Gem.coop

>It kind of feels like this fork is the better-maintained piece of software now.

Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?

Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?

I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.

I don't plan on switching to a rubygems fork that does not offer technical/security benefits over the original.

They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.

re: funding model, looks like it's TBD[0]

[0] https://bsky.app/profile/indirect.io/post/3m2j2pcinz22j

I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.

This does not bode well for the team having the socio-technical savviness to see this project through.

The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:

1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.

2. It has no UI to search or view gems, so still depends on RubyGems for that.

Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.

As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.

So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.

This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.

It's bittersweet.

The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.

One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.

Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.

On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.

I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.

From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.

There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.

> It kind feels like this fork is the better maintained piece of software now.

Which fork of what software..?

> We’re excited to introduce gem.coop – a new server for gems in the Ruby ecosystem.

This is a new hosting service for gems, not a fork of bundler. Or is there missing context?

I believe the CDN is provided for free by Fastly. Not sure about other funding at the moment.

> So, ignoring everything that got us here, what do people think about this?

It's fine. Keeps all the complainers away from the larger ecosystem.

I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.

I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.

To take the maximally negative view of things:

    - uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
    - that's a nice moat!
    - Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
    - Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
    - After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit.  Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
    - I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people.  This is just as bad to me as the Ruby Central situation right now.

This reads like a hit piece based on a personal vendetta. I'd be careful how much weight to give this.

To follow up here, it sure sounds like Andre is not entirely acting in good faith.

https://rubycentral.org/news/rubygems-org-aws-root-access-ev... discusses that a precipitating event was Andre asking for a copy of the http access logs to monetize them.

I think this is confirmed by Mike Perham's comment in https://www.reddit.com/r/ruby/comments/1o2bxol/comment/ninn6...

> In this case I have first hand knowledge since he pitched me on the idea: would Sidekiq, being a big sponsor of Ruby Central in the past, be interested if rubygems could somehow use the remote IP to identify the companies downloading the sidekiq gem so I could use that to upsell those companies

yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.

The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.

Single-file archives are much easier to distribute.

Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).

Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.

The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.

We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.

Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.

Well, rubygems (the software) can pull from any git repository. So we kind of have it already anyway.

You've seen golang's package... situation?... and you still think switching to Git is a good idea?

Exactly. Go already adopts that.

I believe the hosting is already covered.

Mostly good. Monopolies stagnate. Competition helps drive innovation.

In open source too.

hard disagree. For a project like this, all members should be paid a fair, but not "get rich" sum. There are companies out there that pay EVERYONE the same salary, all the way from CEO to janitor. Mysteriously, those companies don't have folks trying to hijack things, because nobody benefits.

It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?

It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/

https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...

What does “fash problem” mean?

It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.

> This leads me to think this project is not about the code but about the people.

Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.

Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?

https://web.archive.org/web/20251003112525/https://rubygems....

Source lives here: https://github.com/gem-coop

-> In my opinion they are now deliberately making the community angry.

This is one thing I think hasn't been talked about explicitly enough within the community (that I see at least) yet, Ruby Central seems to be actively trolling the 'other side' of this situation. It reads to me like they know they have the lawyer power to defend their castle and are enjoying pissing down on people and telling them it's raining. Oh and you should enjoy that because it means there will be flowers soon... or something.

I think the dialogue of 'are they acting in good faith' only works in so far as they even care about the rest of the Ruby community at all. If they are indeed bad actors (motivated purely by greed, ambition, ego, etc) then they are not ever going to come clean and they would let the whole Ruby community die before they admit defeat or wrongheadedness. My favorite term for these types of actors is SCUM - Sufficiently Clever and Uncaring Malefactors.

No.

Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.

Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.

Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.

Developers are free to choose the party they trust more.

The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.

Drama and forking aren't going to kill Ruby. This is a move like the one from Freenode to LiberaChat: hostile entities take over $thing, sensible people move on to $newthing, the new normal settles around $newthing.

As for DHH, he's a far-right racist.

https://jakelazaroff.com/words/dhh-is-way-worse-than-i-thoug...

Silencing and excluding such people from open source is the right thing to do because failure to do so means forcing others to interact with people who are hostile to their very existence.

If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.

(neither the "me" nor the "you" here refer to you or me personally ofc.)

I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.

Not everyone involved in open source has a boss. I don't care what a boss would hypothetically do to me, so that's not helpful guidance.

Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.

I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)

Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.

I wrote this comment with what I understand to be the relevant context: https://news.ycombinator.com/item?id=45490531

+1.

Brigading

Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.

Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.

The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.

0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...

1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)

2: https://news.ycombinator.com/item?id=45348390

This article was the most nuanced I found while everything was still hot. https://archive.ph/SEzoV

In short, a hostile takeover forced by Shopify through Ruby Central.

It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.

https://joel.drapper.me/p/rubygems-takeover/

As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.

It is said the underlying cause is that devs push rv which is threatening RubyGems.

Based on the comments getting downvoted, it feels like some brigading going on.

why's (poignant) Guide to Ruby

This cannot be a response, as it was posted days before this was released.

The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?