agree on a decision.
> These are emotional conversations.
Yes, they are. Is that why we shouldn't have them? When you want to leave your wife, do you just leave? What a strong person with strong values.
> I wasn't a part of them and can't actually speak to the content of the conversations or how they were handled.
Bad. They were handled bad.
Why did you write this post? You don't have information, you don't know what happened...you just love people and community and companies. Happy happy joy joy.
> we don't have a "communications team"
You don't need a communications team. You just need to have a communication channel public or private, where you can reach all of the core members. It could be an email with everyone in CC.
> A deadline (which as far as I understand, we agreed to) loomed.
If you're not sure whether it was agreed on, again, communication. Learn how to communicate.
Which deadline? Who set this deadline?
> With less than 24 hours to go
Did someone give you 24 hours deadline? Why wasn't this discussed long before the deadline?
> Marty, Ruby Central's Director of Open Source
How the f is Marty? If he wasn't one of RubyGems maintainers, why is he suddenly being put as the main maintainer? Aside from communication issues, you also have decision making issues. All of the core members should come to an agreement, without Marty.
> I love this community and I love Ruby.
Cool.
Please find some time to read a book or two on communication skills. As well as decision making.
Read the comments in this thread. Ignore mine, don't think too much about it. Just read other comments. Then think again about your decision and to which percentage people in this thread agree with it. And perhaps reevaluate it.
Christ what a clusterfuck. I only use Ruby because of Rails so whatever DHH says I'll go with. If he says this is bogus it's bogus, otherwise it's not bogus.
> [The Ruby Central board] is a small group of volunteers
is somewhat at odds with
> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,
but not so much. Then the sentence goes on with
> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
So something has been wrongly managed or wrongly sold.
Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.
Very reasonable other side to this story, which doesn’t come as much of a surprise. Too bad it didn’t hit the front page.
People went WAY too far WAY too fast on this. There HAS to be urgency to this, the software supply chain is presently, undeniably, under attack.
Frankly, everyone blasting RubyCentral the last few days should feel shame and embarrassment. These aren’t evil suits at Microsoft, they’re normal people invested in maintaining a critical piece of infrastructure for the good of all who love and profit from Ruby.
What? This article is absolutely damning re: RC's leadership and the utter lack of proper transparency, strategic planning, marketing/PR, and solid OSS governance. Did we read the same article?!
Honestly I don’t know how to feel about it anymore, but I found the rhetoric way too explosive at the time, when nothing was really known. Now that some time has passed, and more has been said… yeah I get your point too.
Ruby has been a HUGE part of building my career, I don’t want to see it slide away one questionable move at a time into full corporate control. It’s not TOO hard to see how this whole thing could just be step one of that :/
I hate this for the community - I’m an outsider, who always wanted to give Ruby (and Rails) a good swing. However, after this, and after learning about dhh’s awful (imo) stances, I’m not ever going to go near any of it.
I had a similar “yuck” when WPEngine started taking Mullenweg to task over all of the WordPress shenanigans - that hit a lot closer to home for me, as I’ve spent about half of my career building great sites and applications on top of Wordpress. Although I’ve moved on, I was still an active contributor on the WP StackExchange and had my ear to the ground in several plugin repos I authored for employers who contributed to Five for the Future, and replied to comments on blog posts from people who found my previous insights helpful.
I have zero interest to ever go back to that project because of how poorly it’s been managed - if you want to see one man completely wreck an open-source ecosystem, it’s quite a fascinating if not depressing story.
i read the article, but didn't see anything damning about it. how big of a staff do you think a tiny 501c3 like RubyCentral is? RC shepherds a pretty small community around a niche DSL with a shoestring non-profit budget that mostly goes towards running conferences.. you can see their financial reports here https://projects.propublica.org/nonprofits/organizations/300...
expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the Github org anymore. Any one of them were huge targets for adversaries who want to ship malware in Rubygems, supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.
my main takeaway from reading all this is why were so many assorted people given such high levels of access..
"These randos" are our friends and fellow contributors. Probably everybody in the Ruby community has worked with theme in one capacity or another. The article provides no reason why they should have had their contribution permissions revoked. Just because you think of Ruby as a "niche DSL" and the people maintaining its core infrastructure as "randos" doesn't mean the rest of us do.
I'm for least privildge and tightening up perms, reviewing who has access. But it just needed some comms and timeline. Unless there was an obvious immediate threat.
just because someone is a nice community member doesn't mean they deserve rewrite-the-commit history admin level access to rubygems and bundler. they can be great committers even without the ego boost of knowing you hold the keys to get a ton of companies hacked without interference.
also, if you step back, Ruby's problem is it consists of a fading community of millenials and Gen Xers who first came to Rails when it was the best/coolest option. however with the majority of builders now turning to JS for web, Rust (and Go) for systems, and Python for ML, it doesn't have a use case anymore that can drive a community or any hope for growth in the future. so a "niche DSL" for legacy webapps and plugin systems is what's left IMO, but i'm sorry for being super frank about it
languages like this with a shrinking community and loose security policies pose around the centralized package management system pose high security risks to its users.
I'm not saying that they're just "a nice community member", I'm saying that they're the ones doing the work. They're not randos, they're trusted maintainers in the ecosystem with a proven track record. After the purge, rubygems and Bundler has only one active maintainer, one who's splitting his time between Rails, Ruby core, and many other open source projects. The bundler and gem-specific experts have been removed, and we've gone from a bus factor of 4-5 to a bus factor of 1. This is much, much more unacceptable then the theoretical risk of a trusted, active maintainer with 10+ years of community experience suddenly deciding to go rogue and rewrite history (has this ever happened in the history of a supply chain attack?)
Also, commit access to Github doesn't even say anything about access to deploying the actual package on rubygems. If security really was the goal, there were a million less invasive ways to make this change then revoking commit access from the active maintainers. Set up branch protections, require approvals, etc. There are a lot more tools in the toolbox other than "remove all of the maintainers".
I think a lot of people did read the OP and were left wanting - I know I did and was.
Breaking down the posted article, there’s a lot missing (which the author admits), and it’s not clear really what the goal of the post was other than to say “someone, not me, made an oops. But it’s fine, right, because the community needed this to happen.”
Parts that were particularly odd, that others have said with better words:
- Who imposed this ultimatum on RC?
- How long was the timeline to “tighten things up”? It sounds like there was both a decent amount of time and an immediate urgency - it can’t be both.
- “We’re nerds who can’t communicate well” (paraphrased) is such a poor argument - I get it, I’ve had to do a lot of work to figure out how to navigate social spaces and how to communicate effectively in professional settings. That said, the author is writing as if they’ve never had a single conversation with a technical person that they didn’t know well; that any conversation about removing or reducing access would be a catastrophe. That’s ridiculous.
It seems that either there was poor planning around this, or someone forgot about the deadline and YOLO’d it, or there was a malicious push to oust some of the biggest contributors under the guise of security.
One thing is clear, regardless of what the root cause of this all was: RC showed a deep lack of respect for the people that make their community what it is, and that stinks.
https://pup-e.com/goodbye-rubygems.pdf
> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
> added non-maintainer Marty Haught of Ruby Central, and
> removed every other maintainer of the RubyGems project.
> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams
Which is important context that was left out of this board member's statement.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
The first thing is they didn't tell them. The second bit is simple:
"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."
That email takes 10 minutes to write and send.
In the linked post the author claims to be just some grateful Ruby developer volunteering their time to mundane bookkeeping tasks for an organisation they feel lead to support, describing themselves with:
-----------------------------------------------------------------
When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.
20 years later, and here I am, a reasonably successful person who's built a career out of building software.
-----------------------------------------------------------------
Yet the Ruby Central website describe them like this:
-----------------------------------------------------------------
Freedom Dumlao is a seasoned technology executive with experience at leading companies like Vestmark, Flexcar, Zipcar, Wayfair, and Amazon. Currently the CTO of Vestmark, Freedom brings strategic insights that will help drive Ruby Central’s efforts to expand the Ruby ecosystem and build stronger connections with top companies and startups.
-----------------------------------------------------------------
The post appears to be signed as "MINASWAN", a well know pseudonym for Yukihiro Matsumoto, the chief designer of the Ruby programming language. Hard to imagine a scenario where that was accidental and not an attempt to manipulate readers into assuming Yukihiro has something to do with writing the post.
It's posted to a Substack launched 1 day ago. With the username/subdomain "apiguy" - suspiciously not 'ctoguy' or 'seasonedtechnologyguy'.
I place pretty close to zero respect for the OPs position, compared to well known names in the decade long Ruby Gems committer community.
From https://en.m.wiktionary.org/wiki/MINASWAN
> Initialism of Matz is nice and so we are nice: a motto of the Ruby programming language community, in reference to the demeanor of Yukihiro Matsumoto (nicknamed Matz) [...].
Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.
No, reasonable people would not have accepted "we're unilaterally deciding to lock you out with no advance notice, over something we could and should have been discussing for many months or years, but instead screwed up so badly that we're doing it ten minutes from now".
And communicating [situation], [action(s)], [how this affects you] is one of the most basic professional communication skills you could imagine.
Sounds like they made some really big changes and put zero effort into communicating to people who've spent 10+ years working on the project.
He is going to be ultra surprised to learn what the majority thinks and how it's not what he thinks it is.
Using your personal brand to espouse the values of ethnonationalism fundamentally serves the capital class wishing to divide and exploit social order among those who labor. This is so rich, coming from the guy who literally created a tool that increases the value of labor.
So, if I had to guess, the smart, critical thinkers in the _global_ Ruby community might find this whole situation reeks.
If I were an immigrant to the UK and a Rails developer, and DHH is getting re-platformed while saying crazy stuff like this, I would think twice about my career choices going forward — Or, push the Ruby community not to stand with a garbage attitude like this, even if from a BDFL-type personality. I _invested_ my life into promoting the use of your tool, while you disparage me based on skin color and country of origin for the sake of some 'ye olde country' vibefest?
Does DHH even know where his principles lie?
I should not have skimmed it. From your link:
> In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.
> To all of that he ads a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the the US Tea Party, and Tommy Robinson himself.
This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.
edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:
> Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.
Well, if that doesn't speak volumes as to DHH's values, I don't know what does.
Were independent inquiries also repeating weaponised tropes from long since discredited reports?
“By far the majority of perpetrators were described as 'Asian' by victims, yet throughout the entire period, councillors did not engage directly with the Pakistani-heritage community to discuss how best they could jointly address the issue. Some councillors seemed to think it was a one-off problem, which they hoped would go away. Several staff described their nervousness about identifying the ethnic origins of perpetrators for fear of being thought racist; others remembered clear direction from their managers not to do so.”
https://www.rotherham.gov.uk/downloads/file/279/independent-...
The ultimate problems lie in the police: they are generally terrible at handling rape cases, and in this case there are claims that they were actively complicit in some of the rapes.
Using the actions of some members of an ethnic minority to justify .. well, any action against people who were not actually personally involved, is textbook discrimination.
This post is full of outright nonsense. I was in Central London last Saturday and watched a lot of it go down, before heading to Islington and then catching the last dregs of the crowd nearer Euston and chatting in the pub with some of them.
As a "native Brit" and "native Londoner" that DHH wouldn't recognise as such, he can absolutely do one.
If it's cultural (religion, music/sports related subcultures and codes) then it's chosen. Nobody can force you into a subculture in the West. As soon as you turn 18 you can essentially do what you want, most likely even way before that.
You can chose your subculture, how you dress, style your hair, talk and are read by the mainstream society. Actual racists go by skin color and ignore your cultural choices, fuck them.
While in certain cultural contexts Turks may be read as white, within Europe there is a history of excluding them from whiteness and presenting them as a threat to European culture, mostly due to Islamophobia
This is how your point reads like: Just cosplay as a white european christian, and if you still experience racism... well fuck those racists.
Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.
https://github.com/rubygems/rfcs/pull/61
The conversation terminated because the majority of those people then had their access revoked again.
When weighing the facts here; which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?
I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.
You responded with an ad-hominem attack. If you can offer a rebuttal of the facts then please do, otherwise try to refrain from personal attacks.
Having access revoked with no heads up is a slight. You’re goddamned right they feel slighted. They were slighted.
“Feel slighted” is like “I’m sorry you’re upset”. You put everything on the aggrieved party when you say it like that.
^ This was a personal attack.
A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.
And still! If there is an "official" statement, I can't find one on https://rubycentral.org/.
This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.
2. Click News.
3. It’s the top item.
Direct link: https://rubycentral.org/news/strengthening-the-stewardship-o...
> less emotional,
Expressing emotions is good, actually.
> Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
This is the most candid bit of the article.
RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...
If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.
By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.
To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.
The actions taken by people in service of Ruby Central have had unintended consequences, including damaging the community's trust in Ruby Central's stewardship.
A new governance model will solve only the problem of there not being a governance model. There also has to be an acknowledgment that the lack of an existing appropriate governance model wasn't just a "fiduciary failure," but a failure which cased harm to the community and contributors. Contributors who—like the board—are volunteers, and would have probably liked to have their significant dedication shown more respect.
You show respect to someone by giving them important information from which they can use to make their own decisions. As opposed to withholding information because you are uncomfortable with the possibility that they may make a decision you don't want them to.
But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.
Bingo
I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.
Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.
There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.
Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.
How much information and what information did Board members have when making their votes?
One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.
This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.
Do you contribute? I can send you a link if you don’t.
Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.
This makes a lot of sense, and it puts the 'drastic' action in understandable light.
It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?
Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.
[0] https://rubygems.org/gems/bundler
[1] https://web.archive.org/web/20250824033341/https://rubygems....
'My work in Bundler & RubyGems is completely halted, including the Bundler 4 project which I expected to complete in the next ~2 months. The immediate reason for this is simple: my commit access to the repository has been revoked, so I can no longer do the job anymore. The more fundamental reason is that I completely lost motivation after all the recent events, regardless of whether work is paid or not.
I'll be happy to resume my work in Bundler & RubyGems if maintainer ownership prior to September, the 9th is restored, and thus the previous maintainer's team is allowed to continue building a transparent and democratic governance model for the project.'
Given that access was cut, then restored, then cut again, then days, then someone finally says "hey were were going to lose critical funding" makes it seem like a post-facto excuse for a hostile takeover.
And the whole "oh, well, we're bad at comms" makes it sound even worse!
Which is the whole crux of the issue. At no point in any of this did Ruby Central do anything reasonable. The they tried to explain that their unreasonable actions were reasonable, if you only knew the things they knew, which they were for some reason unable to tell people until just now.
Could it be true? Sure, absolutely.
Does it seem reasonable at the moment? Hell no.
> Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.
> Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
deivid-rodriguez's last commits were Sept 18: https://github.com/rubygems/rubygems/commits/master/?since=2...
With 7873 commits since 2018 he's 2x over the second one and crushingly the most active contributor since then: https://github.com/rubygems/rubygems/graphs/contributors
However you slice it, none of that fits into TFA's above narrative.
His access being revoked can only be described as complete bonkers.
From the guy who has supplied most of the chain.
If you can't work out an agreement after a good faith period... then that can become a good reason.
Who cares that you have funding for things like build servers and meetups when your core developers walk away and the project is left to rot?
In particular, after a long winded introduction and setting of the scene, suddenly there’s a mention out of the blue of a 24 hour deadline to cut off access or face losing funding (forever)? But who was holding this deadline over the board’s head is not explained (in fact the author doesn’t seem to know???).
Overall this just reinforces the impression that the RC board handled this sloppily and in a rushed manner, and failed to communicate with long term community members, and thought of themselves as the only parties who mattered, while not taking responsibility for holding such an important position (see the opening paragraphs about how “we don’t have time to communicate to the public because we’re busy programmers without a PR team”).
Wildly unprofessional or just willful lying.
If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)
Something like:
"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."
Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...
My general take on this:
1) Nerds are often not the best at communicating.
2) People on the Internet can be very cruel towards people they don't know.
We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.
"I WANT to apologize ... that I feel awful."
"How can you possibly talk to someone about changing access, when multiple people tell you no, you are wrong?! A coup is the only way!"
"Because funding deadline, we executed a coup, which will keep everyone safe from hostile actors... Taking over accounts and access"
That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.
Objective tests you yourself can perform.
1) How much of the publication talks about himself? Why is that relevant?
2) How much does it directly provide links, context, history? Can you find the opposing point of view directly linked from it, or is it omitted?
3) From reading the content, does this person represent the board, or not? Do they make any conflicting claims that are difficult to both be true at the same time?
4) A coup d'etat is a "a sudden, violent, and unlawful seizure of power from a government"
Were the people who lost access acting as a governing body? Was the loss of access sudden and unexpected? Did the loss of access follow any of the rules of the governing group? Did the loss of access harm individuals?
With the answers to the above, reflect on the following:
Why would someone write about themselves, their experience, etc for 6 paragraphs? Would you say it is clear they have only been appointed since Jan 2025? Or are they trying to establish themselves as an authority? If they are not attempting to appeal to authority, why is it relevant?
Did they actually apologise? If so, to who? Is it specific? Does it clearly articulate what the person did, admit fault, recognise harm? Or is there downplaying of impact, vague language, downplaying of involvement?
Does it characterise the contrary point of view in a way that trivial uses the concerns? Are the conversations "emotional" or is it implied the people experiencing the negative act are? Is the author emotional?
If you were the person or people affected, would you accept this explanation? If you were the person taking these actions, would you explain why like this? Why or why not?
I strongly encourage you to do this exercise, putting aside feelings or initial responses even if you think I am wrong.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.
I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.
https://bsky.app/profile/mikemcquaid.com/post/3lz7klsyue22f
https://bsky.app/profile/mikemcquaid.com/post/3lzfxctubbk2y
TL;DR: Regardless of what you think of RubyCentral’s actions, it’s very clear they absolutely screwed up the execution and communication here. In general the transparency is far below what you’d expect from an open source organisation.
I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.
Seems pretty clear-cut to me.
Just drop all the facts. Acknowledge you fucked up. Or dont say anything at all?
A board position means responsibility not just "head down coding". And that means communicating with people.
For clarity I wasnt super keen on the original submission this is responding to, for similar reasons.
This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.
It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.
Only time will tell if this was really damaging to the ruby community or just a temporary hurdle
Which isn’t a bad thing that people get to contribute on company time.
Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.
> 37signals built Rails for Basecamp and has since used it to create all their web products.
From: https://rubyonrails.org/foundation/37signals
gems and bundler is for everyone though, even hobbyists writing scripts. Alienating contributors who support common infrastructure for no good reason is just plain stupid especially when those projects wasn't theirs to begin with
just because they host it doesn't mean it's theirs
my webhost doesn't own the community around my projects simply because it's on their server
> I want to apologize, genuinely, to people who have felt (...) outrage (...) after reading some of what others have shared.
He's apologizing for what others have shared, not for what they (Ruby Central) did.
> I often go out of my way to avoid making people feel bad
"I'm the good guy."
> and so to be part of what's caused so much chaos lately has really been awful.
"_I_ feel awful."
"I'm sorry for what others have said about what we _did_. I feel awful for people being outraged" Amazing.
> this is a small group of volunteers spread out all over the globe. (...) It's just us.
You didn't, for a single moment, think about notifying the people involved that you are removing them? It's the very first thing to do - notify someone who's involved of the change in their status. If your communication skills didn't reach a level in which you thought that would be the thing to do, I don't know what to tell you.
> It is really boring stuff. So why do I do it?
So what? Should we feel sorry for you?
> I love the community. I love the people who use Ruby, (...) I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.
Cool.
> I can't speak for the board or the Ruby Central staff. But (...)
proceeds to speak for the board and the Ruby Central staff.
> Ruby Central has been responsible for RubyGems and Bundler for a long time.
This is a lie. RubyGems and Bundler have been maintained by a group of core maintainers. Some members of this group were also Ruby Central staff, but not all.
> It's not a new story that Ruby Central has been working on (or trying to at least) improve the governance model for Bundler and RubyGems.
It's a new story to me. If it's not a new story, do you mind sharing some links to past discussions?
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
You learn some basic English. And then let them know. It's called communication.
> And what if other people who do still need that access claim things like "If you remove their access, I'll just add it back" or "If you remove their access, I'll quit".
It's called consensus. And communication. You talk. You speak with people. And then you agree on a decision.
> These are emotional conversations.
Yes, they are. Is that why we shouldn't have them? When you want to leave your wife, do you just leave? What a strong person with strong values.
> I wasn't a part of them and can't actually speak to the content of the conversations or how they were handled.
Bad. They were handled bad. Why did you write this post? You don't have information, you don't know what happened...you just love people and community and companies. Happy happy joy joy.
> we don't have a "communications team"
You don't need a communications team. You just need to have a communication channel public or private, where you can reach all of the core members. It could be an email with everyone in CC.
> A deadline (which as far as I understand, we agreed to) loomed.
If you're not sure whether it was agreed on, again, communication. Learn how to communicate. Which deadline? Who set this deadline?
> With less than 24 hours to go
Did someone give you 24 hours deadline? Why wasn't this discussed long before the deadline?
> Marty, Ruby Central's Director of Open Source
How the f is Marty? If he wasn't one of RubyGems maintainers, why is he suddenly being put as the main maintainer? Aside from communication issues, you also have decision making issues. All of the core members should come to an agreement, without Marty.
> I love this community and I love Ruby.
Cool.
Please find some time to read a book or two on communication skills. As well as decision making.
Read the comments in this thread. Ignore mine, don't think too much about it. Just read other comments. Then think again about your decision and to which percentage people in this thread agree with it. And perhaps reevaluate it.
is somewhat at odds with
> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,
but not so much. Then the sentence goes on with
> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
So something has been wrongly managed or wrongly sold.
Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.
People went WAY too far WAY too fast on this. There HAS to be urgency to this, the software supply chain is presently, undeniably, under attack.
Frankly, everyone blasting RubyCentral the last few days should feel shame and embarrassment. These aren’t evil suits at Microsoft, they’re normal people invested in maintaining a critical piece of infrastructure for the good of all who love and profit from Ruby.
Ruby has been a HUGE part of building my career, I don’t want to see it slide away one questionable move at a time into full corporate control. It’s not TOO hard to see how this whole thing could just be step one of that :/
I had a similar “yuck” when WPEngine started taking Mullenweg to task over all of the WordPress shenanigans - that hit a lot closer to home for me, as I’ve spent about half of my career building great sites and applications on top of Wordpress. Although I’ve moved on, I was still an active contributor on the WP StackExchange and had my ear to the ground in several plugin repos I authored for employers who contributed to Five for the Future, and replied to comments on blog posts from people who found my previous insights helpful.
I have zero interest to ever go back to that project because of how poorly it’s been managed - if you want to see one man completely wreck an open-source ecosystem, it’s quite a fascinating if not depressing story.
expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the Github org anymore. Any one of them were huge targets for adversaries who want to ship malware in Rubygems, supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.
my main takeaway from reading all this is why were so many assorted people given such high levels of access..
also, if you step back, Ruby's problem is it consists of a fading community of millenials and Gen Xers who first came to Rails when it was the best/coolest option. however with the majority of builders now turning to JS for web, Rust (and Go) for systems, and Python for ML, it doesn't have a use case anymore that can drive a community or any hope for growth in the future. so a "niche DSL" for legacy webapps and plugin systems is what's left IMO, but i'm sorry for being super frank about it
languages like this with a shrinking community and loose security policies pose around the centralized package management system pose high security risks to its users.
Also, commit access to Github doesn't even say anything about access to deploying the actual package on rubygems. If security really was the goal, there were a million less invasive ways to make this change then revoking commit access from the active maintainers. Set up branch protections, require approvals, etc. There are a lot more tools in the toolbox other than "remove all of the maintainers".
Breaking down the posted article, there’s a lot missing (which the author admits), and it’s not clear really what the goal of the post was other than to say “someone, not me, made an oops. But it’s fine, right, because the community needed this to happen.”
Parts that were particularly odd, that others have said with better words:
- Who imposed this ultimatum on RC? - How long was the timeline to “tighten things up”? It sounds like there was both a decent amount of time and an immediate urgency - it can’t be both. - “We’re nerds who can’t communicate well” (paraphrased) is such a poor argument - I get it, I’ve had to do a lot of work to figure out how to navigate social spaces and how to communicate effectively in professional settings. That said, the author is writing as if they’ve never had a single conversation with a technical person that they didn’t know well; that any conversation about removing or reducing access would be a catastrophe. That’s ridiculous.
It seems that either there was poor planning around this, or someone forgot about the deadline and YOLO’d it, or there was a malicious push to oust some of the biggest contributors under the guise of security.
One thing is clear, regardless of what the root cause of this all was: RC showed a deep lack of respect for the people that make their community what it is, and that stinks.