For context, also check out their previous statement from September 19, which also "reflects our shared commitment to the long-term stability and growth of the Ruby ecosystem" [sic]: https://rubycentral.org/news/strengthening-the-stewardship-o...
saghm
> As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems.

It took less than two weeks from this statement for them to put out an incident report about their forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.

jrochkind1
Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.

The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, is potentially another story.

But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.

Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...

the_hangman
Genuine question: how do you take something which you have already been paying for?

They removed other maintainers' access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that; it was extremely childish behaviour.

> They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager

Inaccurate:

> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.

> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.

shevy-java
They keep on using buzzwords. These Ruby Central guys never maintained a single gem used by many people in their lives. I have no idea what they are writing, but it feels as if AI is writing their statements. Even then it is of such a poor, repetitive quality that even AI may just accidentally write better "summaries". People lost all trust in Ruby Central - there is no way for them to win back trust here.

IMO it would be better to start from a clean slate; dissolve Ruby Central and bring back the community with a new policy, rules - but that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").

the_hangman
AFAIK many of the people who were on board to help start gem.coop have stepped back after the recent controversies with Andre Arko; at this point I don't think it will ever be anything more than a RubyGems mirror.

florkbork
I sincerely doubt this without a source
