sebiw OP
I think this is the right move. Thank you to Ruby Core and Matz for stepping up and providing stability to the language and community as a whole.
delichon
Matz is a pillar. Remember "Matz is nice and so we are nice"? s/nice/nice and responsible/gc.
sam_lowry_
Ruby community has always been quite toxic, though.

Remember why the lucky stiff?

The last spat between pro-Israel anti-immigration gang vs the cancel culture gang that resulted in Matz taking over contended code is a perfect illustration.

runjake
why’s identity reveal had nothing to do with the Ruby community. A random bad actor posted his personal details in a blog post.

The Ruby community respected his pseudonymity. Some of us already knew his name.

sebiw OP
I don't like talking about a heterogeneous group of people in a generally negative way. I try to stick to the people I perceive as sharing the same values that are important to me. And there are many such people in the Ruby community.
ryandv
> I don't like talking about a heterogeneous group of people

> many such people in the Ruby community.

In which case, this presumes that the values you share with the Ruby community are positive - otherwise you would be talking about this heterogeneous group in a generally negative way.

This would appear to beg the very question under contention - that the values of the Ruby community are not in fact positive, but toxic; unless you wish to argue that a community can simultaneously profess positive values and still exhibit toxic behaviour.

One position offers historical (and current) examples; the other offers an impressive feat of linguistic gymnastics.

the_mitsuhiko
> Remember why the lucky stiff?

I remember _why and I definitely don't remember him as toxic.

sam_lowry_
Wasn't his identity revealed while he wanted to remain anonymous?
davidgerard
the one from Bluesky with the public real name? That one's literally a vibecamp neoreactionary, so ...
the_mitsuhiko
_why isn't publicly active since his disappearance.
dudeinjapan
Surprised to hear this, have been a Rubyist for many years and never felt this way about community as a whole. Come to Ruby Kaigi in Japan sometime!
binary132 (dead)
I think that viewpoint says more about you than it does the Ruby community.
nurettin (dead)
shevy-java
Is that a religion now?

The pickaxe guys coined it. People repeat it without thinking about it.

If matz were to say "jump from the bridge", people would do it, because matz is nice?

Just to point out: I do think matz is nice and a great language designer. That in itself doesn't mean anything. Why would I proxy my own decisions based on any mindless slogan? That makes no sense. Why do people in the ruby ecosystem keep on repeating those pointless slogans?

ubercore
I think it's pretty obvious to see the difference between being nice and jumping off a bridge? Curious why this cute phrase bothers you so much.
vidugavia
The phrase has been weaponized in the past many times. Some figures in the community are almost as far from "nice" as possible, but you're not allowed to call that out, because "it's not nice".
kamranjon
Is being nice equivalent to jumping off a bridge? I think it's relatively simple to comprehend and also harmless. The guy who built this thing is nice, let's try to continue that tradition so that our community doesn't turn to shit.
squeaky-clean
> Why would I proxy my own decisions based on any mindless slogan?

Exactly, why would you? But ignoring a hypothetical communal bridge jumping situation, do you have a problem with Matz having stewardship over RubyGems? Use your own thinking. If you're okay with it, then... is it because Matz is nice?

matheusmoreira
It's a reminder to us all.

I don't think I've ever seen Matz be rude to anyone on the Ruby bug tracker. I've actually witnessed him deal with controversial topics firmly yet gracefully, making decisions that avoid turmoil in the community and that leave no room for escalation into flamewars. Other projects weren't so lucky.

I wrote some Ruby in my teenage years and his conduct certainly made an impression on me. I try to remember this guy whenever I get too angry about stuff. We should all try to be more like him.

That's what the phrase is saying, by the way. It's an encouragement to follow in his footsteps.

sam0x17
It affirms that being nice is a role model / thing we want to do in the Ruby community
dudeinjapan
Matz wouldn’t say jump from a bridge because he is nice.
delichon
I know what you mean about mindless aspirational slogans. "No child left behind" is logically the same as "no child gets ahead". But trying to convince the Ruby community to be nice, by the example of their founder, isn't in that category. And if Matz told me to jump off of a bridge, he has enough stored up credibility that I'd at least consider it.
cortesoft
Not necessarily. Your logic only holds if you assume the "behind" refers to other children.

The statement is ambiguous. I interpret it as "no child left behind THE STANDARD FOR THEIR AGE". In that interpretation, other kids being ahead of that standard doesn't mean the other kids have to be behind the standard. Every kid could be not "left behind" the standard even if some are ahead of the standard.

Of course, NCLB has a lot of other issues, but I think the name isn't the issue.

> "No child left behind" is logically the same as "no child gets ahead"

If by both statements you mean "all children must be in exactly the same position", yes ... but that's a wilfully obtuse interpretation.

mcphage
> If matz were to say "jump from the bridge", people would do it, because matz is nice?

As always, there's a relevant xkcd: https://xkcd.com/1170/

...but seriously, what on earth do you think you're saying here?

dluan
In the long run, having multiple sources like gem.coop is probably a safer and more robust solution. But for RubyGems specifically, the trust was fully lost, through several layers - maintainers, community members, sponsors, etc. There's still open questions that probably need to be resolved like the funding and data privacy stuff, but I think most folks in ruby land will be supportive of this.
Any summary of what exactly unfolded please (if you don't mind)? Sorry, haven't been following the Ruby news for some time.
shadowgovt
The broad-strokes story is:

* DHH said some things on his blog that some people believe to be deeply racist / fascist (not going to unpack whether they were or not because answering that question is irrelevant to the fact pattern; consult other threads for that debate).

* A Ruby conference run by Ruby Central was asked to deplatform him. Since he's the creator of Rails, they declined.

* In response to their decision, a major sponsor (Sidekiq) pulled out of supporting the conference and Ruby Central in general, to the tune of $250k a year.

* This created a "blood in the water" situation where Shopify hit Ruby Central with an ultimatum: they would back-fill the lost sponsorship for oversight control of Ruby Central (and the gem repository they maintain, rubygems.org). And if Ruby Central didn't take the deal, Shopify was going to pull their funding also, leaving them in dire straits (this, BTW, is a fairly common corporate tactic when multiple partners share support of a service that doesn't independently generate revenue. Look for it in your own business, startup company, and nonprofit dealings!).

* Shopify now de-facto controls rubygems.org and people immediately started backing towards the exits because corporate takeover tends to be a harbinger of enshittification. As if to prove the point, Shopify's folks immediately ham-fisted the access controls, yanking several gem creators from the admin roles of the gems they created. They claim this was a mistake; several in the community do not want to give them a benefit of the doubt they are not believed to have earned.

* Community members are standing up gem.coop as an alternative gem repository.

ameliaquining
This is missing an important part of the story that makes the Ruby Central side look relatively better, which is that one of the existing maintainers offered to help fill the funding gap in exchange for being allowed to monetize the server logs. https://rubycentral.org/news/rubygems-org-aws-root-access-ev...
saghm
Your addition also misses an important part where the only reason he was able to do that was because the servers were forcibly taken from the previous owners for the ostensible purpose of security, but the new regime forgot to change the passwords as part of that.

At this point, it's probable that any attempt to just list the pertinent events isn't going to end up being as neutral as one might hope because even the choice of what context to include or exclude is itself editorial. This is the same lesson people might learn in a high school history class, just applied to something much more recent.

majkinetor
How do you monetize the server logs ?
brigandish
That puts the gem.coop repo in a new light.
bgwalter
That "Executive Director" (whose salary is probably safe throughout all controversies!) does not sound very credible compared to:

https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

I'm only going by the corporate narrative structure of the director's post, who clearly wants to throw someone under the bus and cover up organizational incompetence. "Open" source has become so despicable.

kragen
But Ruby Core is not the same thing as Ruby Central, apparently? This blog post says, "To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community." What, if anything, is the relationship between Ruby Core and gem.coop?
ameliaquining
There is none. gem.coop is run by people who were previously involved with RubyGems and Bundler before they were ousted or resigned; AFAIK none of those people are part of Ruby Core.
kragen
Thank you for explaining!
mindcrash
If only the drama stopped there:

* DHH is not only considered racist / fascist due to some blog posts, but also for making Hyprland the default DE in Omarchy, developed by someone who goes by the name Vaxry Vaxerski, who is also considered fascist and racist, and thus banned from contributing to freedesktop projects due to supposed breach of CoC:

https://blog.vaxry.net/articles/2024-fdo-and-redhat

* Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals, DHH's company, due to it being an important part of Omarchy.

https://account.hypr.land/sponsors

* Due to the fact that both DHH and Vaxry are both considered fascist / racist, Framework and its CEO (yes, that Framework) are now considered to be supporters of fascism, because Framework is sponsoring and supporting both Omarchy and Hyprland.

https://account.hypr.land/sponsors

* Cloudflare (yes, that Cloudflare) is considered to support fascism because they support Omarchy and the Ladybird webbrowser (which is a project also run by someone considered to be a fascist)

https://blog.cloudflare.com/supporting-the-future-of-the-ope...

* Last but not least, Tobi (Shopify CEO) and thus Shopify are also considered by many to be supporters of fascism when this drama started to unroll for standing by DHH no matter what when activists wanted to deplatform and ban DHH from his own creation (Ruby on Rails). Which makes the Ruby Central drama due to the involvement of Shopify even more interesting:

https://xcancel.com/tobi/status/1970944464303923687

Me? I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.

> I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.

The internet was never nice. It did, however, at one time require technical savvy to use. With that savvy came the understanding that computers and people aren't the same thing, so when the computer emitted something not nice you'd have laughed at how quaint the technology was instead of getting your emotions all tied up in a knot and trying to hold a person accountable, like those who have no idea about what's going on around them do.

philipallstar
> Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals

This methodology is definitely not how you discover fascism. But it is how fascists and communists defined and traced their enemies in the 20th century.

preisschild
I know vaxry made/allowed childish & offensive comments about trans folks, but has this gotten worse? Why is he considered a full on fascist now?

> Ladybird webbrowser (which is a project also run by someone considered to be a fascist)

Do you mean awesomekling? Why is he considered a fascist?

There are definitely actual fascists in tech (like Curtis Yarvin) which I (centrist liberal, not a tankie) fully support deplatforming where possible, but why are they considered fascists?

queenkjuul
Oh people were getting cancelled in the 90s and 00s
kbelder
"Everyone is a fascist except me and thee, and I'm not sure about thee."
shevy-java
This is not 100% correct though; I mean, your summary is good, don't get me wrong so I upvoted it. But it conflates a few issues that are not 100% related.

For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers. There may be some connection (DHH on shopify's board, tons of ruby developers being paid by shopify and still writing "my opinion is totally unbiased" like byroot did), but there is no 1:1 overlap. For instance, I could not care what DHH writes on his blog any less. rubygems.org changing policies though - that affects me. And if shopify is in part responsible, and DHH sits on shopify and makes decisions, then yes, something changed here. But there are also people who have a vendetta against DHH and they leak into other spaces too. I am not among those people and they shouldn't try to hijack other communities either.

By the way, the Shopify ultimatum also does not explain why all other ruby devs were ousted. Ruby Central lost the narrative here. And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so? (Because they know their case would be rubbish nonsense and they would have to open up ALL emails, which may make many more people suddenly ... very funky.)

nozzlegear
> And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so?

As someone who has sued someone else and won, it can take months for your legal team to gather the facts, decide on strategy, and then file suit.

thayne
> For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers.

It's related because it led to Sidekiq dropping their funding, which increased shopify's power over ruby central.

skywhopper
It’s related because from the outside it looks like DHH is pulling strings to spitefully oust the folks who brought up concerns about his radical, hateful views. So you may not care what he has to say, but if he uses his influence to exclude folks who do care, and it causes you a problem, maybe it is related after all.
Thanks, that was a superb summary! Appreciate it.
runjake
It's news to me that the RubyCentral event had anything to do with DHH at least directly.

You are alleging that Shopify was retaliating. Do you have any reliable context that Shopify was acting in a retaliatory manner?

overfeed
I'm sure it's a total coincidence that Shopify (on whose board DHH sits) coincidentally became an active participant on toppling the maintainers soon after they criticized DHH.

Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of DHH, or in a misguided attempt to defend his honor.

shadowgovt
I don't have any signal one way or the other on whether Shopify retaliated; the fact DHH is on their board I learned from this thread.

I have seen the "soft-hostile takeover" executed in other contexts, however. I don't think it's necessary to presume DHH used his influence as a Shopify board member to seal the deal or that he would have ulterior motive in doing so; in my experience, it's sufficient for a company to see a valuable piece of a puzzle they care about go vulnerable to acquisition offers to make the offer (with the corresponding stick). I'm willing to be convinced otherwise in either direction if more information presents itself; all I know is that Shopify put the offer on the table "We'll back-fill your funding gap or we'll make it much worse; your call." And I've seen that offer made in a completely capitalism-red-in-tooth-and-claw "business is business" way in the past.

pabs3
> having multiple sources like gem.coop is probably a safer and more robust solution

I prefer the Go solution where the package manager uses the git repos instead of a separate package index that might or might not correspond to the git repos.

downrightmike
I can't believe that long-gone maintainers still had root access, or any access at all, to the core platform. It has been wild to see Ruby community members getting upset with modern and established security norms, for a platform that runs a lot of the web. It's not 2006 anymore, and we aren't just running random curl commands off the net to get Rails installed. Scary to think how naive the backlash has been. Having an unmaintained security posture that is inherently insecure just blows my mind. That supply chain was wide open to attacks, may still be, but at least someone tried to bring security up to this decade.
sussmannbaka
Trying and doing aren’t the same thing. I’ll take competent community members over incompetent leadership any day of the week. And I am right to think so, seeing how they entirely bungled even kicking out the people they wanted kicked out. They literally had their first security incident at second zero of their attempt to “bring security up to this decade”.
shevy-java
Agreed.

I think we have to wait and see how much momentum gem.coop can build. Right now they have promised "things for the future"; they will most likely also deliver eventually. But right now they are not there.

If and when they open beta, though, I'll begin to republish my old gems (not all, some I merged into other gems but most of the core stuff will be back) there. They have some things they should improve on though - documentation (also a problem that ruby doc was separate by the way), namespacing (this is in part also a problem that ruby had no primary way of namespacing; this is also a feature, but it should have a way to separate concerns when possible or wanted).

Anyway, I think we'll soon see what happens - I say people should evaluate again in about half a year or so, say like ... end of May 2026. I think this would be a more realistic time frame.

I do, however, also suspect that DHH may become the biggest asset to gem.coop - every further snide remark he makes on his blog will gain new people who are upset, and some of those will eventually help contribute and benefit gem.coop. So for the end user this may be a win-win situation since they can install things how they like it, thus having more flexibility. Many can and will stay with rubygems.org, others may prefer gem.coop, many others will probably use and combine both (this may be a bit more difficult; guess gem.coop needs to think of a way to specify different gem sources on a per-gem basis too. Lots of work to be had for certain).

busterarm
Even if you're not an old-timer and don't remember what Ruby Together was like, the AWS root password changing shenanigans, presumably done by Arko, are enough of a red flag that nothing he's associated with has any credibility.

No serious business with real (business) customers will accept that kind of risk and gem.coop will never be a thing outside of hobbyists.

dluan
Read his account of it (https://andre.arko.net/2025/10/09/the-rubygems-security-inci...) and you might change your mind (again).
hitekker
I agree with busterarm's take. Andre Arko's story omits specific concerns like ssh'ing into Rubygems in Japan 9 days after the debacle. Further, his narrative excludes his termination email and instead focuses on generic platitudes his boss sent the group, to somehow prove Andre didn't know he was fired.

All in all, I don't see sound judgement from Andre Arko or from RubyCentral. That seems the common takeaway from neutral third parties https://archive.md/SEzoV

> Regarding Arko’s blog post about his removal, McQuaid [Homebrew Maintainer] told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”

busterarm
No, it won't because I can read the timelines and see what he's omitting.

He logged in and changed the password after the board emailed him and told him his services were terminated. That includes/specifically mentions his on-call services. His response claims only silence from the board and that he was just performing his on-call duties.

I've been a corporate stooge for 25 years or so now. On call duties are one of my main responsibilities. I would NEVER probe out which logins I still have access to after receiving notice of termination. He admits to doing this in multiple places.

All his justifications are that he was under contract to do work that he was already notified was terminated. Everything that follows either tells me that he has bad judgment, that he's lying (by omissions), or in the worst case totally delusional.

If he was so worried about operational takeover, why did he _change a password_ without notifying anyone else with operational capabilities that he was doing so? Nobody reasonable would _ever_ do that. There's a certain amount of upfront communication and CYA required of reasonable actors in this space and he doesn't have it (Not that Ruby Central did any better).

So no, I won't be changing my mind, and I don't know why you put "(again)" in there.

jaredcwhite
Oh I can assure you, it will be a thing.
lyu07282
This is just the tooling though, not "rubygems.org" which is still owned by a hostile entity (depending on where you sit on this), so not sure how this would restore any trust?
rich_kilmer
As a co-author of RubyGems and one of the original Board members of Ruby Central, they are not a hostile entity. They are the entity that we gave stewardship of RubyGems and we/they have hosted it for its entire existence.
shevy-java
I disagree. The actions are orthogonal to your claim - they eliminated everyone else from there. How is that not hostile? Duckinator has been 100% right here.

> we gave stewardship of RubyGems

I didn't sign anything.

I also remember the original creators of rubygems. How old is Ruby Central? 10 years? 15 years? There were several years before that.

rich_kilmer
Ruby Central started in 2001. I was one of the early Board members, along with Chad Fowler and David Alan Black. We put on every Ruby conference until Ruby became more popular to support multiple conferences. We started coding RubyGems (although the name originated in 2001 at the first RubyConf in Florida) in 2003 at the RubyConf in Austin TX. We sat around a table the first night with a CVS repo on a USB drive and passed it around and committed code until we had a functioning gem command. I demoed it in my talk the next day with the first "gem install". Gem versioning, gemspec, gem command, gem server were all built that first night. Obviously tons of changes since then!
lyu07282
It goes without saying that Ruby Central doesn't think Ruby Central has ever lost any trust to begin with.
monooso
I don't have a dog in this fight, but the discussion is about the phrase "hostile entity", not about a loss of trust.
lyu07282
That really doesn't matter. I think what happened could be described as "hostility" towards the community, that's what my impression was, it was appearing like a hostile takeover of the github repositories/organization with no discussion, no community involvement, no transparency. Obviously not everybody will agree especially not people working at Ruby Central.
dismalaf
Hostile entity? The entity that has literally hosted them for their entire existence?
kragen
Apparently so. That shouldn't be a surprise; Amazon Web Services turned out to be hostile to WikiLeaks, CDDB's hosting turned out to be hostile to the community that built CDDB, coal mining company towns were hostile to miners' unions, and, in the final analysis, turkey farmers are hostile to the turkeys.
florkbork
Imagine if you opened up your laptop to discover Microsoft Windows has locked you out of your entire machine, because you were writing a novel in RTF and it could be opened in Microsoft Word. Microsoft's executives started posting they "took control of your machine/the novel to maintain security".

- Corporate entity doesn't have copyright over your creative output. Just because word can open and view ("run") your novel does not give them ownership.

- Locking your access completely on your resources would be akin to a ransomware attack or account compromise

Would you label those actions hostile? Or just accept it as right because "maintain security"?

If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?

dismalaf
This is a bad analogy. André Arko was a contractor employed by Ruby Central. His employer terminated his contract. He continued to access their server which is literally a crime.

The "maintainers" weren't volunteers. They were paid employees.

Also none of the ones complaining were the original authors of gem nor bundler.

florkbork
Alright, let's extend it.

You work for Microsoft as an independent contractor, as a night watchman/groundskeeper. So do a number of others. You were hired because you and your crew of weirdos were writing the story of advanced gardening and building maintenance, which people, including those at many famous and powerful companies, used and found useful. A number of years ago someone said "huh, maybe these guys should get funding", and a few others agreed; and Microsoft ends up in charge of distributing that funding.

The above still happens. They have locked your computer with a ransomware message that says "we will give you back access if you get rid of one of you". To lock your computer, which is airgapped, it would require someone with admin privileges to your computer to walk in and manually do this. It turns out one of your colleagues has done this, added an account for the Director of Night Maintenance at Microsoft to your machine.

You and almost all of the "paid employees", again, a number of whom are independent contractors, resign in protest; leaving only the person who tampered with your computer.

https://bsky.app/profile/duckinator.bsky.social/post/3lz6exz...

> The behavior Ruby Central exhibited was so egregious that I sincerely thought someone's account had been compromised at one point

During this chaos; which all happened between September 9 and September 18;

- at midday LA time/2:40pm New York time; Microsoft terminates the contract with one specific individual; who was the one they demanded the group gets rid of if they wanted access back - 8 hours later, that person locks the doors; changes nothing else, etc.

Some basic analysis about the situation you need to do:

- Did the actions on September 19th, even if you believe it was a crime of the most serious nature, justify the actions on Sept 9-18 where Microsoft took access, said whoopsie, then did it again?

- Treating the Sept 19 actions as a crime; did the person who did it do so with a criminal intent? (Mens rea). Did they intend harm? Or were they indifferent to the harm caused? Should this be prosecuted, has that person provided justification or similar that could in any way be reasonable doubt?

- If the actions on September 19 are a crime in your viewpoint; would paying/influencing someone to lock the accounts of all of the maintainers also be a crime? Why or why not?

Note that you'll want to read https://www.law.cornell.edu/uscode/text/18/1030

First off, was anything involved a "protected computer"? No, probably not, not by the legal definition there; yes by what we as laypeople would assume.

But, let's roll with the assumption it's "literally a crime" and not a civil matter; but apply that standard equally.

> (4)knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

* Is the draft novel/rubygems source code a thing of value? Yes. $5000 worth? Tricky to say with the open source licencing! But RC were distributing $ to maintain it; and that cost them more than $5000/year. Cost does not equal value; but I think we can argue yes, kinda here.

> (7)with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—

* Did anyone attempt to extort anyone else to remove a person? (Get rid of x if you want access back!) * Did that have value? (Gee, I hope the treasurer didn't post, it was about the funding deadlines/only to have that walked back!) Also a bit murky as the value isn't coming from the extortion directly, only indirectly.

> (b)Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

* Did anyone conspire? (Two or more people agree to criminal act, followed by an overt act)

Can you plausibly see how if you try to apply US law to argue one individual on one side is a criminal; that same law would likely make the other side just as criminal; if not more so?

---

> none of the ones complaining were the original authors of gem nor bundler.

Doesn't hold water.

From the individual: https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...

"I joined the team at a pivotal moment, in February 2010, as the 0.9 prototype was starting to be re-written yet another time into the shape that would finally be released as 1.0. By the time Carl, Yehuda, and I released version 1.0 together in August 2010, we had fully established the structure and commands that Bundler 2.7.2 still uses today."

IE: Claims to be a significant contributor, predating any "stewardship" by RubyCentral. I would argue this can be borne out by contributions and the fact he proposed the darned merger with RC in the first place; and that merger assigns no intellectual property rights or similar.

queenkjuul
The entity that just fired all the people who maintained it
charcircuit
>multiple sources is safer

It triples the attack surface, making it more vulnerable to having security vulnerabilities.

byroot
For context, also check out their previous statement from September 19, which also "reflects our shared commitment to the long-term stability and growth of the Ruby ecosystem" [sic]: https://rubycentral.org/news/strengthening-the-stewardship-o...
saghm
> As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems.

It took less than two weeks from this statement for them to put out an incident report from them forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.

jrochkind1
Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.

The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.

But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.

Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...

the_hangman
Genuine question: how do you take something which you have already been paying for?

They removed other maintainers' access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that; it was extremely childish behaviour.

> They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager

Inaccurate:

> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.

> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.

shevy-java
They keep on using buzzwords. These Ruby Central guys never maintained a single gem used by many people in their life. I have no idea what they are writing, but it feels as if AI is writing their statements. Even then it is of such a poor, repetitive quality that even AI may just accidentally write better "summaries". People lost all trust in Ruby Central - there is no way for them to win back trust here.

IMO it would be better to start from a clean slate; dissolve Ruby Central and bring back the community with a new policy, rules - but that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").

the_hangman
AFAIK many of the people who were on board to help start gem.coop have stepped back after the recent controversies with Andre Arko; at this point I don't think it will ever be anything more than a RubyGems mirror.
florkbork
I sincerely doubt this without a source
white-moss
Really appreciate Matz stepping up to take on this difficult situation. As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
shevy-java
Stepping up how? It was always clear that Hiroshi Shibata didn't act solo without approval. I am not saying he knew the outcome before that, but WHEN was the decision made to take over gems + bundler? I have a slight suspicion that this may have been decided upon months ago already.

> As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.

I am actually much more worried now. I don't live in the USA; I don't live in Japan. To me it seems as if Japan and the USA are totally over-dominating in the Ruby ecosystem. While it is understandable that it is Japan (local community, I get it, this is different to English-speaking ones), I am absolutely upset that the USA has so much proxy-influence here. But I guess there is nothing that can be done. I guess in Python the USA also over-dominates. I just think this sucks really.

xg19837
Yes. At least Ruby was always strongly Japanese though. In Python European and Asian developers are overtly exploited, with U.S. corporations and their employed stooges holding the reins of power.

I'm considering switching to Erlang, which was developed at a corporation from the start and appears to be drama and cancel free.

Or Europeans choose to work for US corporations. What am I missing? I know Europeans who only want to work for American companies.
JoshTriplett
American salaries are typically wildly higher, both on the low end and on the high end. It's often remote work. There are more jobs and more variety of jobs, on an absolute scale, than any particular locality. There may be more of a job ladder, and less stigma to wanting to climb it. There are some other cultural aspects as well.

I would love to see such options become available in Europe (insofar as additional options existing, not taking away the ones that already exist). But that would require some extremely successful European companies working to change it.

My comment was unclear. I am American. I think I am familiar with these differences. You seem to agree with me that in light of these aspects, referring then to American company employees as stooges is exaggerated. Regarding Asia of course it's a different topic, and I am unfamiliar with it. Obviously some American companies are bad but I just question the comment I responded to, that's all. And I don't understand "stigma to climbing it." Depending on the country, of course, but I didn't think there was stigma. Europeans compete for prestige like the rest of us. Don't they? Some do, some don't, of course.
busterarm
Different money and different attitudes. Trying to get paid more than your peers if you're appropriately skilled isn't social kryptonite here in the states.
linhns
Ericsson is drama free?
dudeinjapan
Shopify is pretty much dominating the Ruby ecosystem. It’s Canadian tho :)
dismalaf
> I am actually much more worried now

Why? Japanese culture is more conservative, less prone to knee jerk decisions, and Ruby is their biggest home grown programming language.

I'm also not American nor Japanese and I think this is the best possible outcome.

More people live in the US. What is overdominating Python?
pebble
Better Ruby core than Ruby Central but still leaves me wondering what the hell happened and slightly sours me on the whole ecosystem.
zer00eyz
I spend most of my time writing Go (among other languages).

Candidly, its decentralized nature when it comes to "packages" is one of its strengths. It does have downsides, and yes, GitHub could be at issue at some point.

After this, after NPM compromises (left-pad and more recently the supply chain attacks), why we aren't seeing more community-driven changes around decentralization and vendoring is beyond me.

joshmn
This is the only outcome that anyone who touches ruby cannot be upset with.
MatthiasPortzel
This is only a win for Ruby Central. They haven't conceded anything and they've convinced Ruby Core to endorse them as the correct and true maintainers of RubyGems.

> While repository ownership has moved, Ruby Central will continue to share management and governance responsibilities for RubyGems and Bundler in close collaboration with the Ruby core team.

Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.

=> https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...

So Ruby Central transfers "ownership" of Bundler to Ruby Core. Ruby Central gets to continue to maintain Bundler, and Ruby Core is stuck with the liability. If Andre wants to enforce his trademark, he now has to sue Japan-based Ruby Core and risk the bad optics of that.

damagednoob
>Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.

Well,

1. He's not fighting Ruby Central anymore, he'd be fighting the Ruby core team.

2. He's going to have a tough time asserting copyright on a name he didn't come up with on a project which shipped v1 before he joined.

3. If he believes the trademark belongs to the community, the right thing to do would be to transfer it to Ruby Core then, right?

ergocoder
People aren't upset because Matz hasn't chimed in on immigration laws yet.
baggy_trough
cannot?
riffraff
as a rubyist, I'd second "cannot"
joshmn
my coffee hadn't hit—that was my intention, the "cannot"
gus_massa
If you go to https://www.hackerneue.com/item?id=45616729 you can fix it during a short window [2 hours?].

Add also at the bottom a short comment, so the other replies don't look wrong. Something like:

Edit: fixed can -> cannot

shevy-java
How so?

I think there are a gazillion questions left. But I also agree that the future will tell, e.g. we'll have to see how popular gem.coop will become (if they become popular). And I also, despite my disagreements, think that it may have been better to solve installations of Ruby projects from the get-go, e.g. Rust + cargo. But I also see this as separate from a service such as rubygems.org (or whoever provides any infrastructure). The question of who develops functionality can be separate; I have no strong preference here. And I also agree that having both bin/gem and bin/bundle is not good. There should be a unified API (or two - a simple one maintained by Ruby core, and then people can build extra functionality into their own variants).

Sadly this all also may end up like this:

https://xkcd.com/927/

What I liked about bin/gem was its simplicity. Bundler brought a few new things or easier things to the table. "gem" should make it much easier to use any source though, including gem.coop.

kayodelycaon
It's pretty easy to change the sources for ruby gems using "gem sources" or ~/.gemrc. I'm not sure how that could be improved.
mring33621
NGL, the drama is entertaining.

I'm sorry for Ruby people that are negatively impacted, tho.

Lastly, Matz is the best!

mring33621
So this whole thing stems from a dislike of DHH?

It also seems like rubygems.org could simply fork the rubygems code, perform whatever 'security and governance' changes they believed were needed in their fork, and run with that?

Isn't that the open source way of handling disagreements in direction?

bl4kers
> So this whole thing stems from a dislike of DHH?

Not really. Shopify threatened to pull funding for them which set the whole thing in motion

tomnipotent
Which only had weight because Sidekiq pulled funding because Ruby Central wouldn't deplatform DHH.
blasphemers
Isn't rubygems distributed as part of Ruby
Mystery-Machine
It seems like it stems from dislike of André
saghm
As best I've been able to understand it, a dislike of DHH led to the opportunity for those with a dislike of André to do all the stuff under discussion. I doubt we'll ever know the whole story, but in the absence of any of the additional context that some people claim exists (but haven't made public), this seems to be the most coherent explanation for what happened.
florkbork
No, no, no, this isn't the open source way at all! I can't believe you aren't getting it still!

Because I once installed your project, I need to:

- Take over all of the accounts/access you AND all of your friends/co-maintainers used in connection with it

- Tell you it was a mistake, give back access temporarily

- Do it again!

- Have one of my board members who happens to be the treasurer say it was about the $

- Make a straight to camera YouTube post Addressing The Concerns

- Make a first "continuing our series of transparency" blog post a week later, where I use a dense corporate laden dialect to claim it was for the betterment of all mankind and definitely not about the $; because I need you to understand Where We Are Now; What This Is and What This Isn't.

- Open a Google forms question submission box.

- Smear your reputation, because you had an idea once about tracking which packages go to which companies; so I'll insinuate that you want to read everyone's mail and snoop through their undergarments drawer. What's that? My actions affected much more than just you? Quiet now, we're reshaping the narrative to smear you.

- Answer no questions, explaining that we chose to give you a regular series of Friday updates; but also We Want to Move On from the back and forth but also in that same publication have another go at the smear, because it partially worked.

- Donate the project to my state library, to take some of the heat off of me

Isn't that so much easier than typing "git clone" and "git remote add"?

(I am consistently flummoxed that a handful of people here are buying this narrative; instead of, as you point out... just applying a smidgen of critical analysis about the usage of tools that the majority of us must use day to day and coming to the conclusion you do. Instead of doing this or accepting this conclusion, there's a frothy passion it seems for Appeal to Authority/Argument from Authority where any excuse, flaw, etc. on the part of the maintainers is used to justify the whole chain of events.

It seems like it hits 5-7 facts and people can no longer manage them in short term memory, go and look at more than what is presented to them by a single party, etc; so they just default to the easiest mental shortcut.

For some reason I keep falling into the trap that "people are more educated, capable of critical thinking, and have easier access to data than ever before in history"; which I rationally know is not true)

mcphage
> So this whole thing stems from a dislike of DHH?

I don't believe this has anything to do with DHH.

codesnik
I waited for this as the more or less easiest option to regain back some trust. Benevolent leaders still keep many communities together.
AnonHP
Since Ruby Central is still very much involved, does (or would) this have any impact on the people who left recently (like Ellen Dash/duckinator)?
riffraff
seems to me they can happily go back to contributing to the tools, and at the same time ignore the fact that rubygems.org exists, by running gem.coop or whatever else.
florkbork
Do the former maintainers have full commit access? Remember, this is what was taken in the middle of a discussion about governance.

https://github.com/rubygems/rfcs/pull/61

james_marks
Matz' action and tone in the announcement is impeccable. Humbling reminder of what greatness looks like.
jcmfernandes
By not addressing HOW the project ended up in RC's hands, Matz is effectively whitewashing the move.
florkbork
Right?

Why is there (seemingly) no public offer to former maintainers to rejoin, or acknowledgement of wrongdoing having been done as part of this? It's practically zero cost to do that; as the Ruby core team is (largely) not the party that inflicted harm.

Politeness? Conspiracy to have done this all along? Cultural differences around public vs private opinions? Something else?

What would we think if this wasn't a software project but a hijacked community bus, being passed from party to party, pretending nothing is untoward about the whole situation while the passengers are still aboard? "Oh good, the new bus drivers are politely accepting the keys from the hijackers; all is well!"?

Edit: https://www.reddit.com/r/ruby/comments/1o8zz3e/comment/njywb... No discussion with maintainers

dash2
When I see opinions like this, I run, not walk, away from the community in question.
jcmfernandes
Loved the... argument?
busterarm
Unless there is some yet-unnamed party with enough credibility and enough money to do a proper takeover from Ruby Central, this was always the inevitable way forward.

In my 17ish-year involvement with Ruby, I can't think of one.

jcmfernandes
I don't understand why the move wasn't undone. This is essentially kicking the can down the road.
by thanking Ruby Central who is the aggressor but not thanking the maintainers for their decade plus of work?
krmbzds
Does that mean RubyCentral or anyone associated with them no longer has admin access to the RubyGems GitHub organization? Watching the debacle unfold made me much less trusting of their "stewardship".

It's good to hear the Ruby core team took ownership. Thank you Matz.

gardnr
Can anyone please explain this in simple terms for a relative outsider?
See this thread for context: https://www.hackerneue.com/item?id=45299170#45300774

See especially Mike McQuaid's summaries. He did a bunch of mediation and comms work to make the situation digestible to outsiders. Check his recent posts (at time of writing) on https://bsky.app/profile/mikemcquaid.com

shevy-java
Yeah. I think everyone on all sides praises Mike for his effort. Cool guy.
joshmn
Changed hands a couple times with “unclear” transition details at best. How it came about wasn’t all that transparent.

Tensions within the community were heightened because its loudest voice and most recognizable figurehead has opinions that aren’t all that popular and he made them loud and clear as he’s a loud thinker.

jrochkind1
probably nobody can, no. Other than: a shitshow.
binary132
Decentralized package hosting is the only way.
ivan_gammel
The key question here is how exactly the supply chain attacks will be prevented. If you consider the release of a new version of a library some sort of transaction, it's easy to see the difference from cryptocurrencies: in crypto a transaction can be automatically verified, but with software releases it is impossible. It is hard to imagine hundreds of hostings on the same very high trust level, so either risks become significant or there are several, but not many, hostings which everyone can trust. If Number of hostings << Number of users, then it's not truly decentralized and there still exists a different risk, when there's some sort of political split between some of them. Summarizing all of that, I don't know if decentralization is a solution at all. Transparent community ownership over a centralized solution is much better.
shevy-java
The supply chain attack is not the only argument here, though.

For instance, who effectively controls the ruby ecosystem? See ad-hoc restrictions such as 100.000 downloads - past that point you are disowned from your own gem. I always felt that was a direct attack on independent developers. They could have forked those gems just fine (the licence permits this for most gems after all), but nope, they forbid you to remove your own (!!!) code.

ivan_gammel
Decentralization is not the answer to that though.
pabs3
They could start with reproducible builds from the source git repos.

https://reproducible-builds.org/

lelanthran
> The key question here is how exactly the supply chain attacks will be prevented

By using signed packages. Why is this even a question.

ivan_gammel
If it’s PKI and there’s verification on each stage, maybe. Just different sort of centralization. If keys are self-issued, it’s still a problem. Say, you add a new dependency from a repository XXX. A new version is released signed by another key, which appears to be legitimate. What are you going to do? Run full KYC on new credentials? Distrust the new dependency version and fork the library? Just ignore assuming that repo has verified it?

With a central repo you may expect that they operate under increasingly stronger security standards, and even if you missed a malicious update, there's a higher chance that it was taken down by someone else. In a decentralized environment your risks are higher and the attention surface bigger.

binary132
Whence this idea that Web of Trust is an unsolved useless design that requires central certificate authorities?

The fact is that even the "canonical" CAs can't be automatically trusted, but here we are. CA is just one shitty implementation of WoT that has been near-universally imposed on us and most people simply accept as a necessity of life, but it isn't necessarily the only way. It's just how it is right now.

westurner
Can Gems be served from OCI Container/Artifact registries, which (also) already support signatures?

From https://www.hackerneue.com/item?id=44991636 :

> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries

So, packages there too would simplify.

Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency: https://www.hackerneue.com/item?id=45354568

Nerdctl supports various snapshot, lazy start, and distributed cloud storage container stores: https://www.hackerneue.com/item?id=45270468

Ruby has:

  gem cert --build your@email.com 
  gem install gemname -P HighSecurity
And also for signatures now there's sigstore-ruby and Trusted Publishing.

sigstore-ruby: https://github.com/sigstore/sigstore-ruby

guides.rubygems.org/trusted-publishing: https://guides.rubygems.org/trusted-publishing/ :

> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]

> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.
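To make the signing discussion in the comments above concrete (lelanthran's "use signed packages", ivan_gammel's "new version signed by another key" scenario, and the `gem cert --build` / `-P HighSecurity` flow westurner lists), here is an added example in Ruby. It is not RubyGems' code and not any commenter's: it models a HighSecurity-style policy with OpenSSL directly, where a release is accepted only if its signature verifies against a certificate already present in the consumer's trust store. The e-mail address, payload strings and keys are constructed for the example.

```ruby
require "openssl"

# Added example (not RubyGems' or any commenter's code): a simplified model of
# a "HighSecurity"-style policy. A release is accepted only if its signature
# verifies against a certificate that is already in the consumer's trust store.
# Certificates and payloads below are constructed for this example.

DIGEST = "SHA256"

# Self-signed certificate, roughly what `gem cert --build` produces.
def make_key_and_cert(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  name = OpenSSL::X509::Name.parse("/CN=#{email}")
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name                      # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Trust-store entries are certificate fingerprints, so a fresh self-issued
# cert carrying the same e-mail does not match an existing entry.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Publisher side: sign the release bytes with the private key.
def sign_release(key, payload)
  key.sign(OpenSSL::Digest.new(DIGEST), payload)
end

# Consumer side: returns [accepted?, reason]. Trust is checked before the
# signature, so an unknown signer is rejected even with a valid signature.
def verify_release(trust_store, cert_pem, payload, signature)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  now  = Time.now
  return [false, "certificate not in trust store"] unless trust_store.include?(fingerprint(cert))
  return [false, "certificate outside validity window"] unless cert.not_before <= now && now <= cert.not_after
  return [false, "bad signature"] unless cert.public_key.verify(OpenSSL::Digest.new(DIGEST), signature, payload)
  [true, "ok"]
end

def demo
  maintainer_key, maintainer_cert = make_key_and_cert("maintainer@example.org")
  trust_store = [fingerprint(maintainer_cert)]   # what `gem cert --add` would fill

  v1   = "example-1.0.0.gem (constructed payload)"
  sig1 = sign_release(maintainer_key, v1)

  # A new version signed by a different, self-issued key that looks legitimate.
  other_key, other_cert = make_key_and_cert("maintainer@example.org")
  v2   = "example-1.0.1.gem (constructed payload)"
  sig2 = sign_release(other_key, v2)

  {
    genuine:  verify_release(trust_store, maintainer_cert.to_pem, v1, sig1),
    tampered: verify_release(trust_store, maintainer_cert.to_pem, v1 + "X", sig1),
    new_key:  verify_release(trust_store, other_cert.to_pem, v2, sig2),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `new_key` case is the one ivan_gammel raises: the signature itself is perfectly valid, and only the trust-store check catches that the signer changed. A policy that accepts any self-issued certificate would wave it through, which is why the trust-store step, not the signature math, is what the "who do I trust for this gem" question comes down to.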

__float
What languages do you use that have adopted this well?

I'm not counting something like C++ where there's effectively no "packages" to speak of.

zrail
Go, for some values of "distributed". The vast majority of go packages are hosted on GitHub, but nothing stops anyone from hosting elsewhere and Go has explicit support for indirection such that anyone can use a vanity domain that happens to point at GitHub or wherever.
cortesoft
Isn't this the same as ruby gems, then? You can use alternative sources in your Gemfile pretty easily.
zrail
Sort of.

Go packages have the source baked into the package name. It would be like needing to say `require "github.com/sparklemotion/nokogiri"` rather than what we do today, `require "nokogiri"` and then if you want to change the source wrapping `gem "nokogiri"` in an alternate `source` block.
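To make concrete the scoped `source` block just mentioned, and charcircuit's point further up that multiple sources widen the attack surface, here is an added example in Ruby. It is not Bundler's code: a toy evaluator that reads a Gemfile-style snippet and reports which origin each gem is pinned to, flagging gems that several global sources could serve. The internal mirror URL and gem names are constructed.

```ruby
# Added example, not Bundler's own code: a minimal model of how scoped
# `source` blocks pin each gem to one origin, and why leaving several
# global sources with unscoped gems is ambiguous (any of them could serve
# the name, which is the dependency-confusion risk).

class GemfileModel
  Decl = Struct.new(:name, :source)

  def initialize
    @global_sources = []
    @scoped = nil
    @decls = []
  end

  # `source "https://..."` at top level is global; with a block it is scoped
  # to the gems declared inside the block.
  def source(url)
    if block_given?
      prev, @scoped = @scoped, url
      yield
      @scoped = prev
    else
      @global_sources << url
    end
  end

  # `gem "name", source: "..."` pins explicitly; otherwise the enclosing
  # scoped source (if any) applies.
  def gem(name, source: nil)
    @decls << Decl.new(name, source || @scoped)
  end

  # Returns {name => origin}; origin is a URL, or :ambiguous when the gem is
  # unpinned and more than one global source could serve it.
  def resolve_origins
    @decls.to_h do |d|
      origin = d.source || (@global_sources.size == 1 ? @global_sources.first : :ambiguous)
      [d.name, origin]
    end
  end
end

def evaluate_gemfile(text)
  model = GemfileModel.new
  model.instance_eval(text)
  model.resolve_origins
end

# Constructed Gemfile snippets: two global sources versus one scoped block.
RISKY_GEMFILE = <<~RUBY
  source "https://rubygems.org"
  source "https://gems.example.internal"   # constructed internal mirror
  gem "rails"
  gem "internal-auth"
RUBY

SAFE_GEMFILE = <<~RUBY
  source "https://rubygems.org"
  gem "rails"
  source "https://gems.example.internal" do   # only these gems come from here
    gem "internal-auth"
  end
RUBY

if $PROGRAM_NAME == __FILE__
  puts "risky: #{evaluate_gemfile(RISKY_GEMFILE).inspect}"
  puts "safe:  #{evaluate_gemfile(SAFE_GEMFILE).inspect}"
end
```

In the risky snippet both gems resolve to `:ambiguous`, including `rails`, because nothing says which of the two sources is authoritative for it; the scoped form leaves exactly one origin per gem.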

binary132
This is why Go’s dependency management doesn’t really qualify as “decentralized” in my mind. A decentralized provider (IPFS?) could possibly be implemented for some packages, but most of its packages are locked into centralized hosting and URLs today. Some of them sometimes being hash-identified and cache-proxied doesn’t help the case much and IMO the centralized proxying by default actually hurts it.
shadowgovt
Go's one weakness is that the package source is baked into the package data in a not-automatically-fungible way. And if pkg.go.dev ever becomes a threat vector, we're gonna have a bad time.

dselect solved this ages ago with its mirrors, but at some point it seems every major package manager decided that was unnecessary complexity ("why bother? It's not like a package repo just goes down") and left it out when they built their alternatives.

So, from time to time, when a domain in the Internet goes sour it's a huge problem (whereas were a Debian mirror to go sour I'd add like one line to a config file and never notice the issue again, assuming dpkg doesn't automatically identify the problem and route around it).

binary132
Depending on your definition of “threat” I’d definitely consider it a threat vector already.
bananapub
go is comically un-distributed in practice:

- almost every package is hosted on GitHub and that url is baked in to consumers of those packages

- the go proxy: https://flak.tedunangst.com/post/what-the-go-proxy-has-been-...

pjmlp
Nowadays there are, as vcpkg and conan step by step win the hearts of the C and C++ communities, and then there are the distro-specific ones, if someone is happy enough with rpm/deb + pkg-config.

However I would say all ecosystems have issues, regardless of the approach, because 99% of the developers have no clue on what they depend on, and there are plenty of ways to mess up with ecosystem.

binary132
Do Linux repos not implement decentralized (perhaps “federated” is a better word here) package management?

Btw, I’m definitely not saying anything is doing this really well yet, but I do think Linux distributions are a pretty good implementation of it. I think it would be pretty difficult to stamp out Linux and Linux packages.

voxic11
Go has decentralized package hosting and it works reasonably well.

Deno does also, but I'm less clear on how well that is working out for them.

monooso
The Deno people recently released jsr.io, "a modern package registry for JavaScript and TypeScript."

I'm not familiar with the technical details, but at first glance it appears pretty centralised.

leleat
Technically, Deno supports https imports as well

https://docs.deno.com/runtime/fundamentals/modules/#https-im...

delfinom
>Go has decentralized package hosting and it works reasonably well.

All go package imports are proxied via Google.

https://drewdevault.com/2022/05/25/Google-has-been-DDoSing-s...

lcnPylGDnU4H9OF
> (you can set GOPROXY=direct to fix this)

https://drewdevault.com/2021/08/06/goproxy-breaks-go.html

Not that defaults don't matter, just offering the extra detail. And, as the post goes on to explain, this change seems to cause its own set of dependency issues.

ergocoder
Is this written by a spy from a hostile country?
binary132
Yes, I hail from the Democratic People’s Republic of GNU Plus Linux
andsmedeiros
So Ruby Central will still be running rubygems.org?
shevy-java
Sadly yes. They probably have no other choice, because what else would they do with their time? Do the unthinkable and create gems other people would use? That would be too much work.
winterqt
rubygems.org will still be operated by Ruby Central, though, so you still have to trust them. Given the state of affairs, this is less than ideal, but it’s probably a better outcome than nothing changing.
dismalaf
Ruby Central has literally ALWAYS hosted rubygems.org.
mikemcquaid
As someone who spent a bunch of time talking before and after this all went down with current and past RubyGems maintainers, RubyCentral employees, Gem.coop maintainers and Ruby Core folks: this seems like the best outcome that was actually attainable.

I've been working on Homebrew for 16 years and leading it for some proportion of that and this all "smells" like a more sustainable long-term solution than anything we've seen happen in the last year. Some proposals sounded nicer but were not going to be acceptable to one or more sides.

Ruby already provides a vendored version of RubyGems and (more recently) Bundler so this seems appropriate. It also separates the "running a web service" which has guaranteed hosting costs, requires on-call, etc. from "running an open source CLI/library" which has no guaranteed costs.

It will be interesting to see what the Gem.coop folks do now (disclaimer: I helped them with their governance process). If there's some competition for rubygems.org as a server implementation that feels like a good thing for the community overall.

Good luck to all involved on all sides.

ScotterC
Thank you for your work in this arena and trying to add clarity. As a business owner and longtime rubyist, I'm very happy Ruby Core is taking stewardship here and that maybe we can put this tempest in a teapot behind us.
notepad0x90
Other than personal preference, are there any features that make Ruby worth considering for new apps? As a user, my experience with gems hasn't been great. I don't know any Ruby, I'm just asking out of curiosity.
ufmace
Ruby by itself is still a pretty decent scripting language. I still think Rake is highly underrated as a command runner.

Rails is still a good web framework within its limits. If you want to build a small, modest complexity web app with like 1 or 2 developers and under maybe 6 months of active development, modest traffic needs, etc, it's a good way to get everything up and running fast with best-practices for everything.

The lack of types may start to pinch some once you get an order of magnitude more developer-months into the app than that. Lack of overall speed, threading issues, and memory usage may be an issue once you get a few orders of magnitude more traffic. But while you're within those limits, I think you'll get features out on it faster than any other language or framework.

As they say, a lot more startups have died due to not being able to iterate fast enough in the early stages than from their traffic capacity, hosting efficiency, and bug count once they get into serious growth.

gls2ro
> If you want to build a small, modest complexity web app with like 1 or 2 developers and under maybe 6 months of active development, modest traffic needs, etc, it's a good way to get everything up and running fast with best-practices for everything.

Of course, let's silently ignore GitHub, GitLab, Shopify and others: all small, modest complexity web apps built with Ruby on Rails. Look at Shopify's Black Friday numbers last year and come back and tell us how Ruby is fit only for modest traffic.

ufmace
I did say that those aspects of Ruby would start to be painful at that scale, not that it was totally unusable. Clearly it's usable, and there are certainly less scalable things than Ruby on Rails out there serving big production traffic today. But I wouldn't recommend switching an app that big in some other language over to Ruby, and at least as many companies have moved off of Rails monoliths when they outgrew them, like Airbnb for example.
notepad0x90
But would they still build with Ruby if they had to rewrite it today? It seems other commenters are saying they wouldn't. I wanted to see if it offered anything more than my python and Go preference.
gls2ro
Let me ask you a different question:

Would they be where they are today if they hadn't been built with Ruby at that moment?

Both these questions are hard to answer without connecting the dots, looking backward.

GitHub was started in 2007, Shopify in 2006, GitLab in 2011, Whop in 2021.

It takes a long time approximately for a company to get out of the medium zone and go really big. So the only answer for this is we don't really know.

For any programming language you can find similar stories.

I tried to answer this question 6 years ago by analysing company data from YCombinator and TechStars: https://github.com/lucianghinda/programming-languages-in-sta...

Here is some data I found back then in 2019:

- Ruby companies raised 13 Billion dollars

- Python companies raised 11 billion dollars

- Java companies raised 1.5 billion dollars

- PHP companies raised 1.4 billion dollars

- Go companies raised 1.3 billion dollars

- Node.js companies raised 800 million dollars

Of course this data is 6 years old and it was based on the initial programming language and also it is about funding amount and not revenue.

I have not had time these days to update the data there.

notepad0x90
I don't know. Do programming languages really make that big of a difference, other than with developer unhappiness and talent scarcity when hiring?

I think how many quality devs you can hire with that language is really the only question that matters 90% of the time (ballparking), so long as the language is designed for that use case, like don't use assembly to write a production webapp.

I don't know many devs that code with Ruby, I know of more devs that code in rust and Go which are newer by at least a decade? so the question of what actual benefits it has is important.

For Go, it makes it hard to mess up error handling and easy to deploy your apps since it's all a static blob, but memory footprint and optimization can be challenging at times. For Rust, it takes a long time to do things, so fast shipping timelines might not be a good fit. For Ruby, does it have anything that makes it more secure, faster to code with, resilient to failure, easier to scale, etc.? I don't think anyone answered that here.

What can it do _better_ that the other languages you listed can't or can't as well?

adamors
I’ve been writing Ruby professionally for over a decade and while the writing has been on the wall for almost the entire time, it’s more certain than ever that Ruby is on its last legs.

Big legacy companies who have invested heavily into Ruby cannot switch but every shop I’ve been at often started new services in non-Ruby (mostly Go but have seen plenty of Node/TS as well or Rust for that matter).

If I were to start a new app Ruby would be far from my first choice and the biggest reason is types. After being in the weeds of big Rails apps while also working with Go/TS/typed Python, Ruby seems very fragile in big codebases. Sorbet is also not enough.

kingnothing
I've used Ruby off and on since the hype train started with DHH's early videos showing how easily you can make a blog in Rails. Oof, that was published 20 years ago! I wouldn't use it for anything beyond simple shell scripts these days. You're better off with Go for back-end work.
poemxo
Does this potentially mean that RHEL will include more gems in their supported repos? It would be nice to script in Ruby instead of having to do everything in Python. Ruby is maybe my favorite language simply because of how it flows from left to right and how functional idioms come so naturally. But adding a gem sourced from community would be a hassle for my organization.
dismalaf
This makes sense, considering Gem and Bundler are shipped with Ruby.
shevy-java
Well - I'd actually argue that it would be better and simpler if there would be just one binary. How it is called is IMO secondary. It would be better if the whole API would be unified. Bundler came later though.
jrochkind1
I believe that has been the goal of maintainers for a couple of years now. Yeah, they had different histories where Bundler was developed as an add-on.
elliotec
This is a fascinating and seemingly unusual development that will look obvious in history.

I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!

This stuff is PHD material for sociology and polisci post-grads and I’m so interested in following the progression of history with these types of things.

shevy-java
I don't think BDFLs are a problem. Nobody questioned, say, Guido's design of Python or Matz' design of Ruby as such. The issue here is primarily about who controls the Ruby ecosystem. Interestingly Python also had a somewhat similar discussion in the past; you can see this indirectly if you look at PyPI:

https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...

See that question asked:

"Isn't supply chain security a corporate concern?"

He tries to bring arguments to invalidate that. And failed in an epic manner. Now people are more suspicious than before. Kind of strange to see, too.

zahlman
> Nobody questioned, say, Guido's design of Python

Not up until the incident that motivated him to resign, anyway.

undecisive
Yeah, certainly tickles a few neurons.

I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks. That's probably dependent on their leadership style - the hard-headed (Linus, DHH) vs the grandfatherly (Matz, Van Rossum).

Which, going back to your note on geopolitics, leads me to wonder: Is it just that more power corrupts more, or is it that (modern-day definitions of) democracy require a desire for power? I guess as the "FL" part of "BDFL" comes to bite more of the communities, we'll see better how different succession styles have different effects. I also wonder if the analytical nature of the individuals within the "populations", and inability to police defectors will mean uprisings will be more successful, either in causing BDFL attitude adjustments, or just overturning the community completely (for example, there's already a lot of momentum for a complete fork of Rails)

(Edit: having submitted this, I now see others have had very similar thoughts! Definitely an excellent conversation topic)

TheCraiggers
> I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks.

I think a lot of this is due to how so much is a scandal these days, for better and worse. (I'm obviously going to keep politics as much out of my response as possible.)

A few decades ago, people could have political views without ostracizing roughly 50% of the global population, or generally causing a ruckus at the holiday family dinner. (Obviously politics + holiday dinners has been an issue for a long time, but back then it was just something people tried to sweep under the rug. Now? Holiday dinners are getting cancelled or families are splitting up.)

It used to be that a scandal in the OSS community required you killing your wife (thinking back to ReiserFS). Now, a remark on Twitter is all it takes.

Again, I am absolutely not taking sides here. I'm just noticing a difference in the times, and agreeing that it is indeed interesting to watch.

undecisive
No, I agree. That said, I think a lot of that particular shift is down to a) increased individualism b) an emphasis on the healing power of personal boundaries and c) the rejection of unity as an overriding good.

People are far more happy to cling to the tribe they choose, and the tribe that has their back, over the tribe they were born to. Then, there are those who see that trend as dangerous to society (where, in many cases, society is really just a proxy for their own power or social status - ironically as viewed through their own chosen tribes more than the tribe they were born to)

That is to say, I don't think it's the political views that are splitting the families. Individuals have decided that care for each other should come secondary to those political views. I feel like there used to be a certain amount of care in the "sweeping under the rug" - it was the tribe against the world, it was protecting the family image as much as it was protecting the individual from society. These days, being a thing "in private" means being a thing alone, and that's no longer a compelling thought when external tribes are willing to embrace you.

Which probably applies to software tribes just as much as family ones.

zahlman
Clinging to tribes is the opposite of individualism, though, and represents pretty weak rejection of unity.
mrguyorama
>A few decades ago, people could have political views without ostracizing roughly 50% of the global population

This is ahistorical.

Not only was it the norm forever to ostracize entire sections of your society (protestant vs catholic and lots of other religions, black vs white, any form of non-hetero behavior, the Roma people and any form of outsider)

It often was the law

Americans shot their family members over whether we should own black people or not.

My French and white ancestors were expelled to Louisiana, intermarried with black people, and then when the US bought the French land, they introduced laws that made such families illegal.

Reagan made a hobby of publicly claiming his coworkers were communist. Thought that maybe we should be allowed to form unions? 100 years ago that was enough to get you investigated by the Senate. Americans voted for him so hard the Democratic party is still floundering to have support. "We should allow unions" or "we should regulate companies" is still half-verboten.

Do you know how many kids are still kicked out of their homes for the crime of being born gay?

This idea of "You used to be able to hold diverse opinions in public" is outright wrong. This past never existed.

Weird Christians in the US have tried to cancel things like Harry Potter and Halloween for God's sake. They took a teacher to trial for teaching evolution. They made playing pen and paper RPGs a sin! When preachers molested kids, they shunned the kids.

Being too chummy with another guy in public was a scandal! Being a woman who wanted an education was a scandal! Getting pregnant out of wedlock was a scandal that would tear apart families. Getting divorced was verboten. Expressing support for social policy could get you fired, or murdered.

Bush Jr literally said "You're either with us or against us" about supporting a criminal war and America pitched a globally public fit when other countries did not pledge allegiance.

gus_massa
> I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!

The difference is that with an open source licence, the community can just fork the project (assuming they have enough developers), so the BDFL must master the art of herding cats.

A country has clear physical borders and tanks, and people can't fork them and ignore the old power structure.

shadowgovt
I think you're absolutely right. We are starting to reach the age where a combination of large cooperative non-corporate tech projects and the Internet (that, partially at least, enabled them) are putting us in a place where the actual mortality of project owners matters. The "L" in BDFL is a finite constraint.

I think there's going to be an interesting and complicated churn as several major projects under the BDFL model have their Ds succeed at passing the torch, struggle to pass the torch, struggle to realize the torch needs to be passed, or take the torch and do their best to burn the whole project down so it can't outlive them.

runjake
I think this is great news and the right move!

At the same time, I would like more information around how the Gem supply chain will be handled, particularly how Rubygems and Bundler will be protected against supply chain attacks, which are becoming endemic.

bm5k
This is satisfactory news. Now we can all get back to coding.
Thank you Matz.
didip
How’s the adoption and usage situation for Ruby these days?

Is Ruby ecosystem doing well?

krmbzds
Alive and well. I write Ruby every day and enjoy doing so. It's the only thing that consistently got better for me in the last 10+ years without losing its simplicity and joy. Ruby is truly a programmer's best friend.
rvitorper
As an outsider, I have two questions:

- why is Shopify kind of hated in the comments?

- what is it DHH said?

Hoping for some context

Alifatisk
I think because of this, which started this whole thing

> Shopify demanded that Ruby Central take full control of the RubyGems

https://joel.drapper.me/p/rubygems-takeover

drbragg
This isn't true according to this article: https://www.404media.co/how-ruby-went-off-the-rails/. Joel has a terrible habit of not citing his sources so I'm not sure if the post in question is the same but this seems to nullify that argument. TBF I do think there was pressure from Shopify to get compliance and security in order but saying "Shopify demanded that Ruby Central take full control of the RubyGems" is just plain not true.
mijoharas
The rubygems treasurer who is on the board said funding was conditional on doing this[0][1].

One interesting thing is that Ruby Central then said "Board decisions are independent and not contingent on funding."[2].

Doesn't inspire a lot of trust when there is a statement from a board member saying "we did this because of funding".

I'm more inclined to believe Joel's account.

[0] A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

[1] https://apiguy.substack.com/p/a-board-members-perspective-of...

[2] https://rubycentral.org/news/our-stewardship-where-we-are-wh...

joeldrapper
Ruby Central is making legal threats to its critics, so I hope you can see why people don’t feel safe to come forward on the record.

I can tell you that two people with direct knowledge of the situation told me that Shopify demanded that Ruby Central take full control of the RubyGems GitHub organisation and packages.

You can believe that I am lying if you want. But I can’t directly cite my sources in this case.

drbragg
I never said you were lying. I said the quote that person pulled from your article isn't true. IIRC your article came out before the one I linked came out.
joeldrapper
I believe the quote pulled from my article is true. Freedom’s original article lines up with what other people told me. I know he’s tried to retract it, but I don’t trust him to be truthful in this matter. He has lied about other things like the takeover being necessary for security.
mijoharas
Oh no, looks like you're one of today's (unlucky) 10000[0]. (For context I only heard about all this recently).

For the DHH thing he wrote a recent blog post where he said he wants fewer non-white people in London and praises an English far-right fascist figure (Tommy Robinson)[1].

Not really sure about the Shopify stuff. I've heard people aren't too fond of Tobi (the C.E.O. I think), and he's buddies with DHH, but it could just be general distrust of a big company trying to exert control of an open source project (through Ruby Central).

[0] https://xkcd.com/1053/

[1] https://world.hey.com/dhh/as-i-remember-london-e7d38e64

dontlaugh
As an outsider to Ruby I kept hearing rumours and thinking it has to be exaggerated.

No, it turns out DHH really wrote a blog post complaining not enough people in London are white (even though they’re British) and praising a famous British fascist.

The rest is very much still confusing, some kind of opportunistic power plays and typical open source chaos.

mijoharas
Almost exactly my thoughts when I heard about it[0].

[0] https://www.hackerneue.com/item?id=45303239

baggy_trough
They deviated from progressive orthodoxy which to some intolerant members of the community is an unforgivable sin.
tedchs
Is this announcement just about the gem and bundler packages themselves? I don't think Ruby core team is taking over the rubygems.org site right?
itsnowandnever
this is good and I hope this puts a lot of the drama in the rearview mirror. younger developers coming across Ruby must be like "wtf" about this situation. very peculiar to have these projects so politicised and I say that to the people that "try and keep politics out" (DHH) more than anyone. making your politics known and then being like "but you're not allowed to have an opinion on it" isn't cute or clever. it's childish and everyone everywhere deserves to be treated with more respect than that.
shevy-java
But how does this solve anything? People will still not trust Ruby Central. And rubygems.org is under control by Ruby Central, even IF ruby core tries to jump in to the rescue.
mijoharas
Well, now there's gem.coop, and we don't have to worry about bundler/gem becoming hostile to other services so either:

gem.coop matures and people move to it

Or ruby central gets their crap together and regains some trust.

It's definitely a win that the tool entry point is now managed by competent people with a good track record that aren't involved in the current drama.

zahlman
> making your politics known and then being like "but you're not allowed to have an opinion on it"

As far as I can tell, this doesn't fairly reflect what actually happened. Ruby users were free to keep their own political views to their own blogs, just as DHH does. Reading world dot hey dot com slash dhh is not in any way required in order to use Ruby, participate in the development of Ruby or anything else along those lines.

There are a lot of prominent developers in the Python community whose politics I strongly disagree with. I got banned from the main discussion forum as a result of objecting to hidden Code of Conduct enforcement principles which (in my view) attempted to bring (many of) those politics in through the back door. (And in the process of getting into that meta argument, and doing research, I encountered several previous unpleasant incidents on the forum and on the mailing list that preceded it.)

But I would never start arguments with people in that space over things they wrote on their blogs. I would not go onto, say, the CPython issue tracker to complain about how certain people needed to be removed from the project because of things they said in their own spaces (like we saw with, for example, Opalgate). If I wanted to talk about someone else's politics — or my own — I would and could use my own blog for that.

The mere fact of people knowing DHH's politics emphatically does not politicize Ruby, Rails or any related project. To the extent that Python development has become politicized, that's a consequence of actual enacted policy, not the political beliefs of steering committee members, PSF board members etc. DHH putting this content on his blog was part of the effort to have it not in the workplace. And, in point of fact, that does keep it out of 37Signals board rooms.

brightball
He's also in a bit of a unique situation because his public political profile was essentially forced.

- Politics at work were becoming a huge problem at 37Signals

- They asked that politics be kept out of company chats, but encouraged people to be politically active on non-work channels/social media/etc even during work hours

- People lost their minds at this incredibly reasonable request which then blew up on the internet

- They offered any employee 6 months severance if they weren't comfortable with the new policy. About 1/3 of the company took it.

- Rails Conf dis-invited the creator of Rails

- Obviously, this was not going to sit well as people were trying to create a very public political flex against DHH and at that point, he started getting much more vocal about the problem of politics sweeping into every aspect of life.

In the following years...

- DHH becomes very publicly outspoken against politics infecting everything

- 37 Signals publishes another successful book

- Ships much more quickly as all of the people constantly distracted by politics at work are no longer in the building

- Starts the Rails World conference to great success

- Rails Conf shuts down

- DHH ships Omarchy which is getting significant support

So the end result has been that a bunch of people tried to essentially "cancel" DHH and the result was him having virtually non-stop, resounding success while publicly speaking out against those who created the problem in the first place...because some people really do just want to build cool things regardless of your politics.

wbronitsky
I don't know how this fits into the narrative you just posted, but DHH was a keynote speaker at RailsConf this year. I was there and heard him speak. He didn't speak about anything "political"; just his usual ranting and raving, this time about how long it takes to test and deploy things.
blasphemers
He was brought back for the last RailsConf since DHH started RailsWorld after he was removed as a speaker for previous conferences.
blibble
I more or less agree with the "no politics at work" stance

but you've omitted his recent "contributions", where he went completely off the rails

have a read of this https://world.hey.com/dhh/as-i-remember-london-e7d38e64

it's completely unacceptable, and he's promoting a self proclaimed fascist white nationalist (Tommy Robinson)

zahlman
> I more or less agree with the "no politics at work" stance

> but you've omitted

I'm not that poster, but it was objectively correct to omit that, because it was as an objective matter of fact not "at work".

It does. Not. Matter. In this context what his beliefs are, or how they look to you through your lens.

In exactly the same way that, for example, the political views of GNOME and Xorg developers are not relevant to the development of those projects, and only become relevant when they get discussed in development spaces. (Or, you know, when they become the motivation for explicit interference in XLibre development.)

unethical_ban
(political opinion incoming)

Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".

If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity, then you leave people with those sentiments running into the only open arms left: the far-right and the rest of their agenda.

As a liberal, even a progressive in my own mind, I still recognize that completely open borders are a problem and that we should expect all people coming to a country to want to learn the language and integrate with the native community and customs. This concept is compatible with respecting cultural diversity and immigrant populations and their civil rights.

And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe it or not, jail.

FINALLY - I don't see how this kind of hard-fork-over-politics maneuver helps change minds in the long run. It only generates bitterness.

mijoharas
> If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity

He explicitly cited race, not "British identity" he quoted a Wikipedia page where he took stats excluding non-white British.

I don't think he was arguing the point you're attributing to him.

blibble
> Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".

what does DHH, a Dane, who as far as I'm aware has never lived in London (and certainly doesn't now), know about London/the UK?

absolutely fuck all

he should keep his trap shut, in the same way Elon Musk should stop attempting to stoke nationalist fires in a foreign nation

I am also a (British, not American) liberal, and I agree with your comments about integration

the UK has an integration problem that successive political leaders have attempted to brush under the carpet, whilst ignoring the electorate's desire for a reduced rate of immigration

but the sort of nativist crassness displayed in that blog post is not the answer

and leads down a very nasty road that we thought we had defeated forever 60 years ago

> And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe or not, jail.

I'm afraid this type of authoritarianism always seems to come with a Labour government

dash2
That's not quite accurate. Quoting ChatGPT, since it may have more credible neutrality than my own opinion:

""" Does Tommy Robinson call himself a "fascist" or "white nationalist"?

No — Tommy Robinson (real name Stephen Yaxley-Lennon) does not call himself a fascist or white nationalist. He consistently rejects those labels, describing himself instead as a patriot, free-speech activist, or anti-Islamist campaigner. To summarize the record:

* Public statements:

Robinson has said things like “I’m not a racist, I’m not a fascist — I’m a working-class lad from Luton who’s standing up for my country.” In interviews (e.g., BBC Panorama, ITV, and various YouTube appearances), he has explicitly denied being a fascist or white nationalist.

* Affiliations:

He co-founded the English Defence League (EDL), which has been widely described by journalists and researchers as far-right and anti-Muslim.

However, he left the EDL in 2013 saying it had become associated with racism and extremist elements he could no longer control. """

Maybe TR is a fascist or white nationalist, but he isn't a self-proclaimed one.

zahlman
I don't know why you were downvoted for this. The term "self-proclaimed" does actually mean something in English and is not just an intensifier.
mijoharas
I mean, even if you grant that the EDL is not a fascist organisation (I don't) he was a member of the BNP which is an explicitly fascist organisation, so at best he is a former fascist or a reformed fascist.
basisword
I disagree. DHH said no politics at work. I thought that was great. A sensible moderate position at a time where people were getting polarised.

Then he started a blog, built on his company's software, where he constantly shares extreme political opinions. When you are the public face of a company (and framework) and you are publishing your political opinions using your company's platform, you are now bringing politics to work. He’s a hypocrite.

brightball
That is the point though, his hand was forced. He was very politically attacked in a very public manner and has spoken out nonstop ever since.
zahlman
> When you are the public face of a company (and framework) and you are publishing your political opinions using your companies platform, you are now bringing politics to work.

So Tim Cook would be "bringing politics to work" by posting politics on Twitter from an iPhone? Plenty of prominent Python community members, including core devs, have politics on their blogs and also use Python-powered technology (dedicated SSGs like Nikola, but also even Sphinx which is really meant for documentation) to generate and publish pages; is that "bringing politics to work"?

itsnowandnever
right, that's exactly what he did. "politics for me but not for thee"
blasphemers
That's not the case at all. His blog is his personal blog, not 37Signals, and he has never said employees were not allowed to share political opinions outside of work.
BADBEEF
I am shocked, SHOCKED, to know that a person who loves to program and just wants to do it would be more productive than people bikeshedding about code of conduct and other matters ;)
itsnowandnever
he's definitely disingenuous, though. I think the "cancel" situation was cringe but the guy posts nativist musings about London and then acts apolitical. look, I get it. the first large generation of professional developers that came up in the web 2.0 era are getting older now so naturally many are becoming more conservative. but a lot of this comes across as some kind of backlash because these guys aren't "cool" anymore. there'd be a lot less drama in this situation in particular if DHH didn't act like he needs the approval of 26 year olds. they're never going to see eye to eye with him because he's an old man at this point so he should have some tact and be the bigger person if he cares about the dev community he was a part of. very similar situation to Musk who used to be adored around the world and now he's seen as a basket case.
busterarm
Good summary. Also the ask for politics to be kept out of company chats is often what I find cited as the _core_ reason for why "DHH is a Nazi" in online discussions. It's _weird_.

I think the real root of peoples' disagreement over what happened there is that rank-and-file employees wanted to assert a lot more control over what their company does than they actually could and they were informed that that wouldn't be acceptable. The six month severance was generous.

ergocoder
DHH is at worst in the middle between left and right in the political spectrum.

Keeping politics out of work place is like an extremely mild stance.

For some reason, people label him as fascist...

mijoharas
I don't think that's fair, I mostly thought that until I read his recent blog post[0] where he wished for fewer non-white people in London and praises a far-right fascist figure in England (Tommy Robinson, he was a member of the BNP[1] for a while before he started the EDL which was more extreme).

When you're advocating for ethno-nationalism and praising fascists, I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically.

[0] https://world.hey.com/dhh/as-i-remember-london-e7d38e64

[1] https://en.wikipedia.org/wiki/British_National_Party

ergocoder
I read it and I don't see it.

He praised one policy from Tommy Robinson. This doesn't mean he supports every single action performed by Tommy Robinson for eternity.

He advocates for stricter immigration laws and is against mass immigration.

He then praises the stricter immigration laws in Denmark. Then, Denmark would be considered fascist and ethno-nationalistic by your logic?

> I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically

I'm actually mad that the word fascist is losing its meaning.

Wanting a stricter immigration law is now fascist, and Denmark is basically considered fascist for all these years for having stricter immigration laws praised by DHH...

At worst, this view is centered.

throwawaypath
>he wished for fewer non-white people in London

There's nothing wrong with promoting or protecting the interests of native or indigenous people over those of immigrants or foreigners.

Heterodox opinion in some circles, but this is not some fringe belief, nor is it "fascist."

brightball
The label is meaningless now because it's been so overused. At this point a fascist is anyone to the right of anarcho-communism. People still trying to use the term are labeling themselves more than anybody else.
shadowgovt
Was there ever a mirror of this dustup in the Linux distro community?

I'm unaware of one ever happening, and I'm wondering whether it's because of mere fortune or because there's something about the APT / dpkg model that precludes this kind of messiness.

Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors? This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."

zahlman
The fact that you speak of "the Linux distro community" but also "the APT / dpkg model" is already telling. Most distros — i.e., everything not derived from Debian — don't even use the same package format. A lot of the problem has been mitigated simply by letting people choose among competitive suites of alternatives.

That said, there's been quite a bit of drama lately in prominent Linux projects — notably bcachefs, X11 (and the fork XLibre), and the Omarchy distribution (even connected to the current story!).

shevy-java
There was - see the old systemd discussions. For instance, how Devuan was started.

It is not 1:1 comparable though. Ruby, Python etc. have a much more varied community. People contribute code. Only a few contribute to the Linux kernel directly. There are many more who write "apps", so this could be comparable. Still, it feels different to me, since a language community is different to a community that uses different programming languages.

> Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors?

No, I think it is more that people never anticipated that corporations could take over projects. This has become more of a problem in the last few years. Who controls GitHub, for instance?

> This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."

This is the issue of decentralized hosting versus top-down control. Ruby didn't have that problem in the past. It became more of an issue in the last few years. See DHH having an old tweet where he pointed out that he wants more control; I think this was from 2018. I don't remember it fully but it is on the Ruby subreddit.

busterarm
Ideologically-rooted dustups are popping off all across open source right now, it seems. Forks included.

I've even seen unironic claims of certain pieces of technology containing "Hitler particles". That shook me a bit because that's an old in-joke and was always intended to be a joke...

shadowgovt
Who is the in-group for that in-joke?
busterarm
Leftists. It's a Trotsky quote.
phoronixrly
Thank you! I was hoping for this development! Now how about taking away rubygems.org from Shopify?
IshKebab
Is this without the consent of Ruby Central? Sounds like some kind of hostile takeover!

Edit: Seems like maybe a hostile take-back actually.

dismalaf
Ruby Central also announced it on their site.
shevy-java
There are numerous questions here, but also a few answers.

For instance, I pointed out days ago that Hiroshi Shibata did not act solo. Now this is confirmed - it was a Matz directive. The main question to ask here is: could he not have made this open AND public from the get-go? It would have lessened the confusion for some people.

Unfortunately this also has a few added problems now, because ... say that you are an indie dev or a solo dev. Would you want to "interact" with the Ruby core team if they can just oust people at will if they feel they need more top-down control? Or, worse, if they only get money if companies pay them to do so? I am not necessarily saying there was a 1:1 connection with money in mind. For instance, bin/gem was not designed by the Ruby core team, and in many ways was a mistake from the get-go - see how Rust avoided this by having cargo. But one cannot help but wonder how deep that money situation goes. u/jrochkind on Reddit pointed that out, e.g. that there is very clearly a connection to Ruby losing users and developers in the last ~5 years, and a dry-up of financial assets in general. I agree with him. Even if this was not the case here (though I somewhat suspect money had to do with many things here), the situation for Ruby in general is really, really bad. Perhaps Matz felt that this was the only way forward, who knows. Either way it is not a good situation to be in.

It also shows how Ruby is WAY too dependent on Rails. If Rails sinks, Ruby sinks. That is BAD. DHH may contribute to this problem with the "I am the richest neo-boy in the USA" and odd blog entries (that's his thing though, he can write whatever he wants to), but the moment there is a financial interconnection is the moment there is no longer a fair field. And this is really bad, because it means Ruby as such will be pulled by those who have money. Bye bye solo devs - you no longer have a place in the corporate infrastructure. And make no mistake about this: rubygems.org is a pure corporate entity now. Look at the new rules they forced onto everyone: https://blog.rubygems.org/2025/07/08/policies-live.html

This also reminds me of PyPI, by the way:

https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...

Quote:

"Isn't supply chain security a corporate concern?"

And then he weakly tries to say "no, it isn't, because corporations finance us now, it is all about LOVE, HAPPINESS and THE COMMUNITY". But in reality - it absolutely is. Corporations wanted more guarantees and these infrastructure maintainers said "that's ok - we don't pay these indie devs anything but now we force them into mandatory 2FA, ad-hoc 100.000 restrictions (cannot remove your gem past that limit) and any other random crap, such as not paying them anything and having them work for us for free". I am sorry but there are soooooooo many things going wrong here - I totally agree with duckinator. This was a hostile takeover; unfortunately now we also know that it was decided from within ruby-core itself.

Note that I am not saying that it is a bad idea to have something such as gem maintained by the Ruby core team; I totally understand the reason for this, and I also pointed at the example of rust/cargo. However, the infrastructure shouldn't be a money-injection team for the Ruby core team - the moment this happens is the moment things no longer work here. And Ruby isn't merely the part designed by the core team; it also isn't just Rails - you had many more people who contributed to Ruby in the form of the ecosystem. Granted, many projects are abandoned (this is also a problem for rubygems.org, by the way) but at least this used to be true in the past.

In a way this is all a bit rubbish, because we see MIT/BSD licences, so people could just fork Ruby (not that this is likely; I haven't seen anyone object to Matz being an excellent language designer. I also don't think it is a problem if Matz and the core team profit from this financially; that's perfectly fine. But the whole ecosystem shouldn't be in such top-down control where corporations just buy their way into things, with DHH making snide remarks on his blog ("we got rid of the boys controlling the infrastructure now") all of the time while on Shopify's payroll - that is no longer a fair playing field here. Everyone can see this.)

Also, if Matz made the decision weeks ago and told Hiroshi to do so, HOW was this fair to Mike McQuaid? The latter said he tried to act as man in the middle. But if the decision to finalize this had already been made prior to that, was Mike told that? If not, how is that fair? Either way I guess Mike gets the most praise from all sides simply for trying.

We'll see what happens, whether people love the new corporate-controlled rubygems.org or prefer gem.coop (which, admittedly, still has to deliver). I favour the latter, like the rising phoenix from the ashes - in part because I hated the new corporate rules that were installed onto rubygems.org, including the crap 100.000 download limit, but in part also because I feel that if gem.coop gets enough momentum overall, they can actually begin to solve NUMEROUS issues in the Ruby ecosystem, from documentation to namespaced accounts (users and the Ruby code as such, see duckinator's proposal) and so forth. Considering the damage Shopify caused while wanting to control more of the Ruby ecosystem, I expect them to now send more workers to go and improve rubygems.org as much as possible - and not ruin things in the process. Otherwise they would have only caused damage without any real gains.

The biggest losers in this are actually the folks at RubyCentral. Because ... what have they really ever done for the Ruby community? Which high profile gems have they maintained? Just throwing fancy parties isn't going to cut it - the Titanic was also sinking when it hit an iceberg. RubyCentral may still celebrate while sinking ...

gls2ro
Can you elaborate on sources about this:

> Now this is confirmed - it was a matz directive.

I did not see any confirmation in this announcement; am I missing something?

Most of his comments on this thread are about Matz taking over RubyGems and not happy with it one way or another.
GreenWatermelon
> like the rising phoenix

Speaking of phoenixes, this whole debacle made me start diving into Elixir/Phoenix. My first impression is that I much prefer Ruby as a language; however, I'm struggling to even think of using Rails currently.

dorianmariecom
so we get namespaces for gems?
joeldrapper
These projects were not Ruby Central’s in the first place. They were stolen for Ruby Central by a Ruby Core insider, HSBT. This is horrible news.

They were stolen from André Arko, Colby Swandale, David Rodríguez, Ellen, Josef Šimánek, Martin Emde and Samuel Giddins.

rich_kilmer
They did not WRITE RubyGems, they inherited it and evolved it. Chad, David, Jim (RIP), Paul and I wrote RubyGems. I hosted RubyGems from my home in Virginia for several years before we could cover the cost of colocation and stood up RubyForge. It's nice to look at the near history and think that this is all of history, but it is not. Ruby Central has always been the steward of RubyGems and then later, Bundler.
Thank you, not only for RubyGems and hosting it, but for replying to all the accusations and comments that to me are simply bending the truth. Such as that they wrote RubyGems and somehow Bundler belongs to them. And despite you correcting them multiple times, they still continue with the same narrative.

It may be best in the future direction to have Ruby Central's role on RubyGems and bundler completely eliminated and simply just hand them over to Ruby Core and Ruby Foundation in Japan. I will gladly donate just to avoid any more US politics and drama.

buffington
Get this: I've used what you guys built back then almost every day for the past 20 years. (also, long time no see - we should catch up).
tommica
You guys did an amazing job!
joeldrapper
I’m not talking about who wrote the code. Hundreds of people wrote the code, that’s not particularly relevant. I’m talking about who had maintainership of the code and how those maintainers had agreed to govern the project.

What was your maintainership status when this all kicked off? Were you one of the owners removed by HSBT?

raggi
I can confirm the above. Sadly felt a confirmation might actually be helpful because there's some wild stuff around the threads today.
Mystery-Machine
First of all, thank you! It's unbelievable that you built the first version of `gem install` in a single night. It must have been an amazing feeling. I remember the drive when I was doing some hackathon with a few friends. It's the best feeling a software engineer can have.

When you left the RubyGems and Bundler (let's call them "Projects") team, you handed over your authority to whoever was left and/or was added later. It doesn't matter in which order things happened. What matters is that Ruby Central _and the rest of the team_ were the stewards of the Projects. The important part here being _and the rest of the team_. André had every right to keep being part of that team, and he was for a long time, together with many other team members, all of whom were removed by "a representative from Ruby Central". What an inhuman way to remove someone from a Project. "Hire" someone to do the dirty job for you so you don't have to. The decisions in a team should be made by reaching a team consensus. Not by one actor. I believe it's for the better that André was removed from the team, but it shouldn't have been done like this. Ruby Central lost trust in the eyes of many. They could've achieved the same goal in a much better way. How can I trust an organization with management of something if they failed to manage this whole situation? Claiming this is all in the name of security and then not even knowing how to properly remove access from someone. So much for security...

rich_kilmer
I totally understand and agree that it was handled very poorly.
CaptainOfCoit
So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?

As long as Matz is involved, I have a lot of faith things will get better, not worse, unless you have some strong indication of otherwise. If anything, because things will be nicer.

bhouston
> So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?

NPM was a company and it was acquired and it was voluntary. I don't think you can compare it to this situation - this is more of a messy situation with everything open source collaborations, rather than having clear ownership in a single entity:

https://github.blog/news-insights/company-news/npm-is-joinin...

Or are you referring to the pre-2014 situation where NPM wasn't VC Funded, but in a more nebulous state? It didn't last that long.

joeldrapper
So it’s okay for Matz to get HSBT to steal people’s open source projects? What if Matz's sponsors stole Ruby from him? WTF?
rich_kilmer
I was one of the originating authors of RubyGems along with Jim (RIP), Chad, David and Paul. I hosted RubyGems from my home for the entire community for many years. We never asked for nor received anything for that. We wrote RubyGems for the Ruby community. Matz and the Ruby Core team are the right place for RubyGems. This is great news.
sebiw OP
Thanks for sharing. RIP Jim, I miss him being part of the community.
the_mitsuhiko
> So it’s okay for Matz to get HSBT to steal people’s open source projects?

Where is the theft? The projects were open source, they are still open source.

bmacho
The software is open source, not the project.

The name is not for the taking. You can download the code, modify and release it, but you can't just claim ownership over a product.

mijoharas
Have we got any sources for Matz getting HSBT to steal it? I mean, I get that they're both members of ruby core, but that's a bit of a claim.
dluan
This is a question that I have, HSBT was the one who flipped switches, and it's been unclear to me how those decisions were made.
claudiug
Jesus, Joel. You are a really, really upset person. I read your stuff on reddit/r/ruby. I understand your frustration but you are so biased. Like really, really biased.
jcmfernandes
What wasn't factual in Joel's comment?
claudiug
It paints all the stuff like it is one person's fault. Omits to tell stuff like:

- gem.coop -> the person behind it has a new tool, rv, that they want to sell

- they want to sell the rubygems logs to corporations

- changed the root pass at AWS once they were removed from the project

Small details like this.

jcmfernandes
Let's say all of that is true. Did or didn't RC perform a hostile takeover of the repos?
jaredcwhite
you're leaving out copious amounts of context here so sounds like you are obfuscating on purpose.
Mystery-Machine
Oh, I didn't know that André wants to sell gem.coop and/or rv. Can you please point me to more info about where this intention to sell gem.coop and/or rv was mentioned?

They want to sell some RubyGems logs about corporations (not individuals) using RubyGems API, to...Ruby Central?

As André explained on his site, he was on-call at the time when they were removing him. He acted to protect the service by limiting access. No harmful actions done by him were ever discovered by Ruby Central. It's two entities fighting to remove the other. You can say Ruby Central was right, I can say André was right. But we do know that Ruby Central fired the first shot when they (could've been an actual hacker) removed literally everyone from RubyGems and Bundler projects.

jaredcwhite
I'm sure you're not biased. I'm sure all the people applauding Ruby Central and Ruby Core right now aren't biased. /smh