It took less than two weeks from this statement for them to put out an incident report about forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people having confidence in their ability as steward to provide long-term stability for the ecosystem.
The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, is potentially another story.
But the infrastructure for rubygems.org, and having the passwords to it, has been Ruby Central's since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.
Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...
They removed other maintainers' access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager, logged in a few hours later, and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that; it was extremely childish behaviour.
Inaccurate:
> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.
> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
Ruby Central didn't realize that they hadn't actually revoked the previous maintainers' access (and that they didn't have the updated root AWS credentials) until two weeks later, when André notified them.
IMO it would be better to start from a clean slate: dissolve Ruby Central and bring back the community with new policies and rules. But that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").