Ruby Central Takes Over RubyGems
André Arko (via Reddit):
As chronicled by my teammate Ellen, the RubyGems team is no more. I wish the best of luck to everyone taking on the herculean task of keeping package management functional and working for the entire Ruby community.
Ellen Dash (PDF, Lobsters):
On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
- renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
- added non-maintainer Marty Haught of Ruby Central, and
- removed every other maintainer of the RubyGems project.
[…]
On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.
By doing this, he took control for himself and other full-time employees of Ruby Central.
She calls it a “hostile takeover.”
As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems. Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
In addition, with the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end. To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights.
[…]
Looking forward, our goal is to move these projects into a healthier, more transparent and community-centered governance model that is more in line with OSS development.
It seems natural to be skeptical since they started out with the opposite of transparency.
People are asking for some kind of statement from the Ruby Central board, but this is a small group of volunteers spread out all over the globe. We are software developers and makers and builders first. We don’t have some big PR machine or communications team. It’s just us. And we’re suddenly overwhelmed by feedback from our community that we aren’t equipped to quickly respond to.
[…]
So what really happened? From my perspective it’s far more boring (or should have been) than anyone is making it out to be. Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn’t a new development, and I’m honestly very confused about the confusion.
What isn’t confusing is that supply chains are under attack. We can see this in recent attacks on RubyGems and also in major attacks on other ecosystems that have made global news. Companies that depend on Ruby count on Ruby Central to ensure they are not at risk. Some of those companies are sponsors of Ruby Central and some are not, but all have a legitimate need to know that they can tell their users that the software they are using is safe.
[…]
If Ruby Central made a critical mistake, it’s here. Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don’t have a “communications team”, no real PR mechanism, we are all just engineers who (like many of you I’m sure) go heads down on a problem until it’s solved.
You say “What isn’t confusing is that supply chains are under attack.”
Then you remove the people most prepared to respond. The attack surface was increased by changing the ownership from people who have owned and maintained these repositories independently for decades.
You said “Ruby Central has been responsible for RubyGems and Bundler for a long time.”
But this is incorrect. Ruby Central has been a gracious sponsor of PEOPLE who work on an OSS library.
[…]
Again, sorry to be a broken record, but how did you propose to control the repositories to which you had no access until Sep 9? You needed someone to add you first by breaking our existing OSS governance model.
- Ruby Central was struggling for money.
- Sidekiq withdrew its $250,000/year sponsorship for Ruby Central because they platformed DHH at RailsConf 2025.
- Shopify demanded that Ruby Central take full control of the RubyGems GitHub repositories and the bundler and rubygems-update gems, threatening to withdraw funding if Ruby Central did not comply.
- HSBT jumped the gun and implemented the takeover plan, adding Marty Haught as an owner and reducing maintainers’ permissions before Marty had discussed this with the maintainers.
[…]
The RubyGems source code and GitHub organisation were not owned by Ruby Central, even though Ruby Central operated a service with the same name.
[…]
Bluesky threads reveal that Rafael França (Shopify / Rails Core) saw this [rv] tool as a threat[…]
Previously:
- Automattic vs. WP Engine
- Longstanding CocoaPods Vulnerabilities
- NPM Packages Sabotaged
- GitHub’s Commitment to npm Ecosystem Security
2 Comments
That HN discussion is litigating whether DHH is a Nazi, a fascist or both, and anyone disagreeing is downvoted to oblivion. Seems like this is the community that was ostracized in this case.
This is a good comment:
> It took a fair amount of reading between the lines, but here's what appears to have happened: 1) People and entities with partial control over RubyGems attempted to cancel DHH. 2) In response, elements aligned with DHH kicked the former out of RubyGems. 3) Everyone involved is now attempting to legitimize their motives as "good engineering."
>
> In other words, "When you play the game of thrones, you win or you die."
I guess the cycle is about 100 years. Everyone forgot what happens when every little thing becomes politicized, and ideology becomes more important than life itself.