A Message from the Ruby Central Board

(rubycentral.org)

24 points | by nertzy a day ago

23 comments

  • mbStavola a day ago

    > Ruby Central’s actions during this period were taken in response to a breakdown in a working relationship with an individual who had significant access to infrastructure and code
    > [...]
    > At the time, we believed a serious risk had been introduced to RubyGems and related services.
    > [...]
    > The review was ultimately inconclusive because key logs required for a complete analysis were no longer available. We recognize that this creates continued uncertainty.

    So, after all that finger wagging and posturing around how the new RC regime was right to oust the previous maintainers, it turns out none of their justifications had any basis in fact? In all honesty this has just been one rake-step after another and I can't imagine how anyone could continue to be confident in their decision making.

    Perhaps gem.coop might win out just by virtue of not putting themselves in these positions unnecessarily.

  • dzonga a day ago

    this is why having a growing ecosystem is very important.

    ruby's lack of growth has caused certain people, organizations etc to have an outsize influence for good or bad on the ecosystem.

    some people have felt unwelcome altogether.

  • wood_spirit a day ago

    Not a rubyist so just curious on the background and if this is the “good” or the “bad” side in the spat? What’s the other side and what has been the broader community impact?

    • Kina a day ago

      From what I can tell, this story is primarily about personalities. The community essentially ended up with several factions, but I’ll try to explain this without it degenerating into the schoolyard fighting that it appears to be.

      1. Ruby Central is the surviving Ruby non-profit that another Ruby non-profit, Ruby Together, merged with. This is where part of the legal ambiguity/dispute comes from that will make sense in (2).

      2. RubyGems (the code, GitHub repo, etc) and RubyGems.org are two separate things. RubyGems code appears to not have been legally transferred in the merger. RubyGems.org is run by Ruby Central, but this transfer is also extremely muddy.

      3. For reasons in dispute, Ruby Central seized the GitHub repos of RubyGems. It is not clear they have the legal or ethical right to do this (based on the evidence, I believe they do not and they have committed theft).

      4. Ruby Central has made various noises about the need to do this for security and other things despite the extremely sloppy nature of the takeover.

      5. Ruby Central then “gave” RubyGems to the Ruby core team without resolving anything in what appears to be an attempt to try and end the controversy.

      In the background of all of this appears to be a lack of trust, dhh posting crap like this: https://world.hey.com/dhh/as-i-remember-london-e7d38e64, resulting in a fight about the future of the Ruby ecosystem.

    • jmcgough a day ago

      https://joel.drapper.me/p/rubygems-takeover/

      Read the above, but tl;dr is that Shopify executed a hostile takeover of Ruby Central for its own benefit, at the expense of long-term maintainers and the general community. I'm not sure if there's been any real change since then, but there are many reasons not to trust anything that the board says at this point.

      • Kina a day ago

        IMHO, Ruby Central keeps trying to find a way to frame all of this in a good light, but it seems like they keep falling flat. They tried doing filtered Q&A avoiding all the obvious questions that people hostile to what happened would ask, temporarily providing transparency reports that didn’t really say much. It all felt like very incompetent damage control.

        I think they were hoping that handing it off to the Ruby core team would allow them to move on, but that requires ownership of their failings or at least actions that demonstrate that they will be better moving forward and none of that has happened.

      • windowshopping a day ago

        Wait, I had no idea dhh was on the outs now. This is the first I've heard of this. I have to go look for more information about this. What did he do?

        • jmcgough a day ago

          Not sure he's "on the outs", he's on Shopify's board.

          Sidekiq's solo dev (Mike Perham) has for many years made a generous donation to Ruby Central. He informed them that he didn't want his money to be spent platforming dhh at their conference, they ignored his request, he stopped his annual donations.

          If you want to read about dhh's colorful blog posts and tweets: https://jakelazaroff.com/words/dhh-is-way-worse-than-i-thoug...

          • mtndew4brkfst a day ago

            Colorful is an odd way to spell "vocally bigoted".

            • jmcgough a day ago

              I get downvoted here when I call him a racist.

              • angoragoats 8 hours ago

                Me too, and because of that I feel it's even more important to use language like racist, white nationalist, and fascist when describing him and his ilk, because that's what they are. Softening the language only leads to those beliefs becoming more normalized than they already are.

        • fcsp a day ago

          I would recommend as a starting point this beautiful piece from November: https://okayfail.com/2025/in-praise-of-dhh.html

        • tovej a day ago

          He came out as a white nationalist [1]. And he's always been contentious.

          [1] https://jakelazaroff.com/words/dhh-is-way-worse-than-i-thoug...

        • angoragoats a day ago

          If you’d like to read, in his own words, his “coming out” as an ultra right wing racist piece of shit, feel free to look on his blog for the post titled “As I Remember London.”

    • mpalmer a day ago

      Shopify and/or its technical leadership worked its connections to oust a Rubygems maintainer they saw as a threat to Ruby projects Shopify has invested in.

      This was especially provocative because it involved Ruby Central asserting control over Rubygems, which it does not own.

      It was (by credible accounts) a "preemptive strike" on this maintainer, and thus was not communicated to other RG maintainers, who were understandably angry.

      The statement from RC at the time sounded like a lot of CYA, and this doesn't read as all that sincere either.

      • joeldrapper 8 hours ago

        That’s what it looks like to me, but I haven’t yet seen a good explanation of their motive. Why would the development of `rv` be such a threat to them?

        I know specific individuals hate Andre and have had beef with him for years, but it’s hard to see what might have motivated Shopify and specifically Ufuk Kayserilioglu to carry this out.

        • mpalmer 8 hours ago

          > Why would the development of `rv` be such a threat to them?

          Well, package managers and language bundlers/runtimes are the hottest new luxury item for big tech - maybe they're worried rv gets bought in the same way that Anthropic bought bun, and OpenAI bought uv (Astral). Though at the time, none of that had happened yet.

  • joeldrapper 8 hours ago

    > Ruby Central’s actions during this period were taken in response to a breakdown in a working relationship with an individual who had significant access to infrastructure and code.

    This is the first time they’ve actually admitted that this was all about Andre.

    > At the time, we believed a serious risk had been introduced to RubyGems and related services.

    This doesn’t add up. Access was revoked and then temporarily restored. Nothing about this was mentioned in the meeting that took place before the access was removed again. See https://archive.org/details/gmt-20250917-160422-recording-64...

    And what’s more, they didn’t even try to remove Andre’s access to AWS until he told them to.

    > As stewards of services relied upon by millions of developers, we took that risk seriously and made the decision to act quickly to protect that infrastructure.

    That’s not what Freedom said. Freedom said they needed to act quickly or lose funding.

    https://apiguy.substack.com/p/a-board-members-perspective-of...

    > A full, independent security audit has now been completed. The review was ultimately inconclusive because key logs required for a complete analysis were no longer available. We recognize that this creates continued uncertainty.

    This makes it sound like there was some big security incident that they had to respond to. What actually happened is they forgot to remove Andre’s access to AWS and he told them and then they removed it. That’s it.

    > Our intent was to stabilize a situation that was quickly escalating to work toward an amicable resolution.

    If you watch the meeting (linked above) it’s clear that’s not what they were doing. This is a new spin they’ve come up with to justify it.

    > Ruby Central did not initiate litigation and has consistently sought a path that would allow the community to move forward without prolonged conflict.

    That is not what I’ve heard, but I’ll wait for others to post details of what’s happening in this space.

    > At the same time, we recognize that aspects of how this situation was handled and communicated did not meet the expectations of the community.

    They keep trying to admit fault in communication as if communication was the problem in an attempt to distract us from the fact they literally stole open source projects in a hostile GitHub takeover and used their privileges as administrators of RubyGems.org to take over the `bundler` package.

  • AllegedAlec 15 hours ago

    I really want to like Ruby; it's my Smalltalk-lite for small projects, because it's easier to run and get going than spinning up VMs. However, it's retarded shit like this drama that makes me move away from languages.

  • doug_durham a day ago

    I don’t think there are “millions” of Ruby developers. It’s a large community but hyperbole doesn’t serve anyone.

    • joeldrapper 8 hours ago

      Some estimates are about two million but I think that’s an extremely loose definition of Ruby Developer.

      I run rubyschema.org which maintains the rubocop JSON schema that’s pulled via schema store. I can see there are about 21k unique downloads each month, which I think is a pretty reasonable lower bound.

      Most text editors will pull this schema when opening a project with Rubocop.