Ruby Central Takes Over RubyGems
André Arko (via Reddit):
As chronicled by my teammate Ellen, the RubyGems team is no more. I wish the best of luck to everyone taking on the herculean task of keeping package management functional and working for the entire Ruby community.
Ellen Dash (PDF, Lobsters):
On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
- renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
- added non-maintainer Marty Haught of Ruby Central, and
- removed every other maintainer of the RubyGems project.
[…]
On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.
By doing this, he took control for himself and other full-time employees of Ruby Central.
She calls it a “hostile takeover.”
As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems. Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
In addition, with the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end. To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights.
[…]
Looking forward, our goal is to move these projects into a healthier, more transparent and community-centered governance model that is more in line with OSS development.
It seems natural to be skeptical, since they started out with the opposite of transparency.
People are asking for some kind of statement from the Ruby Central board, but this is a small group of volunteers spread out all over the globe. We are software developers and makers and builders first. We don’t have some big PR machine or communications team. It’s just us. And we’re suddenly overwhelmed by feedback from our community that we aren’t equipped to quickly respond to.
[…]
So what really happened? From my perspective it’s far more boring (or should have been) than anyone is making it out to be. Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn’t a new development, and I’m honestly very confused about the confusion.
What isn’t confusing is that supply chains are under attack. We can see this in recent attacks on RubyGems and also in major attacks on other ecosystems that have made global news. Companies that depend on Ruby count on Ruby Central to ensure they are not at risk. Some of those companies are sponsors of Ruby Central and some are not, but all have a legitimate need to know that they can tell their users that the software they are using is safe.
[…]
If Ruby Central made a critical mistake, it’s here. Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don’t have a “communications team”, no real PR mechanism, we are all just engineers who (like many of you I’m sure) go heads down on a problem until it’s solved.
You say “What isn’t confusing is that supply chains are under attack.”
Then you remove the people most prepared to respond. The attack surface was increased by changing the ownership from people who have owned and maintained these repositories independently for decades.
You said “Ruby Central has been responsible for RubyGems and Bundler for a long time.”
But this is incorrect. Ruby Central has been a gracious sponsor of PEOPLE who work on an OSS library.
[…]
Again, sorry to be a broken record, but how did you propose to control the repositories to which you had no access until Sep 9? You needed someone to add you first by breaking our existing OSS governance model.
- Ruby Central was struggling for money.
- Sidekiq withdrew its $250,000/year sponsorship for Ruby Central because they platformed DHH at RailsConf 2025.
- Shopify demanded that Ruby Central take full control of the RubyGems GitHub repositories and the bundler and rubygems-update gems, threatening to withdraw funding if Ruby Central did not comply.
- HSBT jumped the gun and implemented the takeover plan, adding Marty Haught as an owner and reducing maintainers’ permissions before Marty had discussed this with the maintainers.
[…]
The RubyGems source code and GitHub organisation was not owned by Ruby Central, even though Ruby Central operated a service with the same name.
[…]
Bluesky threads reveal that Rafael França (Shopify / Rails Core) saw this [rv] tool as a threat[…]
Previously:
- Automattic vs. WP Engine
- Longstanding CocoaPods Vulnerabilities
- NPM Packages Sabotaged
- GitHub’s Commitment to npm Ecosystem Security
Update (2025-10-17): Jared White (via Hacker News):
I will offer my own timeline of events which transpired earlier this year.
Josef Šimánek (via Hacker News):
I understand there have been real problems in the community over the years. Some of the maintainers who were removed had conflicts, and there were reasonable reasons why a demand for change existed.
But this is not the way to fix those problems. Ruby Central acted with a deus ex machina approach — coming down like a “hand of God” to forcibly reset the situation. That is not how you contribute to a community. That is not how open source works.
So while I can acknowledge some of Ruby Central’s concerns, their actions have left me no choice.
- I am leaving any cooperation with Ruby Central.
- And since they will most likely require a CLA (Contributor License Agreement) for future work, I will no longer be able to contribute at all.
Justin Searls (via Hacker News):
I don’t have the answers to what’s going on in 2025. A few details have been shared with me—details that would contradict fact-checks and timelines others have pieced together and published—but I can’t pretend to have a clear picture of what actually happened, why no one is setting the record straight, or when we’ll have clarity on what the future holds. All I can do is offer a little bit of context to explain why I’m dubious of the dominant narrative that has taken shape online. Namely, I don’t believe this is a cut-and-dry case of altruistic open-source maintainers being persecuted by oppressive corporate interests.
Yukihiro Matsumoto (via Hacker News):
Despite this crucial role, RubyGems and Bundler have historically been developed outside the Ruby organization on GitHub, unlike other major components of the Ruby ecosystem.
To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community.
[…]
Repository ownership will transition to the Ruby core team to ensure long-term stability and alignment with the broader Ruby ecosystem. It will continue being managed by Ruby Central, now jointly with the Ruby core team.
This makes sense, though I wonder what “jointly” really means here. What happens if at some point Ruby Central and the core team disagree?
That HN discussion, litigating if DHH is a nazi, fascist or both, and anyone disagreeing is downvoted to oblivion. Seems like this is the community that was ostracized in this case.
This is a good comment:
> It took a fair amount of reading between the lines, but here's what appears to have happened: 1) People and entities with partial control over RubyGems attempted to cancel DHH. 2) In response, elements aligned with DHH kicked the former out of RubyGems. 3) Everyone involved is now attempting to legitimize their motives as "good engineering."
>
> In other words, "When you play the game of thrones, you win or you die."
I guess the cycle is about 100 years. Everyone forgot what happens when every little thing becomes politicized, and ideology becomes more important than life itself.