Ruby Central's Attack on RubyGems [pdf]

710 points| jolux | 6 months ago |pup-e.com | reply

249 comments

[+] ilikepi|6 months ago|reply
There is some more context on a post[1] in /r/ruby, including the fact that the maintainers and others had been working on a proposal[2] for a formalized organizational governance structure as recently as yesterday. The latter also adds some context into Mike McQuaid's involvement: the proposal was influenced by the structure put in place by the Homebrew project.

[1]: https://old.reddit.com/r/ruby/comments/1nkzszc/ruby_centrals...

[2]: https://github.com/rubygems/rfcs/pull/61

[+] mikemcquaid|6 months ago|reply
I'm trying to help, where I can, to mediate. On a call right now about this. Had 4 in the last 24 hours with affected parties past and present on both sides.

I'm not involved beyond just caring a lot about Ruby.

[+] swat535|6 months ago|reply
Also notable reply from DHH:

"Ruby Central has been the RubyGems maintainer and operator since the beginning. They paid people to work on it (including this now disgruntled former contractor).

They're improving their practices and protocols. This is good."

https://x.com/dhh/status/1969168477475786830

[+] thomascountz|6 months ago|reply
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler

https://rubycentral.org/news/strengthening-the-stewardship-o...

[+] DannyPage|6 months ago|reply
> We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of *openness and collaboration*

- The bolded part doesn’t track with locking out the entire team without notice or explanation.

- “Thanks for the hard work, the adults will take it from here” rarely works out.

[+] krmbzds|6 months ago|reply
> We thank the maintainers and respect their legacy.

After removing them without explanation, cutting them off from projects they have maintained for over a decade and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated.

[+] jmuguy|6 months ago|reply
So essentially they randomly cut off a bunch of long time maintainers for some vague legal and/or security reasons. If there was real reason to do that in a hurry, that's what we need to see, not a corporate PR message.

[+] raesene9|6 months ago|reply
If they're trying to strengthen security, this feels like an odd way to go about it.

Making unplanned, unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over feels risky and not a great way to improve people's trust in their governance.

[+] loloquwowndueo|6 months ago|reply
Totally reads like post-facto CYA. They could have communicated this to the maintainers internally beforehand instead of blindsiding them.

[+] TehCorwiz|6 months ago|reply
> Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.

Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone.

[+] bradgessler|6 months ago|reply
It reads like lawyers and auditors took over RubyCentral.

[+] corytheboyd|6 months ago|reply
Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also liability, but those accounts being compromised just hasn’t been what is happening.

[+] sussmannbaka|6 months ago|reply
That’s a lot of words to write “we did a hostile takeover”.

[+] yxhuvud|6 months ago|reply
It might have been a good idea to do that communication BEFORE creating all that drama.

[+] tarellel|6 months ago|reply
This is just RubyCentral trying to get ahead of the news and save face before they end up looking like complete @$$ bags.

[+] thomascountz|6 months ago|reply
I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile take-over, and that that would expose Ruby Central to some legal liability, if not a complete loss of control.

I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath.

Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are now squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again."

...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now...

[+] michaelem|6 months ago|reply
So uh… “compliance reasons”? That sounds rather concerning.

[+] krmbzds|6 months ago|reply
The recent actions taken by Ruby Central - removing long-time RubyGems and Bundler maintainers without warning, seizing administrative access, and consolidating control under a small, centralized group - represent a serious breach of trust within the Ruby ecosystem.

This was not a misunderstanding. It was a hostile takeover of key infrastructure, undermining both the long-standing maintainers and the broader community that relies on RubyGems and Bundler every day.

The Ruby ecosystem thrives on collaboration, openness, and mutual respect. What we've witnessed over the past week violates those principles. Ruby Central's actions - unilateral access revocations, exclusion of experienced volunteers, and refusal to engage in transparent dialogue - are not just organizational missteps. They're a threat to the decentralized and community-driven spirit that has sustained Ruby for decades.

I oppose this power grab.

Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.

If Ruby Central is serious about supporting the Ruby community, they must:

- Immediately restore access to all maintainers removed during this incident.

- Publicly commit to a transparent, community-driven governance model, similar to what the RubyGems team had begun drafting.

- Respect the autonomy of open source maintainers, regardless of whether they are employed by Ruby Central.

- Acknowledge the harm caused by these actions and engage in meaningful dialogue to rebuild trust.

The Ruby community has always been about people - diverse, passionate, and united by a love for a beautiful language. It's time we demand that the institutions claiming to represent us act accordingly.

And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central and ultimately, if all else fails, we must build and maintain our own infrastructure unencumbered by these shenanigans. Also, in order to re-establish trust in the community, the people responsible for causing this ruckus should be fired.

Ruby-Level Sponsors (Top Tier): Alpha Omega, Shopify, Sidekiq

Gold-Level Sponsor: Flagrant

Silver-Level Sponsors: Cedarcode, DNSimple, Fastly, Gusto, Honeybadger, Sentry

[+] byroot|6 months ago|reply
> What we've witnessed over the past week

Who is "we"? And what did they witness?

All we got right now is one side of the story.

It is indeed surprising such a change wouldn't be immediately followed by a public announcement, but they've been founding and managing RubyGems for a very long time now, so it's not even clear to me how this can be a "takeover".

I'll happily join with my pitchfork if it turns out this is indeed a malevolent move, but until I've read their side of the story, I'd rather wait and see.

Edit: 35 minutes later, here we go: https://rubycentral.org/news/strengthening-the-stewardship-o...

[+] simonw|6 months ago|reply
Why did you include that list of sponsors at the bottom of your post?

What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.

Were those parts (or indeed your entire comment) written with the help of an LLM?

[+] anilgulecha|6 months ago|reply
Feel bad for the RubyGems community, sending my gratitude and empathy. Ruby was a leap in my career, and I have a soft spot for the language and community.

I'll wait for RubyCentral's side on this, but on the face of what's written, these actions do not seem to be transparent or in good faith. Is there something posted from RubyCentral's side?

I wish the Ruby community strength, and a transition over to a community-owned org, one way or another.

(With NPM, WordPress, now this - seems like package repositories are becoming a flashpoint of corporate takeovers..)

[+] eutropia|6 months ago|reply
Could someone with more insight as to the decision-making at Ruby Central weigh in on what's going on here? Between this and drama with the conferences over the years I'm just confused. They've been busy launching podcasts and doing fundraising, email campaigns and all that. Has there been a change in leadership?

[+] swilk001|6 months ago|reply
Yes, they recently hired a new Executive Director.

[+] brightball|6 months ago|reply
I'm still not clear about why they dropped RailsConf. I assume the biggest sponsors threw their weight behind Rails World?

[+] davidw|6 months ago|reply
Seems relevant: https://ruby.social/@getajobmike/115231677684734669

I'm just reposting it though. I haven't followed any of this myself.

[+] mijoharas|6 months ago|reply
> The unstated reason for this change was that many of the existing Rubygems maintainers have recently quit (including their only full-time engineer) due to their continued relationship with DHH.

Can someone expand on what this means? Is it a continued relationship between Ruby Central and DHH, or the maintainers and DHH? Why does the other party have a problem with that?

EDIT: It seems the post was clarified since I copy/pasted this, and it's RC and DHH. Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.

[+] jacques_chester|6 months ago|reply
At Shopify I was the person who first proposed that we needed to stump up $$$ for RubyGems (and only by implication Ruby Central).

This is not what I had in mind and now I'm embarrassed that I helped make it possible.

[+] choilive|6 months ago|reply
Sounds like Shopify has some leverage then to open a line of comms with Ruby Central. "Explain yourselves or we will pull funding"

[+] jacques_chester|6 months ago|reply
I should add, to clarify: I don't work at Shopify anymore and I'm not speaking for them. Purely a personal view.

[+] k33n|6 months ago|reply
The idea that Ruby Central is "attacking" its own project -- that it has secured funding for -- for a decade plus, is not really based in reality. Not sure what goes on in their "Github Enterprise", but their vanilla github is pretty transparent. Marty has been doing good work in the repo as of late around the Orgs feature. I rely on rubygems.org, and my fork of rubygems.org on a daily basis.

The project is an objective public-good. It's sad that a former employee is attempting to burn it all down. I guess they thought it was all about them and not the millions of DAU's the platform has served without fail since inception. Contractors will come and go.

What are the OP's contributions even? I don't see a single commit from her handle on the 24 month view (below). Correct me if I'm wrong.

https://github.com/rubygems/rubygems.org/graphs/contributors...

[+] dcchambers|6 months ago|reply
Hasn't Ruby Central always 'owned' RubyGems.org, Bundler, and all related infra?

Removing existing maintainers from the project isn't good - and hopefully it's a temporary oversight as Ruby Central gets things set up in the new org. Either bad communication from Ruby Central - or they really did make a bad mistake here (maybe even with the best intentions, given recent NPM issues).

Edit: It seems like there's a lot more to the story here. Many volunteer RubyGems/Bundler maintainers have left because they disagree with decisions that Ruby Central (the nonprofit organization) has made and it seems like all of this is fallout related to that.

[+] ornornor|6 months ago|reply
I took comfort in the fact that the ruby community seemed miraculously immune from these petty disputes and takeovers from the benevolent entity running the service. Seems like that’s not the case anymore :(

Sorry for all the maintainers, that must suck.

[+] scragz|6 months ago|reply
I miss the days of "we're nice because matz is nice"

[+] drbragg|6 months ago|reply
Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?

[+] woodruffw|6 months ago|reply
I think the missing piece here is that almost every person publicly involved with RubyGems’ development has left the project in recent weeks. I don’t have any special insight here, but from an outsider’s perspective it seems as though Ruby Central is trying to turn a former “host” relationship into a “control” relationship.

[+] Lio|6 months ago|reply
Ruby Central really need to come out and explain what they are doing here.

At the least this looks like a very destructive and poorly communicated move.

[+] Alifatisk|6 months ago|reply
So Ruby Central did a hostile takeover of RubyGems enterprise account in GH. Wow

[+] nomdep|6 months ago|reply
I can already see the future:

The Rails Foundation will start its own central gem registry and set of forked tools.

Then, RailsCentral will lose its sponsors and fade into irrelevance.

[+] morpheuskafka|6 months ago|reply
For those like me who are not Ruby users/devs, it might be good to explain who exactly Ruby Central is? I assumed they were analogous to Python Soft Foundation or Linux Foundation etc. as the entity of maintainers/owners/whatever of Ruby.

But it seems that they have nothing to do with the ruby-lang.org site where the Ruby binaries themselves are distributed. Instead, their own site appears to primarily list them as responsible for organizing an annual conference?

And who owned the RubyGems infrastructure before this takeover? The website (and domain that the client actually calls to get the gems, presumably) seem to have already been part of Ruby Central, so what exactly changed here ownership wise, beyond just kicking the maintainers?

(unrelated -- seeing a mention of DHH here reminded me that I haven't seen anything of the Matt/WP drama in a long time on HN -- time to go Google whatever the resolution of that was)

[+] nomdep|6 months ago|reply
Until a few years ago, RubyCentral was very similar to the Python Software Foundation in that it managed all the infrastructure and the main conferences - everything except language development.

A few years ago, RubyCentral lost power when the Rails Foundation was created (most of the Ruby world revolves around Rails). The Rails Foundation organizes its own yearly conference, and RubyCentral stopped hosting theirs.

However, RubyCentral still controls the package management tools and the package registry.

[+] jfjjsjdjdjdj|6 months ago|reply
The idea of a central repository for shared code is great, whether it’s rubygems, rpm, maven central, pypi, crates, packagist, nuget, etc.

But, none of these are a good idea. Any level of centralization leads to disappointment eventually.