Ruby community has always been quite toxic, though.
Remember why the lucky stiff?
The last spat between pro-Israel anti-immigration gang vs the cancel culture gang that resulted in Matz taking over contended code is a perfect illustration.
I don't like talking about a heterogeneous group of people in a generally negative way. I try to stick to the people I perceive as sharing the same values that are important to me. And there are many such people in the Ruby community.
My recollection is that some people in the community knew his identity. His sudden disappearance invited a lot of people to dig into it, many of which were not even Ruby people to begin with. There was even a newspaper article written about him years after. I would not attribute all that digging to the Ruby community. If anything I remember people being very respectful at the time.
The pickaxe guys coined it. People repeat it without thinking about it.
If matz were to say "jump from the bridge", people would do it, because matz is nice?
Just to point out: I do think matz is nice and a great language designer. That in itself doesn't mean anything. Why would I proxy my own decisions based on any mindless slogan? That makes no sense. Why do people in the ruby ecosystem keep on repeating those pointless slogans?
The phrase has been weaponized in the past many times. Some figures in the community are almost as far from "nice" as possible, but you're not allowed to call that out, because "it's not nice".
> but you're not allowed to call that out, because "it's not nice".
I don't know about the Ruby community, but I've seen this sort of complaint made about many other online spaces (including HN) and my general finding is that it simply isn't true. The problem is that for a proper call-out, both form and content matter, and most people in a mindset to make call-outs don't seem very interested in norms surrounding either of those things. Especially the part where part of good form is accepting that not all kind, well-meaning people have the same moral values and calculus.
Try calling out Python's inner circle politely while they are openly rude to you. You do know that you also have to keep up the pretense of Kim Jong Un as a glorious and benevolent leader even if he imprisoned some of your relatives. This is a response to your generalization, I do not know anything about Ruby politics.
(I'm assuming this is a throwaway account from someone with some insight into the PSF, and not some random person who just happened to choose this subthread as an entry into participating in the HN community. If I'm wrong about that, I'd strongly urge you to reconsider your approach.)
> Try calling out Python's inner circle politely while they are openly rude to you.
...You do know who you're responding to, right? I have first-hand experience of that (https://zahlman.github.io/posts/2024/07/31/an-open-letter-to...). (Although I don't think most of their rudeness is intentional; it seems to come from a failure to understand that not everyone has the same social norms.) I spoke in generalities for a reason.
The current situation is ultimately mostly about callouts of DHH, which are happening all over the place (including here) and the form and substance of most of those callouts is... not good.
Is being nice equivalent to jumping off a bridge? I think it's relatively simple to comprehend and also harmless. The guy who built this thing is nice, let's try to continue that tradition so that our community doesn't turn to shit.
I don't think I've ever seen Matz be rude to anyone on the Ruby bug tracker. I've actually witnessed him deal with controversial topics firmly yet gracefully, making decisions that avoid turmoil in the community and that leave no room for escalation into flamewars. Other projects weren't so lucky.
I wrote some Ruby in my teenage years and his conduct certainly made an impression on me. I try to remember this guy whenever I get too angry about stuff. We should all try to be more like him.
That's what the phrase is saying, by the way. It's an encouragement to follow in his footsteps.
> Why would I proxy my own decisions based on any mindless slogan?
Exactly, why would you? But ignoring a hypothetical communal bridge jumping situation, do you have a problem with Matz having stewardship over RubyGems? Use your own thinking. If you're okay with it, then... is it because Matz is nice?
I know what you mean about mindless aspirational slogans. "No child left behind" is logically the same as "no child gets ahead". But trying to convince the Ruby community to be nice, by the example of their founder, isn't in that category. And if Matz told me to jump off of a bridge, he has enough stored up credibility that I'd at least consider it.
Not necessarily. Your logic only holds if you assume the "behind" refers to other children.
The statement is ambiguous. I interpret it as "no child left behind THE STANDARD FOR THEIR AGE". In that interpretation, other kids being ahead of that standard doesn't mean the other kids have to be behind the standard. Every kid could be not "left behind" the standard even if some are ahead of the standard.
Of course, NCLB has a lot of other issues, but I think the name isn't the issue.
It seems to me to be literal rather than obtuse to observe that it is necessary for some children to fall behind in order for others to get ahead. The slogan on its face is a wish for equality of outcome. But it's catchier than "no child failing to meet minimum standards".
I'm not convinced that yours is the only literal way to read it. The question of who exactly is doing the "leaving behind" is implicit, but it always sounded to me like it was the adults, not the other children. I don't think it's any less literal to interpret it as making sure some adults linger behind with the children who are behind rather than all of them running ahead with the children who go faster. The phrase isn't "no children are behind", which would be the literal representation of what you're saying; "left behind" is a bit ambiguous, and while I think you can make the case that the ambiguity is a problem, I don't think it's nearly as clear-cut as you're saying that there's only one literal way to read it.
In the long run, having multiple sources like gem.coop is probably a safer and more robust solution. But for RubyGems specifically, the trust was fully lost, through several layers - maintainers, community members, sponsors, etc. There are still open questions that probably need to be resolved like the funding and data privacy stuff, but I think most folks in ruby land will be supportive of this.
* DHH said some things on his blog that some people believe to be deeply racist / fascist (not going to unpack whether they were or not because answering that question is irrelevant to the fact pattern; consult other threads for that debate).
* A Ruby conference run by Ruby Central was asked to deplatform him. Since he's the creator of Rails, they declined.
* In response to their decision, a major sponsor (Sidekiq) pulled out of supporting the conference and Ruby Central in general, to the tune of $250k a year.
* This created a "blood in the water" situation where Shopify hit Ruby Central with an ultimatum: they would back-fill the lost sponsorship for oversight control of Ruby Central (and the gem repository they maintain, rubygems.org). And if Ruby Central didn't take the deal, Shopify was going to pull their funding also, leaving them in dire straits (this, BTW, is a fairly common corporate tactic when multiple partners share support of a service that doesn't independently generate revenue. Look for it in your own business, startup company, and nonprofit dealings!).
* Shopify now de-facto controls rubygems.org and people immediately started backing towards the exits because corporate takeover tends to be a harbinger of enshittification. As if to prove the point, Shopify's folks immediately ham-fisted the access controls, yanking several gem creators from the admin roles of the gems they created. They claim this was a mistake; several in the community do not want to give them a benefit of the doubt they are not believed to have earned.
* Community members are standing up gem.coop as an alternative gem repository.
This is missing an important part of the story that makes the Ruby Central side look relatively better, which is that one of the existing maintainers offered to help fill the funding gap in exchange for being allowed to monetize the server logs. https://rubycentral.org/news/rubygems-org-aws-root-access-ev...
Your addition also misses an important part where the only reason he was able to do that was because the servers were forcibly taken from the previous owners for the ostensible purpose of security, but the new regime forgot to change the passwords as part of that.
At this point, it's probable that any attempt to just list the pertinent events isn't going to end up being as neutral as one might hope because even the choice of what context to include or exclude is itself editorial. This is the same lesson people might learn in a high school history class, just applied to something much more recent.
That's not accurate; the monetization proposal happened before the revocation of permissions. The controversy about various accesses that may or may not have been unauthorized (depending on whose story you believe) came later.
Perfect neutrality is unachievable but that doesn't mean that every possible way of presenting the facts is equally valid, or even that it's impossible to distinguish presentations that are or aren't missing important context (see, e.g., the surprising success of Twitter's Community Notes).
Wait, you think the former maintainer breaking into Ruby Central's AWS account and changing its root password makes the former maintainers look better?
Arko kind of did address it in his most recent blog post. He claims he was doing what was in Ruby Central's best interest.
Unfortunately for him he basically admitted to a crime because it came after he was terminated. He tried appealing to community and whatnot but anyone who's ever worked for a corporation knows that once you're terminated, it doesn't matter if HR forgot to take away your credentials or not, you simply don't attempt to access anything ever again. Having keys to something doesn't make you the owner.
Unclear, but I think it might have been something like, find out (via reverse IP lookups) which big companies depend on which gems, and then use that information to market consulting services to those companies.
That description is not sinister. It's just marketing. An example of sinister would be to sell those logs to someone who could instigate a supply chain attack targeting some of those companies.
Yes it does. He's refuting that in this part of the post:
> When they finally did reply, they seem to have developed some sort of theory that I was interested in “access to PII”, which is entirely false. I have no interest in any PII, commercially or otherwise. As my private email published by Ruby Central demonstrates, my entire proposal was based solely on company-level information, with no information about individuals included in any way. Here’s their response, over three days later.
A very specific denial. "I didn't propose this specific type of monetization". Would be better if he followed up with "Yes, I proposed monetization, but what I had in mind was this more specific, benign form of monetization:"
I'm only going by the corporate narrative structure of the director's post, who clearly wants to throw someone under the bus and cover up organizational incompetence. "Open" source has become so despicable.
I can't comment on any authenticity. Others here apparently dispute Andre's version, who clearly says he was on call:
"As this situation occurred, I was the primary on-call. My contractual, paid responsibility to Ruby Central was to defend the RubyGems.org service against potential threats."
But Ruby Core is not the same thing as Ruby Central, apparently? This blog post says, "To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community." What, if anything, is the relationship between Ruby Core and gem.coop?
There is none. gem.coop is run by people who were previously involved with RubyGems and Bundler before they were ousted or resigned; AFAIK none of those people are part of Ruby Core.
This is not 100% correct though; I mean, your summary is good, don't get me wrong so I upvoted it. But it conflates a few issues that are not 100% related.
For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers. There may be some connection (DHH on shopify's board, tons of ruby developers being paid by shopify and still writing "my opinion is totally unbiased" like byroot did), but there is no 1:1 overlap. For instance, I could not care what DHH writes on his blog any less. rubygems.org changing policies though - that affects me. And if shopify is in part responsible, and DHH sits on shopify and makes decisions, then yes, something changed here. But there are also people who have a vendetta against DHH and they leak into other spaces too. I am not among those people and they shouldn't try to hijack other communities either.
By the way, the Shopify ultimatum also does not explain why all other ruby devs were ousted. Ruby Central lost the narrative here. And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so? (Because they know their case would be rubbish nonsense and they would have to open up ALL emails, which may make many more people suddenly ... very funky.)
It’s related because from the outside it looks like DHH is pulling strings to spitefully oust the folks who brought up concerns about his radical, hateful views. So you may not care what he has to say, but if he uses his influence to exclude folks who do care, and it causes you a problem, maybe it is related after all.
I'm sure it's a total coincidence that Shopify (on whose board DHH sits) coincidentally became an active participant on toppling the maintainers soon after they criticized DHH.
Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of, or in a misguided attempt to defend DHH's honor.
What you believe and what you can document are two separate things.
Per the concept of "innocent until proven guilty", there is no burden on Shopify to prove they didn't do what you believe. The burden is on you to provide evidence for the motivations behind their actions.
I personally doubt Tobi got Shopify to where it was by making rash decisions based on emotions and drama.
Not only does one have to do the right thing, one has to be seen doing the right thing, because actual malfeasance and the appearance of malfeasance are indistinguishable on the outside. Though I wouldn't be surprised if Tobi/Shopify doesn't care for what the little people think, so this rule-of-thumb may not apply.
Your second para is appeal to authority. A former CEO of mine (not a billionaire though, but a mere centimillionaire) was a drama magnet, thin-skinned, and a vengeful little shit.
> Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of, or in a misguided attempt to defend DHH's honor.
That’s just a way of saying “I don’t have any evidence of what I’m claiming”
I don't have any signal one way or the other on whether Shopify retaliated; the fact DHH is on their board I learned from this thread.
I have seen the "soft-hostile takeover" executed in other contexts, however. I don't think it's necessary to presume DHH used his influence as a Shopify board member to seal the deal or that he would have ulterior motive in doing so; in my experience, it's sufficient for a company to see a valuable piece of a puzzle they care about go vulnerable to acquisition offers to make the offer (with the corresponding stick). I'm willing to be convinced otherwise in either direction if more information presents itself; all I know is that Shopify put the offer on the table "We'll back-fill your funding gap or we'll make it much worse; your call." And I've seen that offer made in a completely capitalism-red-in-tooth-and-claw "business is business" way in the past.
* DHH is not only considered racist / fascist due to some blog posts, but also for making Hyprland the default DE in Omarchy, developed by someone who goes by the name Vaxry Vaxerski, who is also considered fascist and racist, and thus banned from contributing to freedesktop projects due to supposed breach of CoC:
* Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals, DHH's company, due to it being an important part of Omarchy.
* Due to the fact that both DHH and Vaxry are both considered fascist / racist, Framework and its CEO (yes, that Framework) are now considered to be supporters of fascism, because Framework is sponsoring and supporting both Omarchy and Hyprland.
* Cloudflare (yes, that Cloudflare) is considered to support fascism because they support Omarchy and the Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
* Last but not least, Tobi (Shopify CEO) and thus Shopify are also considered by many to be supporters of fascism when this drama started to unroll for standing by DHH no matter what when activists wanted to deplatform and ban DHH from his own creation (Ruby on Rails). Which makes the Ruby Central drama due to the involvement of Shopify even more interesting:
> I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.
The internet was never nice. It, however, did at one time require technical savvy to use. With that savvy came the understanding that computers and people aren't the same thing, so when the computer emitted something not nice you'd laugh at how quaint the technology was instead of getting your emotions all tied up in a knot and trying to hold a person accountable like those who have no idea about what's going on around them do.
It turns out "the words the person are saying aren't the person" turned out to be a polite fiction as people who had been saying awful things for years online turned out to go on to act on those ideas.
We tried "Don't feed the trolls." It's how we got where we are now.
People have always acted upon their (awful) ideas. In fact, the internet (DARPANET) itself was created as a tool to help combat exactly that. However, that is completely independent from what is emitted from a computer screen. To try to somehow bind them together is logically incoherent. Which technically-minded folks understand, but now that the technology has become so accessible that anyone can use it...
> However, that is completely independent from what is emitted from a computer screen
We may just be working under different definitions. Are you claiming that when I type things into, say, Hacker News and hit reply, the words you read aren't the words I wrote?
Or are you asserting the "person" of the words in the computer is not the same person I am behind the keyboard?
I'd argue that the latter is the disproven hypothesis. It turns out people who said awful things online were actually awful people; they may not show it as often in public, but they weren't different human beings. Broadly speaking, they believed the things they said and tended to act on them in real life.
Laughing off things on the computer as not real was how at least one shooting went unchecked.
> Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals
This methodology is definitely not how you discover fascism. But it is how fascists and communists defined and traced their enemies in the 20th century.
While I am all for making conscious choices on what to support I can't take anything phrased like that seriously "all its contributors".
Hyprland, while inferior (imo) in some aspects to sway on the wayland tiling manager landscape is a fine piece of software that I use on my non-work computer (I still use sway for stability).
Back on the topic: I reiterate I'd be happy to avoid using or supporting projects based on non-purely technical issues (discussion on "pure technicality" omitted for brevity).
It's just... What, do I need to know every person's imo completely irrelevant opinions on whatever du jour hot political topic? Maybe the answer could be yes,
I would be fine with dropping Hyprland support, maybe I will after digging a bit more. But this whole thing just reeks to me of terminally informed and ragebaited people looking for a platform to vomit their completely irrelevant opinions, actions speak more (e.g. fostering a dangerous environment _adjacent to the project_ based on discrimination).
I just feel I want to nope out of this industry and everything related to it, it's very overwhelming.
> What, do I need to know every person's imo completely irrelevant opinions on whatever du jour hot political topic?
No. But if they're using their social capital they've built via their software contributions (like DHH) to spread racist nonsense, then maybe it's worth considering alternatives, or at the very least, stop supporting those projects.
Sure, but I think there's a spectrum when making that decision:
"should keep their bullshit to themselves" <---> "should perhaps take leadership and avoid having their public channel a cesspool" <---> "actively encourages/participates in discriminatory practices" <---> "raging maniac hurting people, rallying for X"
Specifically on the topic of RubyGems:
I couldn't care less about what DHH posts or not, I certainly care that he uses his position to influence a chain of actors to interfere with something that always worked just because X.
I couldn't care less about the other side on the "cancel" mission, I care about influencing a chain of actors to interfere with something that always worked just because Y.
Please quarantine your political polarization/culture wars bullshit, non-anglo countries don't need it.
Turns out guilt by association is problematic whether it’s a Gestapo tactic or a terminally online one.
People need to step back and breathe. It’s possible to feel one thing about a (frankly shite) blog post and its author without tarring everybody within six degrees of separation with the same brush, and it’s quite unsettling that people find such nuance so difficult.
I know vaxry made/allowed childish & offensive comments about trans folks, but has this gotten worse? Why is he considered a full on fascist now?
> Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
Do you mean awesomekling? Why is he considered a fascist?
There are definitely actual fascists in tech (like Curtis Yarvin) which I (centrist liberal, not a tankie) fully support deplatforming where possible, but why are they considered fascists?
And there are tons more posts that show that some people are not exactly nice towards him on his X timeline.
Also there's direct proof of these accusations out there but I will not link to those out of professional courtesy for those involved (yes, some people still have that).
I was on his side for the first link because I don't like people who have not contributed making PRs to change inoffensive wording either, but it's unfortunate and disappointing to see him defending people like Kirk or dhh.
It should also be noted Lunduke is also not neutral and has his own political agenda.
I think we have to wait and see how much momentum gem.coop can build. Right now they have promised "things for the future"; they will most likely also deliver eventually. But right now they are not there.
If and when they open beta, though, I'll begin to republish my old gems (not all, some I merged into other gems but most of the core stuff will be back) there. They have some things they should improve on though - documentation (also a problem that ruby doc was separate by the way), namespacing (this is in part also a problem that ruby had no primary way of namespacing; this is also a feature, but it should have a way to separate concerns when possible or wanted).
Anyway, I think we'll soon see what happens - I say people should evaluate again in about half a year or so, say like ... end of May 2026. I think this would be a more realistic time frame.
I do, however, also suspect that DHH may become the biggest asset to gem.coop - every further snide remark he makes on his blog will gain new people who are upset, and some of those will eventually help contribute and benefit gem.coop. So for the end user this may be a win-win situation since they can install things how they like it, thus having more flexibility. Many can and will stay with rubygems.org, others may prefer gem.coop, many others will probably use and combine both (this may be a bit more difficult; guess gem.coop needs to think of a way to specify different gem sources on a per-gem basis too. Lots of work to be had for certain).
Even if you're not an old-timer and don't remember what Ruby Together was like, the AWS root password changing shenanigans, presumably done by Arko, is enough of a red flag that nothing he's associated with has any credibility.
No serious business with real (business) customers will accept that kind of risk and gem.coop will never be a thing outside of hobbyists.
I agree with busterarm's take. Andre Arko's story omits specific concerns like ssh'ing into Rubygems in Japan 9 days after the debacle. Further, his narrative excludes his termination email and instead focuses on generic platitudes his boss sent the group, to somehow prove Andre didn't know he was fired.
All in all, I don't see sound judgement from Andre Arko or from RubyCentral. That seems the common takeaway from neutral third parties https://archive.md/SEzoV
> Regarding Arko’s blog post about his removal, McQuaid [Homebrew Maintainer] told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”
No, it won't because I can read the timelines and see what he's omitting.
He logged in and changed the password after the board emailed him and told him his services were terminated. That includes/specifically mentions his on-call services. His response claims only silence from the board and that he was just performing his on-call duties.
I've been a corporate stooge for 25 years or so now. On call duties are one of my main responsibilities. I would NEVER probe out which logins I still have access to after receiving notice of termination. He admits to doing this in multiple places.
All his justifications are that he was under contract to do work that he was already notified was terminated. Everything that follows either tells me that he has bad judgment, that he's lying (by omissions), or in the worst case totally delusional.
If he was so worried about operational takeover, why did he _change a password_ without notifying anyone else with operational capabilities that he was doing so? Nobody reasonable would _ever_ do that. There's a certain amount of upfront communication and CYA required of reasonable actors in this space and he doesn't have it (Not that Ruby Central did any better).
So no, I won't be changing my mind, and I don't know why you put "(again)" in there.
Notice how this was taking over a GitHub repository from an entire team of maintainers, through deceit; and now we are all a few weeks in and you have seemingly accepted the narrative that this one bad apple now justifies every action taken before and since, with no questions answered, with a wave of inconsistencies (it's about the money/no, the treasurer is wrong it's not about the money!), etc.
No, it's not. I haven't weighed in on that at all in this thread. This thread is very specifically about Andre Arko's credibility and the credibility of projects that associate with him.
Regardless of what Ruby Central did, his own actions warrant every bit of criticism he's getting. Stop trying to redirect the narrative. There are other threads where that discussion is happening.
You can view Ruby Central as being in the wrong all you want and I won't argue with you, but that doesn't mean Arko is not-wrong as well. It's not zero-sum.
Arko explained why he changed the password; I agree that he should have communicated the change. Now, does that justify the hostile takeover of the projects? C'mon... folks, there was a hostile takeover of two projects. Will we, as a community, ignore that?
I don't understand how Matz accepted this as-is. Taking over these projects without addressing the takeover makes them toxic assets that will taint the Ruby community for a long, long time.
I can't believe that long gone maintainers still had root access, or any access at all to the core platform. It has been wild to see ruby community members getting upset with modern and established security norms, for a platform that runs a lot of the web. It's not 2006 anymore, and we aren't just running random curl commands off the net to get rails installed. Scary to think how naive the backlash has been. Having an unmaintained security posture that is inherently insecure, just blows my mind. That supply chain was wide open to attacks, may still be, but at least someone tried to bring security up to this decade.
This is just the tooling though, not "rubygems.org" which is still owned by a hostile entity (depending on where you sit on this), so not sure how this would restore any trust?
As a co-author of RubyGems and one of the original Board members of Ruby Central, they are not a hostile entity. They are the entity that we gave stewardship of RubyGems and we/they have hosted it for its entire existence.
I disagree. The actions are orthogonal to your claim - they eliminated everyone else from there. How is that not hostile? Duckinator has been 100% right here.
> we gave stewardship of RubyGems
I didn't sign anything.
I also remember the original creators of rubygems. How old is Ruby Central? 10 years? 15 years? There were several years before that.
Ruby Central started in 2001. I was one of the early Board members, along with Chad Fowler and David Alan Black. We put on every Ruby conference until Ruby became more popular to support multiple conferences. We started coding RubyGems (although the name originated in 2001 at the first RubyConf in Florida) in 2003 at the RubyConf in Austin TX. We sat around a table the first night with a CVS repo on a USB drive and passed it around and committed code until we had a functioning gem command. I demoed it in my talk the next day with the first "gem install". Gem versioning, gemspec, gem command, gem server were all built that first night. Obviously tons of changes since then!
That really doesn't matter. I think what happened could be described as "hostility" towards the community, that's what my impression was, it was appearing like a hostile takeover of the github repositories/organization with no discussion, no community involvement, no transparency. Obviously not everybody will agree especially not people working at Ruby Central.
Apparently so. That shouldn't be a surprise; Amazon Web Services turned out to be hostile to WikiLeaks, CDDB's hosting turned out to be hostile to the community that built CDDB, coal mining company towns were hostile to miners' unions, and, in the final analysis, turkey farmers are hostile to the turkeys.
Imagine if you opened up your laptop to discover Microsoft Windows has locked you out of your entire machine, because you were writing a novel in RTF and it could be opened in Microsoft Word. Microsoft's executives started posting they "took control of your machine/the novel to maintain security".
- Corporate entity doesn't have copyright over your creative output. Just because Word can open and view ("run") your novel does not give them ownership.
- Locking your access completely on your resources would be akin to a ransomware attack or account compromise
Would you label those actions hostile? Or just accept it as right because "maintain security"?
If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?
This is a bad analogy. André Arko was a contractor employed by Ruby Central. His employer terminated his contract. He continued to access their server which is literally a crime.
The "maintainers" weren't volunteers. They were paid employees.
Also none of the ones complaining were the original authors of gem nor bundler.
> As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems.
It took less than two weeks from this statement for them to put out an incident report from them forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.
Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.
The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.
But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.
Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...
Genuine question: how do you take something which you have already been paying for?
They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that, it was extremely childish behaviour.
> They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager
Inaccurate:
> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.
> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.
They keep on using buzzwords. These Ruby central guys never maintained a single gem used by many people in their life. I have no idea what they are writing, but it feels as if AI is writing their statements. Even then it is of such a poor, repetitive quality that even AI may just accidentally write better "summaries". People lost all trust in Ruby Central - there is no way for them to win back trust here.
IMO it would be better to start from a clean slate; dissolve Ruby Central and bring back the community with a new policy, rules - but that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").
AFAIK many of the people who were on board to help start gem.coop have stepped back after the recent controversies with Andre Arko; at this point I don't think it will ever be anything more than a RubyGems mirror.
Really appreciate Matz stepping up to take on this difficult situation.
As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
Stepping up how? It was always clear that Hiroshi Shibata didn't act solo without approval. I am not saying he knew the outcome before that, but WHEN was the decision made to take over gems + bundler? I have a slight suspicion that this may have been decided upon months ago already.
> As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
I am actually much more worried now. I don't live in the USA; I don't live in Japan. To me it seems as if Japan and the USA are totally over-dominating in the ruby ecosystem. While this is understandable that it is Japan (local community, I get it, this is different to english-speaking ones), I am absolutely upset that the USA has so much proxy-influence here. But I guess there is nothing that can be done. I guess in Python the USA also over-dominates. I just think this sucks really.
Yes. At least Ruby was always strongly Japanese though. In Python European and Asian developers are overtly exploited, with U.S. corporations and their employed stooges holding the reins of power.
I'm considering switching to Erlang, which was developed at a corporation from the start and appears to be drama and cancel free.
American salaries are typically wildly higher, both on the low end and on the high end. It's often remote work. There are more jobs and more variety of jobs, on an absolute scale, than any particular locality. There may be more of a job ladder, and less stigma to wanting to climb it. There are some other cultural aspects as well.
I would love to see such options become available in Europe (insofar as additional options existing, not taking away the ones that already exist). But that would require some extremely successful European companies working to change it.
My comment was unclear. I am American. I think I am familiar with these differences. You seem to agree with me that in light of these aspects, referring then to American company employees as stooges is exaggerated. Regarding Asia of course it's a different topic, and I am unfamiliar with it. Obviously some American companies are bad but I just question the comment I responded to, that's all. And I don't understand "stigma to climbing it." Depending on the country, of course, but I didn't think there was stigma. Europeans compete for prestige like the rest of us. Don't they? Some do, some don't, of course.
Different money and different attitudes.
Trying to get paid more than your peers if you're appropriately skilled isn't social kryptonite here in the states.
This is only a win for Ruby Central. They haven't conceded anything and they've convinced Ruby Core to endorse them as the correct and true maintainers of RubyGems.
> While repository ownership has moved, Ruby Central will continue to share management and governance responsibilities for RubyGems and Bundler in close collaboration with the Ruby core team.
Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.
So Ruby Central transfers "ownership" of Bundler to Ruby Core. Ruby Central gets to continue to maintain Bundler, and Ruby Core is stuck with the liability. If Andre wants to enforce his trademark, he now has to sue Japan-based Ruby Core and risk the bad optics of that.
I think there are a gazillion questions left. But, I also agree that the future will tell, e. g. we'll have to see how popular gem.coop will become (if they become popular). And I also, despite my disagreements, think that it may have been better to solve installations of ruby projects from the get go, e. g. Rust + cargo. But I also see this as separate from a service such as rubygems.org (or whoever provides any infrastructure). The question of who develops functionality can be separate, I have no strong preference here. And, I also agree that having both bin/gem and bin/bundle is not good. There should be a unified API (or two - a simple one maintained by ruby core, and then people can build extra functionality into their own variants).
What I liked about bin/gem was its simplicity. Bundler brought a few new things or easier things to the table. "gem" should make it much easier to use any source though, including gem.coop.
I spend most of my time writing go (among other languages).
Candidly its decentralized nature when it comes to "packages" is one of its strengths. It does have downsides, and yes GitHub could be at issue at some point.
After this, after NPM compromises (left-pad and more recently the supply chain attacks), why we aren't seeing more community driven changes around decentralization and venturing is beyond me.
It also seems like rubygems.org could simply fork the rubygems code, perform whatever 'security and governance' changes they believed were needed in their fork, and run with that?
Isn't that the open source way of handling disagreements in direction?
No, no, no, this isn't the open source way at all! I can't believe you aren't getting it still!
Because I once installed your project, I need to:
- Take over all of the accounts/access you AND all of your friends/co-maintainers used in connection with it
- Tell you it was a mistake, give back access temporarily
- Do it again!
- Have one of my board members who happens to be the treasurer say it was about the $
- Make a straight to camera YouTube post Addressing The Concerns
- Make a first "continuing our series of transparency" blog post a week later, where I use a dense corporate laden dialect to claim it was for the betterment of all mankind and definitely not about the $; because I need you to understand Where We Are Now; What This Is and What This Isn't.
- Open a Google forms question submission box.
- Smear your reputation, because you had an idea once about tracking which packages go to which companies; so I'll insinuate that you want to read everyone's mail and snoop through their undergarments drawer. What's that? My actions affected much more than just you? Quiet now, we're reshaping the narrative to smear you.
- Answer no questions, explaining that we chose to give you a regular series of Friday updates; but also We Want to Move On from the back and forth but also in that same publication have another go at the smear, because it partially worked.
- Donate the project to my state library, to take some of the heat off of me
Isn't that so much easier than typing "git clone" and "git remote add"?
(I am consistently flummoxed that a handful of people here are buying this narrative; instead of as you point out... Just applying a smidgeon of critical analysis about the usage of tools that the majority of us must use day to day and coming to the conclusion you do.
Instead of doing this or accepting this conclusion, there's a frothy passion it seems for Appeal to Authority/Argument from Authority where any excuse, flaw, etc on the part of the maintainers is used to justify the whole chain of events.
It seems like it hits 5-7 facts and people can no longer manage them in short term memory, go and look at more than what is presented to them by a single party, etc; so they just default to the easiest mental shortcut.
For some reason I keep falling into the trap that "people are more educated, capable of critical thinking, and have easier access to data than ever before in history"; which I rationally know is not true)
As best I've been able to understand it, a dislike of DHH led to the opportunity for those with a dislike of André to do all the stuff under discussion. I doubt we'll ever know the whole story, but in the absence of any of the additional context that some people claim exists (but haven't made public), this seems to be the most coherent explanation for what happened.
Why is there (seemingly) no public offer to former maintainers to rejoin, or acknowledgement of wrongdoing having been done as part of this? It's practically zero cost to do that; as the Ruby core team is (largely) not the party that inflicted harm.
Politeness? Conspiracy to have done this all along? Cultural differences around public vs private opinions? Something else?
What would we think if this wasn't a software project but a hijacked community bus, being passed from party to party, pretending nothing is untoward about the whole situation while the passengers are still aboard? "Oh good, the new bus drivers are politely accepting the keys from the hijackers; all is well!"?
Unless there is some yet-unnamed party with enough credibility and enough money to do a proper takeover from Ruby Central, this was always the inevitable way forward.
In my 17ish-year involvement with Ruby, I can't think of one.
See especially Mike McQuaid's summaries. He did a bunch of mediation and comms work to make the situation digestible to outsiders. Check his recent posts (at time of writing) on https://bsky.app/profile/mikemcquaid.com
Changed hands a couple times with “unclear” transition details at best. How it came about wasn’t all that transparent.
Tensions within the community were heightened because its loudest voice and most recognizable figurehead has opinions that aren’t all that popular and he made them loud and clear as he’s a loud thinker.
Does that mean RubyCentral or anyone associated with them no longer have admin access to RubyGems GitHub organization? Watching the debacle unfold made me much less trusting of their "stewardship".
It's good to hear Ruby core team took the ownership. Thank you Matz.
seems to me they can happily go back to contributing to the tools, and at the same time ignore the fact that rubygems.org exists, by running gem.coop or whatever else.
Other than personal preference, are there any features that make Ruby worth considering for new apps? As a user, my experience with gems hasn't been great. I don't know any Ruby, I'm just asking out of curiosity.
Ruby by itself is still a pretty decent scripting language. I still think Rake is highly underrated as a command runner.
Rails is still a good web framework within its limits. If you want to build a small, modest complexity web app with like 1 or 2 developers and under maybe 6 months of active development, modest traffic needs, etc, it's a good way to get everything up and running fast with best-practices for everything.
The lack of types may start to pinch some once you get an order of magnitude more developer-months into the app than that. Lack of overall speed, threading issues, and memory usage may be an issue once you get a few orders of magnitude more traffic. But while you're within those limits, I think you'll get features out on it faster than any other language or framework.
As they say, a lot more startups have died due to not being able to iterate fast enough in the early stages than from their traffic capacity, hosting efficiency, and bug count once they get into serious growth.
I’ve been writing Ruby professionally for over a decade and while the writing has been on the wall for almost the entire time, it’s more certain than ever that Ruby is on its last legs.
Big legacy companies who have invested heavily into Ruby cannot switch but every shop I’ve been at often started new services in non-Ruby (mostly Go but have seen plenty of Node/TS as well or Rust for that matter).
If I were to start a new app Ruby would be far from my first choice and the biggest reason are types. After being in the weeds of big Rails apps while also working with Go/Ts/typed Python, Ruby seems very fragile in big codebases. Sorbet is also not enough.
I've used Ruby off and on since the hype train started with DHH's early videos showing how easily you can make a blog in Rails. Oof, that was published 20 years ago! I wouldn't use it for anything beyond simple shell scripts these days. You're better off with Go for back-end work.
The key question here is how exactly the supply chain attacks will be prevented. If you consider the release of a new version of a library some sort of transaction, it's easy to see the difference from cryptocurrencies: in crypto a transaction can be automatically verified, but with software releases it is impossible. It is hard to imagine hundreds of hostings on the same very high trust level, so either risks become significant or there are several, but not many, hostings which everyone can trust. If the number of hostings << the number of users, then it's not truly decentralized, and there still exists a different risk, when there's some sort of political split between some of them. Summarizing all of that, I don't know if decentralization is a solution at all. Transparent community ownership over a centralized solution is much better.
The supply chain attack is not the only argument here, though.
For instance, who effectively controls the ruby ecosystem? See ad-hoc restrictions such as 100.000 downloads - past that point you are disowned from your own gem. I always felt that was a direct attack on independent developers. They could have forked those gems just fine (the licence permits this for most gems after all), but nope, they forbid you to remove your own (!!!) code.
If it’s PKI and there’s verification on each stage, maybe. Just different sort of centralization. If keys are self-issued, it’s still a problem. Say, you add a new dependency from a repository XXX. A new version is released signed by another key, which appears to be legitimate. What are you going to do? Run full KYC on new credentials? Distrust the new dependency version and fork the library? Just ignore assuming that repo has verified it?
With central repo you may expect that they operate under increasingly stronger security standards and even if you missed malicious update, there’s higher chance that it was taken down by someone else. In decentralized environment your risks are higher and attention surface bigger.
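The comment above asks what a consumer should do when a new version of a dependency arrives signed by a different key than before. One concrete answer, shown here as an added example that is not code from RubyGems, Bundler or any registry, is trust-on-first-use key pinning per package, where the only accepted way for a package's key to change is a rotation statement signed by the previously pinned key. Everything below (the `Release` record, the payload formats, the package name `example-gem`, the RSA keys and the artifact bytes) is constructed for the demonstration; a real registry would carry signatures in its own metadata format.

```ruby
require "openssl"
require "digest"

# Added example, not code from any package registry. A hypothetical signed
# release: name, version, artifact bytes, the signer's public key (PEM), a
# signature over (name, version, sha256(artifact)) and an optional rotation
# statement in which the previous key vouches for the new one.
Release = Struct.new(:name, :version, :artifact, :pub_pem, :signature, :rotation,
                     keyword_init: true)

def release_payload(name, version, artifact)
  "release\n#{name}\n#{version}\n#{Digest::SHA256.hexdigest(artifact)}"
end

def rotation_payload(name, new_pub_pem)
  "rotate\n#{name}\n#{Digest::SHA256.hexdigest(new_pub_pem)}"
end

def sign_release(key, name, version, artifact)
  key.sign("SHA256", release_payload(name, version, artifact))
end

# Rotation statement: the old key signs a commitment to the new public key.
def sign_rotation(old_key, name, new_pub_pem)
  { new_pub_pem: new_pub_pem,
    signature: old_key.sign("SHA256", rotation_payload(name, new_pub_pem)) }
end

def valid_sig?(pub_pem, sig, payload)
  OpenSSL::PKey::RSA.new(pub_pem).verify("SHA256", sig, payload)
end

# pins: { package name => public key PEM currently trusted for that package }.
# Returns a decision symbol and updates pins only on :pinned or :rotated.
def check_release(pins, rel)
  payload = release_payload(rel.name, rel.version, rel.artifact)
  return :bad_signature unless valid_sig?(rel.pub_pem, rel.signature, payload)

  pinned = pins[rel.name]
  if pinned.nil?
    pins[rel.name] = rel.pub_pem   # trust on first use: first release pins the key
    return :pinned
  end
  return :ok if pinned == rel.pub_pem

  rot = rel.rotation
  if rot && rot[:new_pub_pem] == rel.pub_pem &&
     valid_sig?(pinned, rot[:signature], rotation_payload(rel.name, rel.pub_pem))
    pins[rel.name] = rel.pub_pem   # the pinned key vouched for the new key
    return :rotated
  end
  :key_changed                     # unannounced key change: refuse, do not install
end

# Constructed scenario: a first release, an attacker's release under a
# foreign key, a legitimate rotation, and a tampered artifact.
def demo
  pins = {}
  k1, k2, attacker = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  pub1, pub2, pub_att = [k1, k2, attacker].map { |k| k.public_key.to_pem }
  name = "example-gem"

  r1 = Release.new(name: name, version: "1.0.0", artifact: "v1 bytes", pub_pem: pub1,
                   signature: sign_release(k1, name, "1.0.0", "v1 bytes"))
  r2 = Release.new(name: name, version: "1.0.1", artifact: "evil", pub_pem: pub_att,
                   signature: sign_release(attacker, name, "1.0.1", "evil"))
  r3 = Release.new(name: name, version: "1.1.0", artifact: "v1.1 bytes", pub_pem: pub2,
                   signature: sign_release(k2, name, "1.1.0", "v1.1 bytes"),
                   rotation: sign_rotation(k1, name, pub2))
  r4 = Release.new(name: name, version: "1.1.0", artifact: "tampered", pub_pem: pub2,
                   signature: r3.signature)
  [r1, r2, r3, r4].map { |r| check_release(pins, r) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the design is that "a new key that appears to be legitimate" is never enough on its own: without a statement from the key the consumer already trusts, the release is rejected, and the decision is the consumer's rather than the hosting's. The pin store would normally be committed alongside the lockfile so that every developer and CI run applies the same continuity check.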
> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries
So, packages there too would simplify.
Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency:
https://news.ycombinator.com/item?id=45354568
> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]
> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.
Go, for some values of "distributed". The vast majority of go packages are hosted on GitHub, but nothing stops anyone from hosting elsewhere and Go has explicit support for indirection such that anyone can use a vanity domain that happens to point at GitHub or wherever.
Go packages have the source baked into the package name. It would be like needing to say `require "github.com/sparklemotion/nokogiri"` rather than what we do today, `require "nokogiri"` and then if you want to change the source wrapping `gem "nokogiri"` in an alternate `source` block.
Go's one weakness is that the package source is baked into the package data in a not-automatically-fungible way. And if pkg.go.dev ever becomes a threat vector, we're gonna have a bad time.
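When a Gemfile starts mixing the default source with alternate `source` blocks or a mirror, the resolved origin of every gem is what ends up in `Gemfile.lock`, and that is the place to check it. The following is an added example, not Bundler's own code: it walks a lockfile, records which remote each resolved gem came from, and reports gems that are not on an allow list of remotes as well as gems that resolve from more than one remote at once. The `LOCKFILE` text, the git URL, the mirror hostname and the gem `internal-auth` are constructed for the demonstration.

```ruby
# Added example, not Bundler's own code: audit the sources recorded in a
# Gemfile.lock against an allow list of remotes.

SPEC_RE = /\A {4}(\S+) \(([^)]+)\)/   # "    name (version[-platform])"

# Returns one entry per resolved spec: name, version, section type
# (GEM/GIT/PATH) and the remote it was resolved from (trailing "/" removed).
def parse_lockfile(text)
  entries = []
  section = nil
  remote = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                   # unindented line: section header
      section = line
      remote = nil
      next
    end
    next unless %w[GEM GIT PATH].include?(section)
    if (m = line.match(/\A {2}remote: (.+)\z/))
      remote = m[1].sub(%r{/+\z}, "")
    elsif (m = line.match(SPEC_RE))     # 4-space indent: a resolved spec
      entries << { name: m[1], version: m[2], type: section, remote: remote }
    end                                 # 6-space lines are a spec's own deps; skip
  end
  entries
end

# allowed: GEM remotes you trust. GIT and PATH sources are always reported,
# as is any gem name that resolves from more than one remote.
def audit_sources(text, allowed)
  allowed = allowed.map { |a| a.sub(%r{/+\z}, "") }
  entries = parse_lockfile(text)
  flagged = entries.reject { |e| e[:type] == "GEM" && allowed.include?(e[:remote]) }
  multi = entries.group_by { |e| e[:name] }
                 .select { |_, es| es.map { |e| e[:remote] }.uniq.size > 1 }
                 .keys
  { flagged: flagged, multi_source: multi, total: entries.size }
end

# Constructed lockfile: a git dependency, the default remote, and a second
# remote that also serves "rake".
LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/example/internal-auth.git
    revision: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
    specs:
      internal-auth (0.3.1)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rake (13.1.0)

  GEM
    remote: https://mirror.example.internal/
    specs:
      rake (13.1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    internal-auth!
    nokogiri
    rake

  BUNDLED WITH
     2.5.6
LOCK

def demo
  audit_sources(LOCKFILE, ["https://rubygems.org"])
end

if $PROGRAM_NAME == __FILE__
  r = demo
  r[:flagged].each { |e| puts "#{e[:type]} #{e[:name]} #{e[:version]} from #{e[:remote]}" }
  puts "multi-source: #{r[:multi_source].join(', ')}" unless r[:multi_source].empty?
end
```

Run against the constructed lockfile, the git dependency and the `rake` served by the second remote are reported, and `rake` is also listed as multi-source, which is the situation to look at first when a mirror or alternate `source` block is introduced. In CI the same check can fail the build when `flagged` is non-empty.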
dselect solved this ages ago with its mirrors, but at some point it seems every major package manager decided that was unnecessary complexity ("why bother? It's not like a package repo just goes down") and left it out when they built their alternatives.
So, from time to time, when a domain in the Internet goes sour it's a huge problem (whereas were a Debian mirror to go sour I'd add like one line to a config file and never notice the issue again, assuming dpkg doesn't automatically identify the problem and route around it).
Nowadays there are, as vcpkg and conan step by step win the hearts of the C and C++ communities, and then there are the distro-specific ones, if someone is happy enough with rpm/deb + pkg-config.
However I would say all ecosystems have issues, regardless of the approach, because 99% of the developers have no clue on what they depend on, and there are plenty of ways to mess up with ecosystem.
Not that defaults don't matter, just offering the extra detail. And, as the post goes on to explain, this change seems to cause its own set of dependency issues.
Sadly yes. They probably have no other choice, because what else would they do with their time? Do the unthinkable and create gems other people would use? That would be too much work.
As someone who spent a bunch of time talking before and after this all went down with current and past RubyGems maintainers, RubyCentral employees, Gem.coop maintainers and Ruby Core folks: this seems like the best outcome that was actually attainable.
I've been working on Homebrew for 16 years and leading it for some proportion of that and this all "smells" like a more sustainable long-term solution than anything we've seen happen in the last year. Some proposals sounded nicer but were not going to be acceptable to one or more sides.
Ruby already provides a vendored version of RubyGems and (more recently) Bundler so this seems appropriate. It also separates the "running a web service" which has guaranteed hosting costs, requires on-call, etc. from "running an open source CLI/library" which has no guaranteed costs.
It will be interesting to see what the Gem.coop folks do now (disclaimer: I helped them with their governance process). If there's some competition for rubygems.org as a server implementation that feels like a good thing for the community overall.
Thank you for your work in this arena and trying to add clarity. As a business owner and longtime rubyist, I'm very happy Ruby Core is taking stewardship here and that maybe we can put this tempest in a teapot behind us.
This is a fascinating and seemingly unusual development that will look obvious in history.
I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!
This stuff is PHD material for sociology and polisci post-grads and I’m so interested in following the progression of history with these types of things.
I don't think BDFLs are a problem. Nobody questioned, say, guido design of python or matz' design of ruby as such. The issue here is primarily about who controls the ruby ecosystem. Interestingly python also had a somewhat similar discussion in the past; you can see this indirectly if you look at pypi:
I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks. That's probably dependent on their leadership style - the hard headed (Linus, DHH) vs the grandfatherly (Matz, Van Rossum).
Which, going back to your note on geopolitics, leads me to wonder: Is it just that more power corrupts more, or is it that (modern-day definitions of) democracy require a desire for power? I guess as the "FL" part of "BDFL" comes to bite more of the communities, we'll see better how different succession styles have different effects. I also wonder if the analytical nature of the individuals within the "populations", and inability to police defectors will mean uprisings will be more successful, either in causing BDFL attitude adjustments, or just overturning the community completely (for example, there's already a lot of momentum for a complete fork of Rails)
(Edit: having submitted this, I now see others have had very similar thoughts! Definitely an excellent conversation topic)
> I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks.
I think a lot of this is due to how so much is a scandal these days, for better and worse. (I'm obviously going to keep politics as much out of my response as possible.)
A few decades ago, people could have political views without ostracizing roughly 50% of the global population, or generally causing a ruckus at the holiday family dinner. (Obviously politics + holiday dinners has been an issue for a long time, but back then it was just something people tried to sweep under the rug. Now? Holiday dinners are getting cancelled or families are splitting up.)
It used to be that a scandal in the OSS community required you killing your wife (thinking back to ReiserFS). Now, a remark on Twitter is all it takes.
Again, I am absolutely not taking sides here. I'm just noticing a difference in the times, and agreeing that it is indeed interesting to watch.
No, I agree. That said, I think a lot of that particular shift is down to a) increased individualism b) an emphasis on the healing power of personal boundaries and c) the rejection of unity as an overriding good.
People are far more happy to cling to the tribe they choose, and the tribe that has their back, over the tribe they were born to. Then, there are those who see that trend as dangerous to society (where, in many cases, society is really just a proxy for their own power or social status - ironically as viewed through their own chosen tribes more than the tribe they were born to)
That is to say, I don't think it's the political views that are splitting the families. Individuals have decided that care for each other should come secondary to those political views. I feel like there used to be a certain amount of care in the "sweeping under the rug" - it was the tribe against the world, it was protecting the family image as much as it was protecting the individual from society. These days, being a thing "in private" means being a thing alone, and that's no longer a compelling thought when external tribes are willing to embrace you.
Which probably applies to software tribes just as much as family ones.
>A few decades ago, people could have political views without ostracizing roughly 50% of the global population
This is ahistorical.
Not only was it the norm forever to ostracize entire sections of your society (protestant vs catholic and lots of other religions, black vs white, any form of non-hetero behavior, the Roma people and any form of outsider)
It often was the law
Americans shot their family members over whether we should own black people or not.
My french and white ancestors were expelled to Louisiana, intermarried with black people, and then when the US bought the french land, they introduced laws that made such families illegal.
Reagan made a hobby of publicly claiming his coworkers were communist. Thought that maybe we should be allowed to form unions? 100 years ago that was enough to get you investigated by the Senate. Americans voted for him so hard the Democratic party is still floundering to have support. "We should allow unions" or "we should regulate companies" is still half-verboten.
Do you know how many kids are still kicked out of their homes for the crime of being born gay?
This idea of "You used to be able to hold diverse opinions in public" is outright wrong. This past never existed.
Weird Christians in the US have tried to cancel things like Harry Potter and Halloween, for God's sake. They took a teacher to trial for teaching evolution. They made playing pen and paper RPGs a sin! When preachers molested kids, they shunned the kids.
Being too chummy with another guy in public was a scandal! Being a woman who wanted an education was a scandal! Getting pregnant out of wedlock was a scandal that would tear apart families. Getting divorced was verboten. Expressing support for social policy could get you fired, or murdered.
Bush Jr literally said "You're either with us or against us" about supporting a criminal war and America pitched a globally public fit when other countries did not pledge allegiance.
> I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!
The difference is that with an open source licence, the community can just fork the project (assuming they have enough developers), so the BDFL must master the art of herding cats.
A country has clear physical borders and tanks, and people can't fork them and ignore the old power structure.
I think you're absolutely right. We are starting to reach the age where a combination of large cooperative non-corporate tech projects and the Internet (that, partially at least, enabled them) are putting us in a place where the actual mortality of project owners matters. The "L" in BDFL is a finite constraint.
I think there's going to be an interesting and complicated churn as several major projects under the BDFL model have their Ds succeed at passing the torch, struggle to pass the torch, struggle to realize the torch needs to be passed, or take the torch and do their best to burn the whole project down so it can't outlive them.
Well - I'd actually argue that it would be better and simpler if there would be just one binary. How it is called is IMO secondary. It would be better if the whole API would be unified. Bundler came later though.
At the same time, I would like more information around how the Gem supply chain will be handled, particularly how Rubygems and Bundler will be protected against supply chain attacks, which are becoming endemic.
rubygems.org will still be operated by Ruby Central, though, so you still have to trust them. Given the state of affairs, this is less than ideal, but it’s probably a better outcome than nothing changing.
Alive and well. I write Ruby every day and enjoy doing so. It's the only thing that consistently got better for me in the last 10+ years without losing its simplicity and joy. Ruby is truly a programmer's best friend.
Oh no, looks like you're one of today's (unlucky) 10000[0]. (For context I only heard about all this recently).
For the DHH thing he wrote a recent blog post where he said he wants fewer non-white people in London and praises an English far-right fascist figure (Tommy Robinson)[1].
Not really sure about the Shopify stuff. I've heard people aren't too fond of Tobi (the C.E.O. I think), and he's buddies with DHH, but it could just be general distrust of a big company trying to exert control of an open source project (through Ruby Central).
This isn't true according to this article: https://www.404media.co/how-ruby-went-off-the-rails/. Joel has a terrible habit of not citing his sources so I'm not sure if the post in question is the same but this seems to nullify that argument. TBF I do think there was pressure from Shopify to get compliance and security in order but saying "Shopify demanded that Ruby Central take full control of the RubyGems" is just plain not true.
The rubygems treasurer who is on the board said funding was conditional on doing this[0][1].
One interesting thing is that Ruby Central then said "Board decisions are independent and not contingent on funding."[2].
Doesn't inspire a lot of trust when there is a statement from a board member saying "we did this because of funding".
I'm more inclined to believe Joel's account.
[0] A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
Ruby Central is making legal threats to its critics, so I hope you can see why people don’t feel safe to come forward on the record.
I can tell you that two people with direct knowledge of the situation told me that Shopify demanded that Ruby Central take full control of the RubyGems GitHub organisation and packages.
You can believe that I am lying if you want. But I can’t directly cite my sources in this case.
I never said you were lying. I said the quote that person pulled from your article isn't true. IIRC your article came out before the one I linked came out.
this is good and I hope this puts a lot of the drama in the rearview mirror. younger developers coming across Ruby must be like "wtf" about this situation. very peculiar to have these projects so politicised and I say that to the people that "try and keep politics out" (DHH) more than anyone. making your politics known and then being like "but you're not allowed to have an opinion on it" isn't cute or clever. it's childish and everyone everywhere deserves to be treated with more respect than that.
But how does this solve anything? People will still not trust Ruby Central. And rubygems.org is under control by Ruby Central, even IF ruby core tries to jump in to the rescue.
He's also in a bit of a unique situation because his public political profile was essentially forced.
- Politics at work were becoming a huge problem at 37Signals
- They asked that politics be kept out of company chats, but encouraged people to be politically active on non-work channels/social media/etc even during work hours
- People lost their minds at this incredibly reasonable request which then blew up on the internet
- They offered any employee 6 months severance if they weren't comfortable with the new policy. About 1/3 of the company took it.
- Rails Conf dis-invited the creator of Rails
- Obviously, this was not going to sit well as people were trying to create a very public political flex against DHH and at that point, he started getting much more vocal about the problem of politics sweeping into every aspect of life.
In the following years...
- DHH becomes very publicly outspoken against politics infecting everything
- 37 Signals publishes another successful book
- Ships much more quickly as all of the people constantly distracted by politics at work are no longer in the building
- Starts the Rails World conference to great success
- Rails Conf shuts down
- DHH ships Omarchy which is getting significant support
So the end result has been that a bunch of people tried to essentially "cancel" DHH and the result was him having virtually non-stop, resounding success while publicly speaking out against those who created the problem in the first place...because some people really do just want to build cool things regardless of your politics.
I don't know how this fits into the narrative you just posted, but DHH was a keynote speaker at RailsConf this year. I was there and heard him speak. He didn't speak about anything "political"; just his usual ranting and raving, this time about how long it takes to test and deploy things.
I don't think that's fair, I mostly thought that until I read his recent blog post[0] where he wished for fewer non-white people in London and praises a far-right fascist figure in England (Tommy Robinson, he was a member of the BNP[1] for while before he started the EDL which was more extreme).
When you're advocating for ethno-nationalism and praising fascists, I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically.
The label is meaningless now because it's been so overused. At this point a fascist is anyone to the right of anarcho-communism. People still trying to use the term are labeling themselves more than anybody else.
I am shocked, SHOCKED, to know that a person who loves to program and just wants to do it would be more productive than people bikeshedding about code of conduct and other matters ;)
he's definitely disingenuous, though. I think the "cancel" situation was cringe but the guy posts nativist musings about London and then acts apolitical. look, I get it. the first large generation of professional developers that came up in the web 2.0 era are getting older now so naturally many are becoming more conservative. but a lot of this comes across as some kind of backlash because these guys aren't "cool" anymore. there'd be a lot less drama in this situation in particular if DHH didn't act like he needs the approval of 26 year olds. they're never going to see eye to eye with him because he's an old man at this point so he should have some tact and be the bigger person if he cares about the dev community he was a part of. very similar situation to Musk who used to be adored around the world and now he's seen as a basket case.
I disagree. DHH said no politics at work. I thought that was great. A sensible moderate position at a time where people were getting polarised.
Then he started a blog, built on his company's software, where he constantly shares extreme political opinions. When you are the public face of a company (and framework) and you are publishing your political opinions using your company's platform, you are now bringing politics to work. He's a hypocrite.
> When you are the public face of a company (and framework) and you are publishing your political opinions using your companies platform, you are now bringing politics to work.
So Tim Cook would be "bringing politics to work" by posting politics on Twitter from an iPhone? Plenty of prominent Python community members, including core devs, have politics on their blogs and also use Python-powered technology (dedicated SSGs like Nikola, but also even Sphinx which is really meant for documentation) to generate and publish pages; is that "bringing politics to work"?
That's not the case at all. His blog is his personal blog, not 37Signals, and he has never said employees were not allowed to share political opinions outside of work.
this is in the same category as "the law in its majestic equality forbids both beggars and rich men to sleep under bridges".
DHH advocates "no politics at work" because as a powerful guy that's organized politics potentially directed at him. He advocates blogging because he knows perfectly well that he has a large audience and his employees or critics don't. That's why the rich tech bro class loves getting politics out of the workplace and getting it onto the platforms they own.
When you're the public face of a company you don't get to separate your personal political blogs from your work life. Your employees shouldn't know your political opinions and when you're that much in the public eye that means keeping them to yourself.
I genuinely don't understand why you believe this. Were you holding Bill Gates to the same standard when he still ran Microsoft? A charitable foundation is inherently political (it asserts the importance of the causes it financially supports, and holds them to represent matters of significant moral weight); should he not have put his and his wife's name on it?
Good summary. Also the ask for politics to be kept out of company chats is often what I find cited as the _core_ reason for why "DHH is a Nazi" in online discussions. It's _weird_.
I think the real root of peoples' disagreement over what happened there is that rank-and-file employees wanted to assert a lot more control over what their company does than they actually could and they were informed that that wouldn't be acceptable. The six month severance was generous.
> I more or less agree with the "no politics at work" stance
> but you've omitted
I'm not that poster, but it was objectively correct to omit that, because it was as an objective matter of fact not "at work".
It does. Not. Matter. In this context what his beliefs are, or how they look to you through your lens.
In exactly the same way that, for example, the political views of GNOME and Xorg developers are not relevant to the development of those projects, and only become relevant when they get discussed in development spaces. (Or, you know, when they become the motivation for explicit interference in XLibre development.)
Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".
If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity, then you leave people with those sentiments running into the only open arms left: the far-right and the rest of their agenda.
As a liberal, even a progressive in my own mind, I still recognize that completely open borders are a problem and that we should expect all people coming to a country to want to learn the language and integrate with the native community and customs. This concept is compatible with respecting cultural diversity and immigrant populations and their civil rights.
And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe it or not, jail.
FINALLY - I don't see how this kind of hard-fork-over-politics maneuver helps change minds in the long run. It only generates bitterness.
> Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".
what does DHH, a Dane, who as far as I'm aware has never lived in London (and certainly doesn't now), know about London/the UK?
absolutely fuck all
he should keep his trap shut, in the same way Elon Musk should stop attempting to stoke nationalist fires in a foreign nation
I am also a (British, not American) liberal, and I agree with your comments about integration
the UK has an integration problem that successive political leaders have attempted to brush under the carpet, whilst ignoring the electorate's desire for a reduced rate of immigration
but the sort of nativist crassness displayed in that blog post is not the answer
and leads down a very nasty road that we thought we had defeated forever 60 years ago
> And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe it or not, jail.
I'm afraid this type of authoritarianism always seems to come with a labour government
That's not quite accurate. Quoting ChatGPT, since it may have more credible neutrality than my own opinion:
"""
Does Tommy Robinson call himself a "fascist" or "white nationalist"?
No — Tommy Robinson (real name Stephen Yaxley-Lennon) does not call himself a fascist or white nationalist.
He consistently rejects those labels, describing himself instead as a patriot, free-speech activist, or anti-Islamist campaigner.
To summarize the record:
* Public statements:
Robinson has said things like “I’m not a racist, I’m not a fascist — I’m a working-class lad from Luton who’s standing up for my country.”
In interviews (e.g., BBC Panorama, ITV, and various YouTube appearances), he has explicitly denied being a fascist or white nationalist.
* Affiliations:
He co-founded the English Defence League (EDL), which has been widely described by journalists and researchers as far-right and anti-Muslim.
However, he left the EDL in 2013 saying it had become associated with racism and extremist elements he could no longer control.
"""
Maybe TR is a fascist or white nationalist, but he isn't a self-proclaimed one.
I mean, even if you grant that the EDL is not a fascist organisation (I don't) he was a member of the BNP which is an explicitly fascist organisation, so at best he is a former fascist or a reformed fascist.
> making your politics known and then being like "but you're not allowed to have an opinion on it"
As far as I can tell, this doesn't fairly reflect what actually happened. Ruby users were free to keep their own political views to their own blogs, just as DHH does. Reading world dot hey dot com slash dhh is not in any way required in order to use Ruby, participate in the development of Ruby or anything else along those lines.
There are a lot of prominent developers in the Python community whose politics I strongly disagree with. I got banned from the main discussion forum as a result of objecting to hidden Code of Conduct enforcement principles which (in my view) attempted to bring (many of) those politics in through the back door. (And in the process of getting into that meta argument, and doing research, I encountered several previous unpleasant incidents on the forum and on the mailing list that preceded it.)
But I would never start arguments with people in that space over things they wrote on their blogs. I would not go onto, say, the CPython issue tracker to complain about how certain people needed to be removed from the project because of things they said in their own spaces (like we saw with, for example, Opalgate). If I wanted to talk about someone else's politics — or my own — I would and could use my own blog for that.
The mere fact of people knowing DHH's politics emphatically does not politicize Ruby, Rails or any related project. To the extent that Python development has become politicized, that's a consequence of actual enacted policy, not the political beliefs of steering committee members, PSF board members etc. DHH putting this content on his blog was part of the effort to have it not in the workplace. And, in point of fact, that does keep it out of 37Signals board rooms.
Was there ever a mirror of this dustup in the Linux distro community?
I'm unaware of one ever happening, and I'm wondering whether it's because of mere fortune or because there's something about the APT / dpkg model that precludes this kind of messiness.
Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors? This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
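The "here's the package, here's its checksum" model the comment above describes is what Bundler's opt-in `CHECKSUMS` lockfile section (Bundler 2.5+, `bundle lock --add-checksums`) provides: once a digest is pinned in `Gemfile.lock`, the gem can be fetched from any mirror and verified locally, so the host only has to be trusted for availability, not integrity. The following is an added example written for this page, not code from Bundler, RubyGems or any commenter; the lockfile text, gem names and archive bytes are constructed, and the pinned digest is derived from the "genuine" bytes to stand in for what a publisher would have recorded.

```ruby
require "digest"

# Parse the CHECKSUMS section of a Gemfile.lock. Each entry has the form
#   name (version) sha256=<64 hex chars>
# (the version may carry a platform suffix, e.g. 1.15.4-x86_64-linux).
# Returns a hash of "name-version" => hex digest.
def parse_checksums(lock_text)
  pins = {}
  in_section = false
  lock_text.each_line do |line|
    if line =~ /\A[A-Z]/ # unindented line = top-level section header (GEM, CHECKSUMS, ...)
      in_section = line.strip == "CHECKSUMS"
      next
    end
    next unless in_section
    m = line.match(/\A\s+(\S+) \(([^)]+)\) sha256=([0-9a-f]{64})\s*\z/)
    next unless m
    pins["#{m[1]}-#{m[2]}"] = m[3]
  end
  pins
end

# Verify archives fetched from an arbitrary mirror against the pins.
# `archives` is an array of ["name-version", raw_bytes] pairs; the result is
# an array of ["name-version", status] with status :ok, :mismatch or :unpinned.
# An unpinned gem is reported rather than silently accepted: a mirror must
# not be able to add packages the lockfile never vouched for.
def verify_archives(pins, archives)
  archives.map do |key, bytes|
    expected = pins[key]
    status = if expected.nil?
               :unpinned
             elsif Digest::SHA256.hexdigest(bytes) == expected
               :ok
             else
               :mismatch
             end
    [key, status]
  end
end

# --- Constructed sample data (not a real lockfile and not real gem archives) ---
GENUINE_GEM  = "genuine gem archive bytes for example-1.0.0".b
TAMPERED_GEM = "archive bytes altered by a malicious or broken mirror".b

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example (1.0.0)

  CHECKSUMS
    example (1.0.0) sha256=#{Digest::SHA256.hexdigest(GENUINE_GEM)}

  BUNDLED WITH
     2.5.0
LOCK

# Run the three interesting cases: a faithful copy, a tampered copy and a
# package the lockfile never pinned.
def demo
  pins = parse_checksums(SAMPLE_LOCK)
  {
    genuine:  verify_archives(pins, [["example-1.0.0", GENUINE_GEM]]),
    tampered: verify_archives(pins, [["example-1.0.0", TAMPERED_GEM]]),
    unpinned: verify_archives(pins, [["other-2.0.0", GENUINE_GEM]]),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The caveat a practitioner should keep in mind is that a pinned digest proves integrity relative to the first pin, not authenticity: the first `bundle lock --add-checksums` is trust-on-first-use, so changes to the `CHECKSUMS` section deserve the same review as any other dependency bump, and a checksum says nothing about whether the version itself was published by the legitimate maintainer. That second question is what registry-side controls such as account 2FA and publisher attestation are meant to answer, which is why the hosting governance argued about elsewhere in this thread still matters even with mirrors and checksums in place.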
The fact that you speak of "the Linux distro community" but also "the APT / dpkg model" is already telling. Most distros — i.e., everything not derived from Debian — don't even use the same package format. A lot of the problem has been mitigated simply by letting people choose among competitive suites of alternatives.
That said, there's been quite a bit of drama lately in prominent Linux projects — notably bcachefs, X11 (and the fork XLibre), and the Omarchy distribution (even connected to the current story!).
There was - see old systemd discussions. For instance, how devuan was started.
It is not 1:1 comparable though. Ruby, python etc... have a much more varied community. People contribute code. Only few contribute to the linux kernel directly. There are many more who write "apps", so this could be comparable. Still it feels different to me, since a language community is different to a community that uses different programming languages.
> Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors?
No, I think it is more that people never anticipated that corporations could take over projects. This has become more of a problem in the last few years. Who controls github, for instance?
> This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
This is the issue of decentralized hosting versus top-down control. Ruby didn't have that problem in the past. It became more of an issue in the last few years. See DHH having an old tweet where he pointed out that he wants more control; I think this was from 2018. I don't remember it fully but it is on the ruby reddit.
Ideologically-rooted dustups are popping off all across open source right now, it seems. Forks-included.
I've even seen unironic claims of certain pieces of technology containing "Hitler particles". That shook me a bit because that's an old in-joke and was always intended to be a joke...
There are numerous questions here, but also a few answers.
For instance, I pointed out days ago that Hiroshi Shibata did not act solo. Now this is confirmed - it was a matz directive. The main question to ask here is: could he not have made this open AND public from the get go? It would have lessened the confusion for some people.
Unfortunately this also has a few added problems now, because ... say that you are an indie dev or a solo dev. Would you want to "interact" with the ruby core team if they can just oust people at will if they feel they need more top-down control? Or, worse, if they only get money if companies pay them to do so? I am not necessarily saying there was a 1:1 connection with money in mind. For instance, the bin/gem was not designed by the ruby core team, in many ways was a mistake from the get go - see how Rust avoided this by having cargo. But one can not help but wonder how deep that money situation goes. u/jrochkind on reddit pointed that out, e. g. that there is very clearly a connection to ruby losing users and developers in the last ~5 years, and a dry-up of financial assets in general. I agree with him. Even if this was not the case here (though I somewhat suspect money had to do with many things here), the situation for ruby in general is really really bad. Perhaps matz felt that this was the only way forward, who knows. Either way it is not a good situation to be had.
It also shows how ruby is WAY too dependent on rails. If rails sinks, ruby sinks. That is BAD. DHH may contribute to this problem with the "I am the richest neo-boy in the USA" and odd blog entries (that's his though, he can write whatever he wants to), but the moment there is a financial interconnection is the moment there is no longer a fair field. And this is really bad, because it means ruby as such will be pulled by those who have money. Bye bye solo devs - you no longer have a place in the corporate infrastructure. And make no mistake about this: rubygems.org is a pure corporate entity now. Look at the new rules they forced onto everyone: https://blog.rubygems.org/2025/07/08/policies-live.html
"Isn't supply chain security a corporate concern?"
And then he weakly tries to say "no, it isn't because corporations finance us now, it is all about LOVE, HAPPINESS and THE COMMUNITY". But in reality - it absolutely is. Corporations wanted more guarantees and these infrastructure-maintainers said "that's ok - we don't pay these indie devs anything but now we force them into mandatory 2FA, ad-hoc 100.000 restrictions (can not remove your gem past that limit) and any other random crap, such as not paying them anything and having them work for us for free". I am sorry but there are soooooooo many things going wrong here - I totally agree with duckinator. This was a hostile take-over, unfortunately now we also know that it was decided from within ruby-core itself.
Note that I am not saying that it is a bad idea to have something such as gem maintained by the ruby core team, I totally understand the reason for this, and I also pointed at the example of rust/cargo. However, the infrastructure shouldn't be a money-injection team for the ruby core team - the moment this happens is the moment things no longer work here. And ruby isn't merely the part designed by the core team; it also isn't just rails - you had many more people who contributed to ruby in the form of the ecosystem. Granted, many projects are abandoned (this is also a problem for rubygems.org by the way) but at the least this used to be true in the past.
In a way this is all a bit rubbish, because we see MIT/BSD licences, so people could just fork ruby (not that this is likely; I haven't seen anyone object to matz being an excellent language designer. I also don't think it is a problem if matz and the core team profit from this financially, that's perfectly fine. But the whole ecosystem shouldn't be in such a top-down control where corporations just buy their way into things, with DHH making snide remarks on his blog ("we got rid of the boys controlling the infrastructure now") all of the time while on Shopify's payroll - that is no longer a fair playing field here. Everyone can see this.)
Also, if matz made the decision weeks ago and told Hiroshi to do so, HOW was this fair to Mike McQuaid? The latter said he tried to act as man in the middle. But if the decision was made to finalize on this already prior to that, was Mike told that? If not, how is that fair? Either way I guess Mike gets the most praise from all sides simply for trying.
We'll see what happens, whether people love the new corporate-controlled rubygems.org or prefer gem.coop (which, admittedly, still has to deliver). I favour the latter, like the rising phoenix from the ashes - in part because I hated the new corporate rules that were installed onto rubygems.org, including the crap 100.000 download limit, but in part also because I feel that if gem.coop gets enough momentum overall, they can actually begin to solve NUMEROUS issues in the ruby ecosystem, from documentation to namespaced accounts (users and the ruby code as such, see duckinator's proposal) and so forth. Considering the damage shopify caused while wanting to control more of the ruby ecosystem, I expect them to now send more workers to go and improve rubygems.org as much as possible - and not ruin things in the process. Otherwise they would have only caused damage without any real gains.
The biggest loser in this are actually the folks at RubyCentral. Because ... what have they really ever done for the ruby community? Which high profile gems have they maintained? Just throwing fancy parties isn't going to cut it - Titanic was also sinking when it hit an iceberg. RubyCentral may still celebrate while sinking ...
Speaking of Phoenixes this whole debacle made me start diving into Elixir/Phoenix. My first impression is that I much prefer Ruby as a language, however I'm struggling to even think of using Rails currently.
They did not WRITE RubyGems, they inherited it and evolved it. Chad, David, Jim (RIP), Paul and I wrote RubyGems. I hosted RubyGems from my home in Virginia for several years before we could cover the cost of colocation and stood up RubyForge. It's nice to look at the near history and think that this is all of history but it is not. Ruby Central has always been the stewards of RubyGems and then later, Bundler.
Thank you, not only for RubyGems and hosting it, but for replying to all the accusations and comments that to me are simply bending the truth. Such as that they wrote RubyGems and that somehow Bundler belongs to them. And despite you correcting them multiple times, they still continue with the same narrative.
It may be best in the future direction to have Ruby Central's role on RubyGems and bundler completely eliminated and simply just hand them over to Ruby Core and Ruby Foundation in Japan. I will gladly donate just to avoid any more US politics and drama.
First of all, thank you! It's unbelievable that you built the first version of `gem install` in a single night. It must have been an amazing feeling. I remember the drive when I was doing some hackathon with a few friends. It's the best feeling a software engineer can have.
When you left RubyGems and Bundler (let's call them "Projects") team, you handed over your authority to whoever was left and/or was added later. It doesn't matter in which order things happened. What matters is that Ruby Central _and the rest of the team_ were the stewards of Projects. The important part here being _and the rest of the team_. André had every right to keep being part of that team, and he was for a long time, together with many other team members, all of which were removed by "a representative from Ruby Central". What an inhuman way to remove someone from a Project. "Hire" someone to do the dirty job for you so you don't have to.
The decisions in a team should be done by reaching a team consensus. Not by one actor.
I believe it's for the better that André was removed from the team, but it shouldn't have been done like this. Ruby Central lost their trust in the eyes of many. They could've achieved the same goal in a much better way.
How can I trust an organization with management of something if they failed to manage this whole situation? Claiming this is all in the name of security and then not even knowing how to properly remove access from someone. So much for security...
So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?
As long as Matz is involved, I have a lot of faith things will get better, not worse, unless you have some strong indication of otherwise. If anything, because things will be nicer.
> So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?
NPM was a company and it was acquired and it was voluntary. I don't think you can compare it to this situation - this is more of a messy situation with everything open source collaborations, rather than having clear ownership in a single entity:
I was one of the originating authors of RubyGems along with Jim (RIP), Chad, David and Paul. I hosted RubyGems from my home for the entire community for many years. We never asked nor received anything for that. We wrote RubyGems for the Ruby community. Matz and the Ruby Core team is the right place for RubyGems. This is great news.
jesus joel. you are a really, really upset person. I read your stuff on reddit/r/ruby. I understand your frustration but you are so biased. like really really biased.
Oh, I didn't know that André wants to sell gem.coop and/or rv. Can you please point me to more info about where this intention to sell gem.coop and/or rv was mentioned?
They want to sell some RubyGems logs about corporations (not individuals) using RubyGems API, to...Ruby Central?
As André explained on his site, he was on-call at the time when they were removing him. He acted to protect the service by limiting access. No harmful actions done by him were ever discovered by Ruby Central. It's two entities fighting to remove the other. You can say Ruby Central was right, I can say André was right. But we do know that Ruby Central fired the first shot when they (could've been an actual hacker) removed literally everyone from RubyGems and Bundler projects.
I think this is the right move. Thank you to Ruby Core and Matz for stepping up and providing stability to the language and community as a whole.
Matz is a pillar. Remember "Matz is nice and so we are nice"? s/nice/nice and responsible/gc.
Ruby community has always been quite toxic, though.
Remember why the lucky stiff?
The last spat between pro-Israel anti-immigration gang vs the cancel culture gang that resulted in Matz taking over contended code is a perfect illustration.
why’s identity reveal had nothing to do with the Ruby community. A random bad actor posted his personal details in a blog post.
The Ruby community respected his pseudonymity. Some of us already knew his name.
I don't like talking about a heterogeneous group of people in a generally negative way. I try to stick to the people I perceive as sharing the same values that are important to me. And there are many such people in the Ruby community.
> Remember why the lucky stiff?
I remember _why and I definitely don't remember him as toxic.
Wasn't his identity revealed while he wanted to remain anonymous?
My recollection is that some people in the community knew his identity. His sudden disappearance invited a lot of people to dig into it, many of which were not even Ruby people to begin with. There was even a newspaper article written about him years after. I would not attribute all that digging to the Ruby community. If anything I remember people being very respectful at the time.
Perhaps OP meant that _why was a victim of toxicity, rather than a purveyor of it?
Surprised to hear this, have been a Rubyist for many years and never felt this way about community as a whole. Come to Ruby Kaigi in Japan sometime!
I think that viewpoint says more about you than it does the Ruby community.
You're not doing a good job of proving them wrong.
Is that a religion now?
The pickaxe guys coined it. People repeat it without thinking about it.
If matz were to say "jump from the bridge", people would do it, because matz is nice?
Just to point out: I do think matz is nice and a great language designer. That in itself doesn't mean anything. Why would I proxy my own decisions based on any mindless slogan? That makes no sense. Why do people in the ruby ecosystem keep on repeating those pointless slogans?
I think it's pretty obvious to see the difference between being nice and jumping off a bridge? Curious why this cute phrase bothers you so much.
The phrase has been weaponized in the past many times. Some figures in the community are almost as far from "nice" as possible, but you're not allowed to call that out, because "it's not nice".
> but you're not allowed to call that out, because "it's not nice".
I don't know about the Ruby community, but I've seen this sort of complaint made about many other online spaces (including HN) and my general finding is that it simply isn't true. The problem is that for a proper call-out, both form and content matter, and most people in a mindset to make call-outs don't seem very interested in norms surrounding either of those things. Especially the part where part of good form is accepting that not all kind, well-meaning people have the same moral values and calculus.
Try calling out Python's inner circle politely while they are openly rude to you. You do know that you also have to keep up the pretense of Kim Jong Un as a glorious and benevolent leader even if he imprisoned some of your relatives. This is a response to your generalization, I do not know anything about Ruby politics.
(I'm assuming this is a throwaway account from someone with some insight into the PSF, and not some random person who just happened to choose this subthread as an entry into participating in the HN community. If I'm wrong about that, I'd strongly urge you to reconsider your approach.)
> Try calling out Python's inner circle politely while they are openly rude to you.
...You do know who you're responding to, right? I have first-hand experience of that (https://zahlman.github.io/posts/2024/07/31/an-open-letter-to...). (Although I don't think most of their rudeness is intentional; it seems to come from a failure to understand that not everyone has the same social norms.) I spoke in generalities for a reason.
The current situation is ultimately mostly about callouts of DHH, which are happening all over the place (including here) and the form and substance of most of those callouts is... not good.
Is being nice equivalent to jumping off a bridge? I think it's relatively simple to comprehend and also harmless. The guy who built this thing is nice, let's try to continue that tradition so that our community doesn't turn to shit.
It's a reminder to us all.
I don't think I've ever seen Matz be rude to anyone on the Ruby bug tracker. I've actually witnessed him deal with controversial topics firmly yet gracefully, making decisions that avoid turmoil in the community and that leave no room for escalation into flamewars. Other projects weren't so lucky.
I wrote some Ruby in my teenage years and his conduct certainly made an impression on me. I try to remember this guy whenever I get too angry about stuff. We should all try to be more like him.
That's what the phrase is saying, by the way. It's an encouragement to follow in his footsteps.
> Why would I proxy my own decisions based on any mindless slogan?
Exactly, why would you? But ignoring a hypothetical communal bridge jumping situation, do you have a problem with Matz having stewardship over RubyGems? Use your own thinking. If you're okay with it, then... is it because Matz is nice?
It affirms that being nice is a role model / thing we want to do in the Ruby community
Matz wouldn’t say jump from a bridge because he is nice.
> If matz were to say "jump from the bridge", people would do it, because matz is nice?
As always, there's a relevant xkcd: https://xkcd.com/1170/
...but seriously, what on earth do you think you're saying here?
I know what you mean about mindless aspirational slogans. "No child left behind" is logically the same as "no child gets ahead". But trying to convince the Ruby community to be nice, by the example of their founder, isn't in that category. And if Matz told me to jump off of a bridge, he has enough stored up credibility that I'd at least consider it.
Not necessarily. Your logic only holds if you assume the "behind" refers to other children.
The statement is ambiguous. I interpret it as "no child left behind THE STANDARD FOR THEIR AGE". In that interpretation, other kids being ahead of that standard doesn't mean the other kids have to be behind the standard. Every kid could be not "left behind" the standard even if some are ahead of the standard.
Of course, NCLB has a lot of other issues, but I think the name isn't the issue.
> "No child left behind" is logically the same as "no child gets ahead"
If by both statements you mean "all children must be in exactly the same position", yes ... but that's a wilfully obtuse interpretation.
It seems to me to be literal rather than obtuse to observe that it is necessary for some children to fall behind in order for others to get ahead. The slogan on its face is a wish for equality of outcome. But it's catchier than "no child failing to meet minimum standards".
I'm not convinced that yours is the only literal way to read it. The question of who exactly is doing the "leaving behind" is implicit, but it always sounded to me like it was the adults, not the other children. I don't think it's any less literal to interpret it as making sure some adults linger behind with the children who are behind rather than all of them running ahead with the children who go faster. The phrase isn't "no children are behind", which would be the literal representation of what you're saying; "left behind" is a bit ambiguous, and while I think you can make the case that the ambiguity is a problem, I don't think it's nearly as clear-cut as you're saying that there's only one literal way to read it.
Have you ever gone hiking? Did not leaving anyone behind mean that nobody could hike ahead of the rest?
In the long run, having multiple sources like gem.coop is probably a safer and more robust solution. But for RubyGems specifically, the trust was fully lost, through several layers - maintainers, community members, sponsors, etc. There's still open questions that probably need to be resolved like the funding and data privacy stuff, but I think most folks in ruby land will be supportive of this.
Any summary of what exactly unfolded please (if you don't mind)? Sorry, haven't been following the Ruby news for some time.
The broad-strokes story is:
* DHH said some things on his blog that some people believe to be deeply racist / fascist (not going to unpack whether they were or not because answering that question is irrelevant to the fact pattern; consult other threads for that debate).
* A Ruby conference run by Ruby Central was asked to deplatform him. Since he's the creator of Rails, they declined.
* In response to their decision, a major sponsor (Sidekiq) pulled out of supporting the conference and Ruby Central in general, to the tune of $250k a year.
* This created a "blood in the water" situation where Shopify hit Ruby Central with an ultimatum: they would back-fill the lost sponsorship for oversight control of Ruby Central (and the gem repository they maintain, rubygems.org). And if Ruby Central didn't take the deal, Shopify was going to pull their funding also, leaving them in dire straits (this, BTW, is a fairly common corporate tactic when multiple partners share support of a service that doesn't independently generate revenue. Look for it in your own business, startup company, and nonprofit dealings!).
* Shopify now de-facto controls rubygems.org and people immediately started backing towards the exits because corporate takeover tends to be a harbinger of enshittification. As if to prove the point, Shopify's folks immediately ham-fisted the access controls, yanking several gem creators from the admin roles of the gems they created. They claim this was a mistake; several in the community do not want to give them a benefit of the doubt they are not believed to have earned.
* Community members are standing up gem.coop as an alternative gem repository.
This is missing an important part of the story that makes the Ruby Central side look relatively better, which is that one of the existing maintainers offered to help fill the funding gap in exchange for being allowed to monetize the server logs. https://rubycentral.org/news/rubygems-org-aws-root-access-ev...
Your addition also misses an important part where the only reason he was able to do that was because the servers were forcibly taken from the previous owners for the ostensible purpose of security, but the new regime forgot to change the passwords as part of that.
At this point, it's probable that any attempt to just list the pertinent events isn't going to end up being as neutral as one might hope because even the choice of what context to include or exclude is itself editorial. This is the same lesson people might learn in a high school history class, just applied to something much more recent.
That's not accurate; the monetization proposal happened before the revocation of permissions. The controversy about various accesses that may or may not have been unauthorized (depending on whose story you believe) came later.
Perfect neutrality is unachievable but that doesn't mean that every possible way of presenting the facts is equally valid, or even that it's impossible to distinguish presentations that are or aren't missing important context (see, e.g., the surprising success of Twitter's Community Notes).
Wait, you think the former maintainer breaking into Ruby Central's AWS account and changing its root password makes the former maintainers look better?
that's the one thing I've heard them not address yet is the changing of the passwords.
Arko kind of did address it in his most recent blog post. He claims he was doing what was in Ruby Central's best interest.
Unfortunately for him he basically admitted to a crime because it came after he was terminated. He tried appealing to community and whatnot but anyone who's ever worked for a corporation knows that once you're terminated, it doesn't matter if HR forgot to take away your credentials or not, you simply don't attempt to access anything ever again. Having keys to something doesn't make you the owner.
He stated that he didn't know he had been terminated. RC admitted that no harm had been done. Yes, he should have communicated changing the password.
How do you monetize the server logs?
Unclear, but I think it might have been something like, find out (via reverse IP lookups) which big companies depend on which gems, and then use that information to market consulting services to those companies.
I guess something sinister is also an option...
Well, yes, already that description is sinister; I might be getting too old.
That description is not sinister. It's just marketing. An example of sinister would be to sell those logs to someone who could instigate a supply chain attack targeting some of those companies.
Try to identify companies making heavy use of $thing and use that as leads.
That puts the gem.coop repo in a new light.
The response to that: https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
This is about a different part of the controversy, and doesn't respond to the allegation of a monetization proposal.
Yes it does. He's refuting that in this part of the post:
> When they finally did reply, they seem to have developed some sort of theory that I was interested in “access to PII”, which is entirely false. I have no interest in any PII, commercially or otherwise. As my private email published by Ruby Central demonstrates, my entire proposal was based solely on company-level information, with no information about individuals included in any way. Here’s their response, over three days later.
A very specific denial. "I didn't propose this specific type of monetization". Would be better if he followed up with "Yes, I proposed monetization, but what I had in mind was this more specific, benign form of monetization:"
That "Executive Director" (whose salary is probably safe throughout all controversies!) does not sound very credible compared to:
https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
I'm only going by the corporate narrative structure of the director's post, who clearly wants to throw someone under the bus and cover up organizational incompetence. "Open" source has become so despicable.
Are you alleging that the screenshotted email isn't authentic? I'm only making a claim about that, not anything else.
I can't comment on any authenticity. Others here apparently dispute Andre's version, who clearly says he was on call:
"As this situation occurred, I was the primary on-call. My contractual, paid responsibility to Ruby Central was to defend the RubyGems.org service against potential threats."
I'm referring to the email containing the monetization offer, not the later controversy regarding disputedly-authorized access to the AWS account.
He ran the idea by a group of people, nothing more. We can disagree with it — so did RC — but that was it: bouncing an idea.
But Ruby Core is not the same thing as Ruby Central, apparently? This blog post says, "To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community." What, if anything, is the relationship between Ruby Core and gem.coop?
There is none. gem.coop is run by people who were previously involved with RubyGems and Bundler before they were ousted or resigned; AFAIK none of those people are part of Ruby Core.
Thank you for explaining!
This is not 100% correct though; I mean, your summary is good, don't get me wrong so I upvoted it. But it conflates a few issues that are not 100% related.
For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers. There may be some connection (DHH on shopify's board, tons of ruby developers being paid by shopify and still writing "my opinion is totally unbiased" like byroot did), but there is no 1:1 overlap. For instance, I could not care what DHH writes on his blog any less. rubygems.org changing policies though - that affects me. And if shopify is in part responsible, and DHH sits on shopify and makes decisions, then yes, something changed here. But there are also people who have a vendetta against DHH and they leak into other spaces too. I am not among those people and they shouldn't try to hijack other communities either.
By the way, the Shopify ultimatum also does not explain why all other ruby devs were ousted. Ruby Central lost the narrative here. And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so? (Because they know their case would be rubbish nonsense and they would have to open up ALL emails, which may make many more people suddenly ... very funky.)
> And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so?
As someone who has sued someone else and won, it can take months for your legal team to gather the facts, decide on strategy, and then file suit.
> For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers.
It's related because it led to Sidekiq dropping their funding, which increased shopify's power over ruby central.
It’s related because from the outside it looks like DHH is pulling strings to spitefully oust the folks who brought up concerns about his radical, hateful views. So you may not care what he has to say, but if he uses his influence to exclude folks who do care, and it causes you a problem, maybe it is related after all.
Thanks, that was a superb summary! Appreciate it.
It's news to me that the RubyCentral event had anything to do with DHH at least directly.
You are alleging that Shopify was retaliating. Do you have any reliable context that Shopify was acting in a retaliatory manner?
I'm sure it's a total coincidence that Shopify (on whose board DHH sits) coincidentally became an active participant on toppling the maintainers soon after they criticized DHH.
Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of, or in a misguided attempt to defend, DHH's honor.
What you believe and what you can document are two separate things.
Per the concept of "innocent until proven guilty", there is no burden on Shopify to prove they didn't do what you believe. The burden is on you to provide evidence for the motivations behind their actions.
I personally doubt Tobi got Shopify to where it was by making rash decisions based on emotions and drama.
Not only does one have to do the right thing, one has to be seen doing the right thing, because actual malfeasance and the appearance of malfeasance are indistinguishable on the outside. Though I wouldn't be surprised if Tobi/Shopify doesn't care for what the little people think, so this rule-of-thumb may not apply.
Your second para is appeal to authority. A former CEO of mine (not a billionaire though, but a mere centimillionaire) was a drama magnet, thin-skinned, and a vengeful little shit.
Hacker News isn’t a court. Nobody has to provide evidence for any opinion they share.
They should provide evidence when they are leveling accusations against others.
That's how a reasonable society works.
> Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of, or in a misguided attempt to defend DHH's honor.
That’s just a way of saying “I don’t have any evidence of what I’m claiming”
It's more like saying "I wasn't born yesterday"
I don't have any signal one way or the other on whether Shopify retaliated; the fact DHH is on their board I learned from this thread.
I have seen the "soft-hostile takeover" executed in other contexts, however. I don't think it's necessary to presume DHH used his influence as a Shopify board member to seal the deal or that he would have ulterior motive in doing so; in my experience, it's sufficient for a company to see a valuable piece of a puzzle they care about go vulnerable to acquisition offers to make the offer (with the corresponding stick). I'm willing to be convinced otherwise in either direction if more information presents itself; all I know is that Shopify put the offer on the table "We'll back-fill your funding gap or we'll make it much worse; your call." And I've seen that offer made in a completely capitalism-red-in-tooth-and-claw "business is business" way in the past.
If only the drama stopped there:
* DHH is not only considered racist / fascist due to some blog posts, but also for making Hyprland the default DE in Omarchy, developed by someone who goes by the name Vaxry Vaxerski, who is also considered fascist and racist, and thus banned from contributing to freedesktop projects due to supposed breach of CoC:
https://blog.vaxry.net/articles/2024-fdo-and-redhat
* Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals, DHH's company, due to it being an important part of Omarchy.
https://account.hypr.land/sponsors
* Due to the fact that both DHH and Vaxry are both considered fascist / racist, Framework and its CEO (yes, that Framework) are now considered to be supporters of fascism, because Framework is sponsoring and supporting both Omarchy and Hyprland.
https://account.hypr.land/sponsors
* Cloudflare (yes, that Cloudflare) is considered to support fascism because they support Omarchy and the Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
https://blog.cloudflare.com/supporting-the-future-of-the-ope...
* Last but not least, Tobi (Shopify CEO) and thus Shopify are also considered by many to be supporters of fascism when this drama started to unroll for standing by DHH no matter what when activists wanted to deplatform and ban DHH from his own creation (Ruby on Rails). Which makes the Ruby Central drama due to the involvement of Shopify even more interesting:
https://xcancel.com/tobi/status/1970944464303923687
Me? I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.
> I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.
The internet was never nice. It did, however, at one time require technical savvy to use. With that savvy came the understanding that computers and people aren't the same thing, so when the computer emitted something not nice you'd laugh at how quaint the technology was instead of getting your emotions all tied up in a knot and trying to hold a person accountable, like those who have no idea about what's going on around them do.
We have to go back. Because the 90s were the beginning of freedom, without toxic Dalmatian hackers.
It turns out "the words the person are saying aren't the person" turned out to be a polite fiction as people who had been saying awful things for years online turned out to go on to act on those ideas.
We tried "Don't feed the trolls." It's how we got where we are now.
People have always acted upon their (awful) ideas. In fact, the internet (DARPANET) itself was created as a tool to help combat exactly that. However, that is completely independent from what is emitted from a computer screen. To try to somehow bind them together is logically incoherent. Which technically-minded folks understand, but now that the technology has become so accessible that anyone can use it...
> However, that is completely independent from what is emitted from a computer screen
We may just be working under different definitions. Are you claiming that when I type things into, say, Hacker News and hit reply, the words you read aren't the words I wrote?
Or are you asserting the "person" of the words in the computer is not the same person I am behind the keyboard?
I'd argue that the latter is the disproven hypothesis. It turns out people who said awful things online were actually awful people; they may not show it as often in public, but they weren't different human beings. Broadly speaking, they believed the things they said and tended to act on them in real life.
Laughing off things on the computer as not real was how at least one shooting went unchecked.
> Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals
This methodology is definitely not how you discover fascism. But it is how fascists and communists defined and traced their enemies in the 20th century.
This.
While I am all for making conscious choices on what to support, I can't take anything phrased like "all its contributors" seriously.
Hyprland, while inferior (imo) in some aspects to sway on the wayland tiling manager landscape is a fine piece of software that I use on my non-work computer (I still use sway for stability).
Back on the topic: I reiterate I'd be happy to avoid using or supporting projects based on non-purely technical issues (discussion on "pure technicality" omitted for brevity).
It's just... What, do I need to know every person's, imo completely irrelevant, opinions on whatever du jour hot political topic? Maybe the answer could be yes.
I would be fine with dropping Hyprland support, maybe I will after digging a bit more. But this whole thing just reeks to me of terminally informed and ragebaited people looking for a platform to vomit their completely irrelevant opinions, actions speak more (e.g. fostering a dangerous environment _adjacent to the project_ based on discrimination).
I just feel I want to nope out of this industry and everything related to it, it's very overwhelming.
> What, do I need to know every persons imo completely irrelevant opinions on whatever du jour hot political topic?
No. But if they're using their social capital they've built via their software contributions (like DHH) to spread racist nonsense, then maybe it's worth considering alternatives, or at the very least, stop supporting those projects.
Sure, but I think there's a spectrum when making that decision:
"should keep their bullshit to themselves" <---> "should perhaps take leadership and avoid having their public channel a cesspool" <---> "actively encourages/participates in discriminatory practices" <---> "raging maniac hurting people, rallying for X"
Specifically on the topic of RubyGems:
I couldn't care less about what DHH posts or not, I certainly care that he uses his position to influence a chain of actors to interfere with something that always worked just because X.
I couldn't care less about the other side on the "cancel" mission, I care about influencing a chain of actors to interfere with something that always worked just because Y.
Please quarantine your political polarization/culture wars bullshit, non-anglo countries don't need it.
Turns out guilt by association is problematic whether it’s a Gestapo tactic or a terminally online one.
People need to step back and breathe. It’s possible to feel one thing about a (frankly shite) blog post and its author without tarring everybody within six degrees of separation with the same brush, and it’s quite unsettling that people find such nuance so difficult.
I know vaxry made/allowed childish & offensive comments about trans folks, but has this gotten worse? Why is he considered a full on fascist now?
> Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
Do you mean awesomekling? Why is he considered a fascist?
There are definitely actual fascists in tech (like Curtis Yarvin) which I (centrist liberal, not a tankie) fully support deplatforming where possible, but why are they considered fascists?
> Do you mean awesomekling? Why is he considered a fascist?
I hope you can see this because my posts in this thread are getting attacked and downvoted.
This pretty much summarizes how it started (copied from Google):
https://lunduke.locals.com/post/5823666/ladybird-web-browser...
(note that while the exact word is never seen in the evidence added to this post, it sure is used, or hinted at, elsewhere.)
and as evidenced by this, it's ongoing:
https://xcancel.com/awesomekling/status/1971287738268909576
because some people disagree with things like this:
https://xcancel.com/awesomekling/status/1966456391146606806
And there are tons more posts that show that some people are not exactly nice towards him on his X timeline.
Also there's direct proof of these accusations out there but I will not link to those out of professional courtesy for those involved (yes, some people still have that).
I was on his side for the first link because I don't like people who have not contributed making PRs to change inoffensive wording either, but it's unfortunate and disappointing to see him defending people like Kirk or DHH.
It should also be noted Lunduke is also not neutral and has his own political agenda.
"Everyone is a fascist except me and thee, and I'm not sure about thee."
Oh people were getting cancelled in the 90s and 00s
Agreed.
I think we have to wait and see how much momentum gem.coop can build. Right now they have promised "things for the future"; they will most likely also deliver eventually. But right now they are not there.
If and when they open beta, though, I'll begin to republish my old gems (not all, some I merged into other gems but most of the core stuff will be back) there. They have some things they should improve on though - documentation (also a problem that ruby doc was separate by the way), namespacing (this is in part also a problem that ruby had no primary way of namespacing; this is also a feature, but it should have a way to separate concerns when possible or wanted).
Anyway, I think we'll soon see what happens - I say people should evaluate again in about half a year or so, say like ... end of May 2026. I think this would be a more realistic time frame.
I do, however, also suspect that DHH may become the biggest asset to gem.coop - every further snide remark he makes on his blog will gain new people who are upset, and some of those will eventually help contribute to and benefit gem.coop. So for the end user this may be a win-win situation since they can install things how they like, thus having more flexibility. Many can and will stay with rubygems.org, others may prefer gem.coop, many others will probably use and combine both (this may be a bit more difficult; guess gem.coop needs to think of a way to specify different gem sources on a per-gem basis too. Lots of work to be had for certain).
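On the per-gem source question raised in the comment above: Bundler already provides block-scoped sources in the Gemfile, and scoping is also the safer way to mix repositories. A gem declared only inside one source block cannot be silently satisfied by a same-named gem from another repository, which is the dependency-confusion situation Bundler warns about when several global `source` lines are listed. The Gemfile below is an added illustration, not gem.coop's or Ruby Central's configuration; the gem names and the exact gem.coop URL are assumptions.

```ruby
# Gemfile (added example; gem names and the gem.coop URL are assumptions)

# Exactly one global source. Several top-level `source` lines is the risky
# configuration: Bundler then has to choose a repository for every gem and
# warns that the Gemfile contains multiple primary sources.
source "https://rubygems.org"

gem "rails"
gem "sidekiq"

# Gems declared inside this block are resolved only from the scoped source,
# never from rubygems.org, even if a gem with the same name is published there.
source "https://gem.coop" do
  gem "example_internal_gem"   # assumed name
end
```

After `bundle install`, Gemfile.lock records each gem under the `remote:` entry of the source that provided it, which is the place to check in review that no dependency has quietly moved between repositories.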
Even if you're not an old-timer and don't remember what Ruby Together was like, the AWS root password changing shenanigans, presumably done by Arko, is enough of a red flag that nothing he's associated with has any credibility.
No serious business with real (business) customers will accept that kind of risk and gem.coop will never be a thing outside of hobbyists.
Read his account of it (https://andre.arko.net/2025/10/09/the-rubygems-security-inci...) and you might change your mind (again).
I agree with busterarm's take. Andre Arko's story omits specific concerns like ssh'ing into Rubygems in Japan 9 days after the debacle. Further, his narrative excludes his termination email and instead focuses on generic platitudes his boss sent the group, to somehow prove Andre didn't know he was fired.
All in all, I don't see sound judgement from Andre Arko or from RubyCentral. That seems the common takeaway from neutral third parties https://archive.md/SEzoV
> Regarding Arko’s blog post about his removal, McQuaid [Homebrew Maintainer] told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”
No, it won't because I can read the timelines and see what he's omitting.
He logged in and changed the password after the board emailed him and told him his services were terminated. That includes/specifically mentions his on-call services. His response claims only silence from the board and that he was just performing his on-call duties.
I've been a corporate stooge for 25 years or so now. On call duties are one of my main responsibilities. I would NEVER probe out which logins I still have access to after receiving notice of termination. He admits to doing this in multiple places.
All his justifications are that he was under contract to do work that he was already notified was terminated. Everything that follows either tells me that he has bad judgment, that he's lying (by omissions), or in the worst case totally delusional.
If he was so worried about operational takeover, why did he _change a password_ without notifying anyone else with operational capabilities that he was doing so? Nobody reasonable would _ever_ do that. There's a certain amount of upfront communication and CYA required of reasonable actors in this space and he doesn't have it (Not that Ruby Central did any better).
So no, I won't be changing my mind, and I don't know why you put "(again)" in there.
Notice how this was taking over a GitHub repository from an entire team of maintainers, through deceit; and now we are all a few weeks in and you have seemingly accepted the narrative that one bad apple now justifies every action taken before and since, with no questions answered, with a wave of inconsistencies (it's about the money/no, the treasurer is wrong, it's not about the money!), etc.
No, it's not. I haven't weighed in on that at all in this thread. This thread is very specifically about Andre Arko's credibility and the credibility of projects that associate with him.
Regardless of what Ruby Central did, his own actions warrant every bit of criticism he's getting. Stop trying to redirect the narrative. There are other threads where that discussion is happening.
You can view Ruby Central as being in the wrong all you want and I won't argue with you, but that doesn't mean Arko is not-wrong as well. It's not zero-sum.
Arko explained why he changed the password; I agree that he should have communicated the change. Now, does that justify the hostile takeover of the projects? C'mon... folks, there was a hostile takeover of two projects. Will we, as a community, ignore that?
I don't understand how Matz accepted this as-is. Taking over these projects without addressing the takeover makes them toxic assets that will taint the Ruby community for a long, long time.
Oh I can assure you, it will be a thing.
I can't believe that long-gone maintainers still had root access, or any access at all, to the core platform. It's been wild to see Ruby community members getting upset with modern and established security norms, for a platform that runs a lot of the web. It's not 2006 anymore, and we aren't just running random curl commands off the net to get Rails installed. Scary to think how naive the backlash has been. Having an unmaintained security posture that is inherently insecure just blows my mind. That supply chain was wide open to attacks, may still be, but at least someone tried to bring security up to this decade.
>multiple sources is safer
It triples the attack surface, making it more vulnerable to having security vulnerabilities.
This is just the tooling though, not "rubygems.org" which is still owned by a hostile entity (depending on where you sit on this), so not sure how this would restore any trust?
As a co-author of RubyGems and one of the original Board members of Ruby Central, they are not a hostile entity. They are the entity that we gave stewardship of RubyGems and we/they have hosted it for its entire existence.
I disagree. The actions are orthogonal to your claim - they eliminated everyone else from there. How is that not hostile? Duckinator has been 100% right here.
> we gave stewardship of RubyGems
I didn't sign anything.
I also remember the original creators of rubygems. How old is Ruby Central? 10 years? 15 years? There were several years before that.
Ruby Central started in 2001. I was one of the early Board members, along with Chad Fowler and David Alan Black. We put on every Ruby conference until Ruby became more popular to support multiple conferences. We started coding RubyGems (although the name originated in 2001 at the first RubyConf in Florida) in 2003 at the RubyConf in Austin TX. We sat around a table the first night with a CVS repo on a USB drive and passed it around and committed code until we had a functioning gem command. I demoed it in my talk the next day with the first "gem install". Gem versioning, gemspec, gem command, gem server were all built that first night. Obviously tons of changes since then!
It goes without saying that Ruby Central doesn't think Ruby Central has ever lost any trust to begin with.
I don't have a dog in this fight, but the discussion is about the phrase "hostile entity", not about a loss of trust.
That really doesn't matter. I think what happened could be described as "hostility" towards the community, that's what my impression was, it was appearing like a hostile takeover of the github repositories/organization with no discussion, no community involvement, no transparency. Obviously not everybody will agree especially not people working at Ruby Central.
Hostile entity? The entity that has literally hosted them for their entire existence?
Apparently so. That shouldn't be a surprise; Amazon Web Services turned out to be hostile to WikiLeaks, CDDB's hosting turned out to be hostile to the community that built CDDB, coal mining company towns were hostile to miners' unions, and, in the final analysis, turkey farmers are hostile to the turkeys.
Imagine if you opened up your laptop to discover Microsoft Windows has locked you out of your entire machine, because you were writing a novel in RTF and it could be opened in Microsoft Word. Microsoft's executives started posting they "took control of your machine/the novel to maintain security".
- Corporate entity doesn't have copyright over your creative output. Just because word can open and view ("run") your novel does not give them ownership.
- Locking your access completely on your resources would be akin to a ransomware attack or account compromise
Would you label those actions hostile? Or just accept it as right because "maintain security"?
If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?
This is a bad analogy. André Arko was a contractor employed by Ruby Central. His employer terminated his contract. He continued to access their server which is literally a crime.
The "maintainers" weren't volunteers. They were paid employees.
Also none of the ones complaining were the original authors of gem nor bundler.
The entity that just fired all the people who maintained it
Ruby Central side: https://rubycentral.org/news/ruby-central-statement-on-rubyg...
For context, also check out their previous statement from September 19, which also "reflects our shared commitment to the long-term stability and growth of the Ruby ecosystem" [sic]: https://rubycentral.org/news/strengthening-the-stewardship-o...
> As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems.
It took less than two weeks from this statement for them to put out an incident report from them forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.
Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.
The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.
But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.
Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...
Genuine question: how do you take something which you have already been paying for?
They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that, it was extremely childish behaviour.
> They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager
Inaccurate:
> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.
> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.
They keep on using buzzwords. These Ruby central guys never maintained a single gem used by many people in their life. I have no idea what they are writing, but it feels as if AI is writing their statements. Even then it is of such a poor, repetitive quality that even AI may just accidentally write better "summaries". People lost all trust in Ruby Central - there is no way for them to win back trust here.
IMO it would be better to start from a clean slate; dissolve Ruby Central and bring back the community with a new policy, rules - but that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").
Afaik many of the people who were on board to help start gem.coop have stepped back after the recent controversies with Andre Arko, at this point I don’t think it will ever be anything more than a ruby gems mirror
I sincerely doubt this without a source
Really appreciate Matz stepping up to take on this difficult situation. As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
Stepping up how? It was always clear that Hiroshi Shibata didn't act solo without approval. I am not saying he knew the outcome before that, but WHEN was the decision made to take over gems + bundler? I have a slight suspicion that this may have been decided upon months ago already.
> As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
I am actually much more worried now. I don't live in the USA; I don't live in Japan. To me it seems as if Japan and the USA are totally over-dominating in the ruby ecosystem. While this is understandable that it is Japan (local community, I get it, this is different to english-speaking ones), I am absolutely upset that the USA has so much proxy-influence here. But I guess there is nothing that can be done. I guess in Python the USA also over-dominates. I just think this sucks really.
Yes. At least Ruby was always strongly Japanese though. In Python European and Asian developers are overtly exploited, with U.S. corporations and their employed stooges holding the reins of power.
I'm considering switching to Erlang, which was developed at a corporation from the start and appears to be drama and cancel free.
Ericsson is drama free?
Or Europeans choose to work for US corporations. What am I missing? I know Europeans who only want to work for American companies.
American salaries are typically wildly higher, both on the low end and on the high end. It's often remote work. There are more jobs and more variety of jobs, on an absolute scale, than any particular locality. There may be more of a job ladder, and less stigma to wanting to climb it. There are some other cultural aspects as well.
I would love to see such options become available in Europe (insofar as additional options existing, not taking away the ones that already exist). But that would require some extremely successful European companies working to change it.
My comment was unclear. I am American. I think I am familiar with these differences. You seem to agree with me that in light of these aspects, referring then to American company employees as stooges is exaggerated. Regarding Asia of course it's a different topic, and I am unfamiliar with it. Obviously some American companies are bad but I just question the comment I responded to, that's all. And I don't understand "stigma to climbing it." Depending on the country, of course, but I didn't think there was stigma. Europeans compete for prestige like the rest of us. Don't they? Some do, some don't, of course.
Different money and different attitudes. Trying to get paid more than your peers if you're appropriately skilled isn't social kryptonite here in the states.
Shopify is pretty much dominating the Ruby ecosystem. It’s Canadian tho :)
> I am actually much more worried now
Why? Japanese culture is more conservative, less prone to knee jerk decisions, and Ruby is their biggest home grown programming language.
I'm also not American nor Japanese and I think this is the best possible outcome.
More people live in the US. What is overdominating Python?
This is the only outcome that anyone who touches ruby cannot be upset with.
This is only a win for Ruby Central. They haven't conceded anything and they've convinced Ruby Core to endorse them as the correct and true maintainers of RubyGems.
> While repository ownership has moved, Ruby Central will continue to share management and governance responsibilities for RubyGems and Bundler in close collaboration with the Ruby core team.
Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.
=> https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...
So Ruby Central transfers "ownership" of Bundler to Ruby Core. Ruby Central gets to continue to maintain Bundler, and Ruby Core is stuck with the liability. If Andre wants to enforce his trademark, he now has to sue Japan-based Ruby Core and risk the bad optics of that.
>Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.
Well,
1. He's not fighting Ruby Central anymore, he'd be fighting the Ruby core team.
2. He's going to have a tough time asserting copyright on a name he didn't come up with on a project which shipped v1 before he joined.
3. If he believes the trademark belongs to the community, the right thing to do would be to transfer it to Ruby Core then, right?
People aren't upset because Matz hasn't chimed in on immigration laws yet.
cannot?
as a rubyist, I'd second "cannot"
my coffee hadn't hit—that was my intention, the "cannot"
If you go to https://news.ycombinator.com/item?id=45616729 you can fix it during a short window [2 hours?].
Add also at the bottom a short comment, so the other replies don't look wrong. Something like:
Edit: fixed can -> cannot
How so?
I think there are a gazillion questions left. But, I also agree that the future will tell, e. g. we'll have to see how popular gem.coop will become (if they become popular). And I also, despite my disagreements, think that it may have been better to solve installations of ruby projects from the get go, e. g. Rust + cargo. But I also see this as separate from a service such as rubygems.org (or whoever provides any infrastructure). The question of who develops functionality can be separate, I have no strong preference here. And, I also agree that having both bin/gem and bin/bundle is not good. There should be a unified API (or two - a simple one maintained by ruby core, and then people can build extra functionality into their own variants).
Sadly this all also may end up like this:
https://xkcd.com/927/
What I liked about bin/gem was its simplicity. Bundler brought a few new things or easier things to the table. "gem" should make it much easier to use any source though, including gem.coop.
It's pretty easy to change the sources for ruby gems using "gem sources" or ~/.gemrc. I'm not sure how that could be improved.
Better Ruby core than Ruby Central but still leaves me wondering what the hell happened and slightly sours me on the whole ecosystem.
I spend most of my time writing go (among other languages).
Candidly its decentralized nature when it comes to "packages" is one of its strengths. It does have downsides, and yes GitHub could be at issue at some point.
After this, after NPM compromises (left-pad and more recently the supply chain attacks), why we aren't seeing more community driven changes around decentralization and venturing is beyond me.
I waited for this as the more or less easiest option to regain back some trust. Benevolent leaders still keep many communities together.
NGL, the drama is entertaining.
I'm sorry for Ruby people that are negatively impacted, tho.
Lastly, Matz is the best!
So this whole thing stems from a dislike of DHH?
It also seems like rubygems.org could simply fork the rubygems code, perform whatever 'security and governance' changes they believed were needed in their fork, and run with that?
Isn't that the open source way of handling disagreements in direction?
Isn't rubygems distributed as part of Ruby
> So this whole thing stems from a dislike of DHH?
Not really. Shopify threatened to pull funding for them which set the whole thing in motion
No, no, no, this isn't the open source way at all! I can't believe you aren't getting it still!
Because I once installed your project, I need to:
- Take over all of the accounts/access you AND all of your friends/co-maintainers used in connection with it
- Tell you it was a mistake, give back access temporarily
- Do it again!
- Have one of my board members who happens to be the treasurer say it was about the $
- Make a straight to camera YouTube post Addressing The Concerns
- Make a first "continuing our series of transparency" blog post a week later, where I use a dense corporate laden dialect to claim it was for the betterment of all mankind and definitely not about the $; because I need you to understand Where We Are Now; What This Is and What This Isn't.
- Open a Google forms question submission box.
- Smear your reputation, because you had an idea once about tracking which packages go to which companies; so I'll insinuate that you want to read everyone's mail and snoop through their undergarments drawer. What's that? My actions affected much more than just you? Quiet now, we're reshaping the narrative to smear you.
- Answer no questions, explaining that we chose to give you a regular series of Friday updates; but also We Want to Move On from the back and forth but also in that same publication have another go at the smear, because it partially worked.
- Donate the project to my state library, to take some of the heat off of me
Isn't that so much easier than typing "git clone" and "git remote add"?
(I am consistently flummoxed that a handful of people here are buying this narrative; instead of as you point out... Just applying a smidgeon of critical analysis about the usage of tools that the majority of us must use day to day and coming to the conclusion you do. Instead of doing this or accepting this conclusion, there's a frothy passion it seems for Appeal to Authority/Argument from Authority where any excuse, flaw, etc on the part of the maintainers is used to justify the whole chain of events.
It seems like it hits 5-7 facts and people can no longer manage them in short term memory, go and look at more than what is presented to them by a single party, etc; so they just default to the easiest mental shortcut.
For some reason I keep falling into the trap that "people are more educated, capable of critical thinking, and have easier access to data than ever before in history"; which I rationally know is not true)
It seems like it stems from dislike of André
As best I've been able to understand it, a dislike of DHH led to the opportunity for those with a dislike of André to do all the stuff under discussion. I doubt we'll ever know the whole story, but in the absence of any of the additional context that some people claim exists (but haven't made public), this seems to be the most coherent explanation for what happened.
> So this whole thing stems from a dislike of DHH?
I don't believe this has anything to do with DHH.
Matz' action and tone in the announcement is impeccable. Humbling reminder of what greatness looks like.
by thanking Ruby Central who is the aggressor but not thanking the maintainers for their decade plus of work?
By not addressing HOW the project ended up in RC's hands, Matz is effectively whitewashing the move.
When I see opinions like this, I run, not walk, away from the community in question.
Loved the... argument?
Right?
Why is there (seemingly) no public offer to former maintainers to rejoin, or acknowledgement of wrongdoing having been done as part of this? It's practically zero cost to do that; as the Ruby core team is (largely) not the party that inflicted harm.
Politeness? Conspiracy to have done this all along? Cultural differences around public vs private opinions? Something else?
What would we think if this wasn't a software project but a hijacked community bus, being passed from party to party, pretending nothing is untoward about the whole situation while the passengers are still aboard? "Oh good, the new bus drivers are politely accepting the keys from the hijackers; all is well!"?
Edit: https://www.reddit.com/r/ruby/comments/1o8zz3e/comment/njywb... No discussion with maintainers
Unless there is some yet-unnamed party with enough credibility and enough money to do a proper takeover from Ruby Central, this was always the inevitable way forward.
In my 17ish-year involvement with Ruby, I can't think of one.
I don't understand why the move wasn't undone. This is essentially kicking the can down the road.
Can anyone please explain this in simple terms for a relative outsider?
See this thread for context: https://news.ycombinator.com/item?id=45299170#45300774
See especially Mike McQuaid's summaries. He did a bunch of mediation and comms work to make the situation digestible to outsiders. Check his recent posts (at time of writing) on https://bsky.app/profile/mikemcquaid.com
Yeah. I think everyone on all sides praises Mike for his effort. Cool guy.
Changed hands a couple times with “unclear” transition details at best. How it came about wasn’t all that transparent.
Tensions within the community were heightened because its loudest voice and most recognizable figurehead has opinions that aren’t all that popular and he made them loud and clear as he’s a loud thinker.
probably nobody can, no. Other than: a shitshow.
Does that mean RubyCentral or anyone associated with them no longer have admin access to RubyGems GitHub organization? Watching the debacle unfold made me much less trusting of their "stewardship".
It's good to hear Ruby core team took the ownership. Thank you Matz.
Since Ruby Central is still very much involved, does (or would) this have any impact on the people who left recently (like Ellen Dash/duckinator)?
seems to me they can happily go back to contributing to the tools, and at the same time ignore the fact that rubygems.org exists, by running gem.coop or whatever else.
Do the former maintainers have full commit access? Remember, this is what was taken in the middle of a discussion about governance.
https://github.com/rubygems/rfcs/pull/61
Other than personal preference, are there any features that make Ruby worth considering for new apps? As a user, my experience with gems hasn't been great. I don't know any Ruby, I'm just asking out of curiosity.
Ruby by itself is still a pretty decent scripting language. I still think Rake is highly underrated as a command runner.
Rails is still a good web framework within its limits. If you want to build a small, modest complexity web app with like 1 or 2 developers and under maybe 6 months of active development, modest traffic needs, etc, it's a good way to get everything up and running fast with best-practices for everything.
The lack of types may start to pinch some once you get an order of magnitude more developer-months into the app than that. Lack of overall speed, threading issues, and memory usage may be an issue once you get a few orders of magnitude more traffic. But while you're within those limits, I think you'll get features out on it faster than any other language or framework.
As they say, a lot more startups have died due to not being able to iterate fast enough in the early stages than from their traffic capacity, hosting efficiency, and bug count once they get into serious growth.
I’ve been writing Ruby professionally for over a decade and while the writing has been on the wall for almost the entire time, it’s more certain than ever that Ruby is on its last legs.
Big legacy companies who have invested heavily into Ruby cannot switch but every shop I’ve been at often started new services in non-Ruby (mostly Go but have seen plenty of Node/TS as well or Rust for that matter).
If I were to start a new app Ruby would be far from my first choice and the biggest reason are types. After being in the weeds of big Rails apps while also working with Go/Ts/typed Python, Ruby seems very fragile in big codebases. Sorbet is also not enough.
I've used Ruby off and on since the hype train started with DHH's early videos showing how easily you can make a blog in Rails. Oof, that was published 20 years ago! I wouldn't use it for anything beyond simple shell scripts these days. You're better off with Go for back-end work.
Decentralized package hosting is the only way.
The key question here is how exactly the supply chain attacks will be prevented. If you consider release of new version of a library some sort of transaction, it's easy to see then the difference with cryptocurrencies: in crypto transaction can be automatically verified, but with software releases it is impossible. It is hard to imagine hundreds of hostings on the same very high trust level, so either risks become significant or there are several, but not many hostings which everyone can trust. If Number of hostings << Number of users, then it's not truly decentralized and there still exists a different risk, when there's some sort of political split between some of them. Summarizing all of that, I don't know if decentralization is a solution at all. Transparent community ownership over a centralized solution is much better.
The supply chain attack is not the only argument here, though.
For instance, who effectively controls the ruby ecosystem? See ad-hoc restrictions such as 100.000 downloads - past that point you are disowned from your own gem. I always felt that was a direct attack on independent developers. They could have forked those gems just fine (the licence permits this for most gems after all), but nope, they forbid you to remove your own (!!!) code.
Decentralization is not the answer to that though.
> The key question here is how exactly the supply chain attacks will be prevented
By using signed packages. Why is this even a question.
If it’s PKI and there’s verification on each stage, maybe. Just different sort of centralization. If keys are self-issued, it’s still a problem. Say, you add a new dependency from a repository XXX. A new version is released signed by another key, which appears to be legitimate. What are you going to do? Run full KYC on new credentials? Distrust the new dependency version and fork the library? Just ignore assuming that repo has verified it?
With central repo you may expect that they operate under increasingly stronger security standards and even if you missed malicious update, there’s higher chance that it was taken down by someone else. In decentralized environment your risks are higher and attention surface bigger.
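The "new version signed by another key" case above is exactly the one a verifier has to refuse to decide on its own. The following is an added example, not RubyGems' `gem cert` machinery or Sigstore code: a release signature is checked against a public key pinned per package (trust on first use), so a valid signature from an unfamiliar self-issued key is reported as a key change rather than accepted. Keys are generated inline to stand in for a maintainer's key, and the package contents are constructed.

```ruby
require "openssl"
require "digest"

# Added example (not RubyGems' `gem cert` or Sigstore code): verify a release
# signature against a public key pinned per package, so a new version signed by
# a different, self-issued key surfaces as a key change instead of being accepted
# just because its signature is internally valid. Keys are generated inline to
# stand in for a maintainer's key; release contents are constructed.

def new_maintainer_key
  OpenSSL::PKey::RSA.new(2048)
end

# What a publisher signs: package name, version and content digest, so the
# signature cannot be transplanted onto another package or another payload.
def release_payload(name, version, content)
  "#{name} #{version} sha256:#{Digest::SHA256.hexdigest(content)}"
end

def sign_release(key, name, version, content)
  key.sign("SHA256", release_payload(name, version, content))
end

def key_fingerprint(pub)
  Digest::SHA256.hexdigest(pub.to_der)
end

# pins maps package name => fingerprint of the key trusted for that package.
# Returns :ok, :bad_signature, :key_changed, :pinned_first_use or :unpinned.
def verify_release(pins, name, version, content, signature, pub_pem, tofu: false)
  pub = OpenSSL::PKey::RSA.new(pub_pem)
  payload = release_payload(name, version, content)
  return :bad_signature unless pub.verify("SHA256", signature, payload)

  fp = key_fingerprint(pub)
  case pins[name]
  when nil
    return :unpinned unless tofu     # first sight of this package: trust only if policy allows TOFU
    pins[name] = fp
    :pinned_first_use
  when fp then :ok
  else :key_changed                  # valid signature, unknown key: needs a human decision
  end
end

# Walks the scenario from the discussion: one key publishes twice, then a new key
# shows up, then a tampered artifact arrives with the original signature attached.
def demo
  key_a = new_maintainer_key
  key_b = new_maintainer_key
  pins = {}
  results = []

  v1 = "widget-1.0.0 constructed contents"
  sig1 = sign_release(key_a, "widget", "1.0.0", v1)
  results << verify_release(pins, "widget", "1.0.0", v1, sig1, key_a.public_key.to_pem, tofu: true)

  v2 = "widget-1.1.0 constructed contents"
  sig2 = sign_release(key_a, "widget", "1.1.0", v2)
  results << verify_release(pins, "widget", "1.1.0", v2, sig2, key_a.public_key.to_pem)

  v3 = "widget-1.2.0 constructed contents"
  sig3 = sign_release(key_b, "widget", "1.2.0", v3)
  results << verify_release(pins, "widget", "1.2.0", v3, sig3, key_b.public_key.to_pem)

  results << verify_release(pins, "widget", "1.1.0", v2 + "X", sig2, key_a.public_key.to_pem)
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the pin is that `:key_changed` is a distinct outcome from `:ok`: the signature is cryptographically fine, but whether the new key is a legitimate rotation or a hijacked release is a question the verifier cannot answer by itself, which is the gap a central index with an identity-bound publishing flow is meant to close.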
Can Gems be served from OCI Container/Artifact registries, which (also) already support signatures?
From https://news.ycombinator.com/item?id=44991636 :
> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries
So, packages there too would simplify.
Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency: https://news.ycombinator.com/item?id=45354568
Nerdctl supports various snapshot, lazy start, and distributed cloud storage container stores: https://news.ycombinator.com/item?id=45270468
Ruby has:
And also for signatures now there's sigstore-ruby and Trusted Publishing.

sigstore-ruby: https://github.com/sigstore/sigstore-ruby
guides.rubygems.org/trusted-publishing: https://guides.rubygems.org/trusted-publishing/ :
> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]
> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.
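The security of that OIDC exchange rests on what the registry checks in the identity token before minting a publish token. This is an added example, not RubyGems.org's own implementation: the relying-party checks on an RS256 token, pinned to one repository and one release workflow. The claim names (`iss`, `aud`, `repository`, `job_workflow_ref`) are the ones GitHub Actions puts in its OIDC tokens; the policy values, the issuer key and the tokens themselves are constructed here, and the exact checks rubygems.org performs may differ.

```ruby
require "openssl"
require "json"

# Added example (not RubyGems.org's OIDC code): what the relying-party side of
# Trusted Publishing must check on the CI identity token before handing out a
# short-lived publish token. Claim names follow GitHub Actions' OIDC token; the
# policy values and the issuer key are constructed for the example.

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m")
end

# Mints an RS256 JWT the way the CI provider would (used only to build inputs).
def mint_token(key, claims)
  header = b64url(JSON.generate({ "alg" => "RS256", "typ" => "JWT" }))
  payload = b64url(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(key.sign("SHA256", signing_input))}"
end

ISSUER = "https://token.actions.githubusercontent.com" # GitHub Actions OIDC issuer

# Verifies the token and pins it to one configured repository and workflow.
# Returns :ok or a symbol naming the first check that failed.
def verify_publish_token(jwt, issuer_pubkey, policy, now: Time.now.to_i)
  parts = jwt.split(".")
  return :malformed unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  return :bad_alg unless header["alg"] == "RS256"  # never let the token choose "none" or HS256

  signing_input = "#{header_b64}.#{payload_b64}"
  return :bad_signature unless issuer_pubkey.verify("SHA256", b64url_decode(sig_b64), signing_input)

  claims = JSON.parse(b64url_decode(payload_b64))
  return :wrong_issuer unless claims["iss"] == ISSUER
  return :wrong_audience unless claims["aud"] == policy[:audience]
  return :expired unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  return :untrusted_repo unless claims["repository"] == policy[:repository]
  return :untrusted_workflow unless claims["job_workflow_ref"].to_s.start_with?(policy[:workflow_prefix])
  :ok
end

# Constructed scenario: a legitimate release token, the same token shape from a
# fork, a token from the wrong workflow, and a token whose claims were edited.
def demo
  issuer_key = OpenSSL::PKey::RSA.new(2048) # stands in for the issuer's JWKS key
  policy = { audience: "rubygems.org",
             repository: "example-org/widget",
             workflow_prefix: "example-org/widget/.github/workflows/release.yml@" }
  base = { "iss" => ISSUER, "aud" => "rubygems.org", "exp" => Time.now.to_i + 300,
           "repository" => "example-org/widget",
           "job_workflow_ref" => "example-org/widget/.github/workflows/release.yml@refs/tags/v1.2.0" }

  good = mint_token(issuer_key, base)
  forked = mint_token(issuer_key, base.merge("repository" => "attacker/widget"))
  wrong_wf = mint_token(issuer_key, base.merge("job_workflow_ref" => "example-org/widget/.github/workflows/ci.yml@refs/heads/main"))
  h, _p, s = good.split(".")
  tampered = [h, b64url(JSON.generate(base.merge("repository" => "attacker/widget"))), s].join(".")

  pub = OpenSSL::PKey::RSA.new(issuer_key.public_key.to_pem)
  [good, forked, wrong_wf, tampered].map { |t| verify_publish_token(t, pub, policy) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The two checks that matter most for the threat model are the repository and workflow pins: a token from a fork is signed by the same issuer key and is otherwise perfectly valid, so signature verification alone would let any repository publish.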
What languages do you use that have adopted this well?
I'm not counting something like C++ where there's effectively no "packages" to speak of.
Go, for some values of "distributed". The vast majority of go packages are hosted on GitHub, but nothing stops anyone from hosting elsewhere and Go has explicit support for indirection such that anyone can use a vanity domain that happens to point at GitHub or wherever.
Isn't this the same as ruby gems, then? You can use alternative sources in your Gemfile pretty easily.
Sort of.
Go packages have the source baked into the package name. It would be like needing to say `require "github.com/sparklemotion/nokogiri"` rather than what we do today, `require "nokogiri"` and then if you want to change the source wrapping `gem "nokogiri"` in an alternate `source` block.
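Whichever way the source is expressed, the thing worth checking after resolution is which remote each gem actually came from, since a private gem name that resolves from the public index is the dependency-confusion symptom that multiple sources invite. The following is an added example, not Bundler's own code: it parses a constructed `Gemfile.lock` with two `GEM` sections and flags gems that resolved from a remote the policy does not expect. The internal gem host is hypothetical.

```ruby
# Added example (not Bundler's own code): audit which remote each gem in a
# Gemfile.lock resolved from and flag gems whose remote the policy does not
# expect. With several sources in play, a private gem name resolving from the
# public index is the classic dependency-confusion symptom.

# Constructed lockfile with two GEM sections; the internal host is hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.5)
      nokogiri (1.16.0)
        mini_portile2 (~> 2.8.2)
      rake (13.0.6)

  GEM
    remote: https://gems.example.internal/
    specs:
      acme-internal (2.1.0)
        rake (>= 12)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-internal
    nokogiri

  BUNDLED WITH
     2.5.6
LOCK

# Same lockfile, but the internal gem resolved from the public index instead.
CONFUSED_LOCK = SAMPLE_LOCK.sub("https://gems.example.internal/", "https://rubygems.org/")

# Returns { gem_name => remote_url } for each resolved spec. Relies on the
# lockfile's indentation: specs sit at 4 spaces, their dependencies at 6.
def parse_lockfile(text)
  resolved = {}
  remote = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A\S/)                          # new top-level section (GEM, PLATFORMS, ...)
      remote = nil
      in_specs = false
    elsif (m = line.match(/\A  remote: (\S+)\z/))
      remote = m[1]
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && (m = line.match(/\A    (\S+) \(/))
      resolved[m[1]] = remote
    end
  end
  resolved
end

# Gems matching a private pattern must come from private_remote; everything else
# from public_remote. Returns human-readable findings (empty means clean).
def check_sources(resolved, private_patterns:, private_remote:,
                  public_remote: "https://rubygems.org/")
  resolved.filter_map do |name, remote|
    expected = private_patterns.any? { |p| p.match?(name) } ? private_remote : public_remote
    "#{name}: resolved from #{remote}, expected #{expected}" unless remote == expected
  end
end

if $PROGRAM_NAME == __FILE__
  policy = { private_patterns: [/\Aacme-/], private_remote: "https://gems.example.internal/" }
  puts "clean lock:    #{check_sources(parse_lockfile(SAMPLE_LOCK), **policy).inspect}"
  puts "confused lock: #{check_sources(parse_lockfile(CONFUSED_LOCK), **policy).inspect}"
end
```

Run against a real project, the same check is a cheap CI gate: the policy encodes which name prefixes belong to the private source, and any lockfile that resolves one of them from rubygems.org fails the build before anything is installed.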
go is comically un-distributed in practice:
- almost every package is hosted on GitHub and that url is baked in to consumers of those packages
- the go proxy: https://flak.tedunangst.com/post/what-the-go-proxy-has-been-...
Go's one weakness is that the package source is baked into the package data in a not-automatically-fungible way. And if pkg.go.dev ever becomes a threat vector, we're gonna have a bad time.
dselect solved this ages ago with its mirrors, but at some point it seems every major package manager decided that was unnecessary complexity ("why bother? It's not like a package repo just goes down") and left it out when they built their alternatives.
So, from time to time, when a domain in the Internet goes sour it's a huge problem (whereas were a Debian mirror to go sour I'd add like one line to a config file and never notice the issue again, assuming dpkg doesn't automatically identify the problem and route around it).
Nowadays there are, as vcpkg and conan step by step win the hearts of the C and C++ communities, and then there are the distro specific ones, if someone is happy enough with rpm/deb + pkg-config.
However I would say all ecosystems have issues, regardless of the approach, because 99% of the developers have no clue on what they depend on, and there are plenty of ways to mess up with ecosystem.
Go has decentralized package hosting and it works reasonably well.
Deno does also but I'm less clear on well how that is working out for them.
The Deno people recently released jsr.io, "a modern package registry for JavaScript and TypeScript."
I'm not familiar with the technical details, but at first glance it appears pretty centralised.
Technically, deno supports https imports as well
https://docs.deno.com/runtime/fundamentals/modules/#https-im...
>Go has decentralized package hosting and it works reasonably well.
All go package imports are proxied via Google.
https://drewdevault.com/2022/05/25/Google-has-been-DDoSing-s...
> (you can set GOPROXY=direct to fix this)
https://drewdevault.com/2021/08/06/goproxy-breaks-go.html
Not that defaults don't matter, just offering the extra detail. And, as the post goes on to explain, this change seems to cause its own set of dependency issues.
Is this written by a spy from a hostile country?
So Ruby Central will still be running rubygems.org?
Sadly yes. They probably have no other choice, because what else would they do with their time? Do the unthinkable and create gems other people would use? That would be too much work.
Seems so yes https://rubycentral.org/news/ruby-central-statement-on-rubyg...
As someone who spent a bunch of time talking before and after this all went down with current and past RubyGems maintainers, RubyCentral employees, Gem.coop maintainers and Ruby Core folks: this seems like the best outcome that was actually attainable.
I've been working on Homebrew for 16 years and leading it for some proportion of that and this all "smells" like a more sustainable long-term solution than anything we've seen happen in the last year. Some proposals sounded nicer but were not going to be acceptable to one or more sides.
Ruby already provides a vendored version of RubyGems and (more recently) Bundler so this seems appropriate. It also separates the "running a web service" which has guaranteed hosting costs, requires on-call, etc. from "running an open source CLI/library" which has no guaranteed costs.
It will be interesting to see what the Gem.coop folks do now (disclaimer: I helped them with their governance process). If there's some competition for rubygems.org as a server implementation that feels like a good thing for the community overall.
Good luck to all involved on all sides.
Thank you for your work in this arena and trying to add clarity. As a business owner and longtime rubyist, I'm very happy Ruby Core is taking stewardship here and that maybe we can put this tempest in a teapot behind us.
This is a fascinating and seemingly unusual development that will look obvious in history.
I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!
This stuff is PhD material for sociology and polisci post-grads and I'm so interested in following the progression of history with these types of things.
I don't think BDFLs are a problem. Nobody questioned, say, Guido's design of Python or Matz's design of Ruby as such. The issue here is primarily about who controls the Ruby ecosystem. Interestingly Python also had a somewhat similar discussion in the past; you can see this indirectly if you look at PyPI:
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...
See that question asked:
"Isn't supply chain security a corporate concern?"
He tried to bring arguments to invalidate that, and failed in an epic manner. Now people are more suspicious than before. Kind of strange to see, too.
> Nobody questioned, say, guido design of python
Not up until the incident that motivated him to resign, anyway.
Yeah, certainly tickles a few neurons.
I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks. That's probably dependent on their leadership style - the hard-headed (Linus, DHH) vs the grandfatherly (Matz, Van Rossum).
Which, going back to your note on geopolitics, leads me to wonder: Is it just that more power corrupts more, or is it that (modern-day definitions of) democracy require a desire for power? I guess as the "FL" part of "BDFL" comes to bite more of the communities, we'll see better how different succession styles have different effects. I also wonder if the analytical nature of the individuals within the "populations", and inability to police defectors will mean uprisings will be more successful, either in causing BDFL attitude adjustments, or just overturning the community completely (for example, there's already a lot of momentum for a complete fork of Rails).
(Edit: having submitted this, I now see others have had very similar thoughts! Definitely an excellent conversation topic)
> I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks.
I think a lot of this is due to how so much is a scandal these days, for better and worse. (I'm obviously going to keep politics as much out of my response as possible.)
A few decades ago, people could have political views without ostracizing roughly 50% of the global population, or generally causing a ruckus at the holiday family dinner. (Obviously politics + holiday dinners has been an issue for a long time, but back then it was just something people tried to sweep under the rug. Now? Holiday dinners are getting cancelled or families are splitting up.)
It used to be that a scandal in the OSS community required you killing your wife (thinking back to ReiserFS). Now, a remark on Twitter is all it takes.
Again, I am absolutely not taking sides here. I'm just noticing a difference in the times, and agreeing that it is indeed interesting to watch.
No, I agree. That said, I think a lot of that particular shift is down to a) increased individualism b) an emphasis on the healing power of personal boundaries and c) the rejection of unity as an overriding good.
People are far more happy to cling to the tribe they choose, and the tribe that has their back, over the tribe they were born to. Then, there are those who see that trend as dangerous to society (where, in many cases, society is really just a proxy for their own power or social status - ironically as viewed through their own chosen tribes more than the tribe they were born to)
That is to say, I don't think it's the political views that are splitting the families. Individuals have decided that care for each other should come secondary to those political views. I feel like there used to be a certain amount of care in the "sweeping under the rug" - it was the tribe against the world, it was protecting the family image as much as it was protecting the individual from society. These days, being a thing "in private" means being a thing alone, and that's no longer a compelling thought when external tribes are willing to embrace you.
Which probably applies to software tribes just as much as family ones.
Clinging to tribes is the opposite of individualism, though, and represents pretty weak rejection of unity.
>A few decades ago, people could have political views without ostracizing roughly 50% of the global population
This is ahistorical.
Not only was it the norm forever to ostracize entire sections of your society (protestant vs catholic and lots of other religions, black vs white, any form of non-hetero behavior, the Roma people and any form of outsider)
It often was the law
Americans shot their family members over whether we should own black people or not.
My French and white ancestors were expelled to Louisiana, intermarried with black people, and then when the US bought the French land, they introduced laws that made such families illegal.
Reagan made a hobby of publicly claiming his coworkers were communist. Thought that maybe we should be allowed to form unions? 100 years ago that was enough to get you investigated by the Senate. Americans voted for him so hard the Democratic party is still floundering to have support. "We should allow unions" or "we should regulate companies" is still half-verboten.
Do you know how many kids are still kicked out of their homes for the crime of being born gay?
This idea of "You used to be able to hold diverse opinions in public" is outright wrong. This past never existed.
Weird Christians in the US have tried to cancel things like Harry Potter and Halloween, for God's sake. They took a teacher to trial for teaching evolution. They made playing pen and paper RPGs a sin! When preachers molested kids, they shunned the kids.
Being too chummy with another guy in public was a scandal! Being a woman who wanted an education was a scandal! Getting pregnant out of wedlock was a scandal that would tear apart families. Getting divorced was verboten. Expressing support for social policy could get you fired, or murdered.
Bush Jr literally said "You're either with us or against us" about supporting a criminal war and America pitched a globally public fit when other countries did not pledge allegiance.
> I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!
The difference is that with an open source licence, the community can just fork the project (assuming they have enough developers), so the BDFL must master the art of herding cats.
A country has clear physical borders and tanks, and people can't fork them and ignore the old power structure.
I think you're absolutely right. We are starting to reach the age where a combination of large cooperative non-corporate tech projects and the Internet (that, partially at least, enabled them) are putting us in a place where the actual mortality of project owners matters. The "L" in BDFL is a finite constraint.
I think there's going to be an interesting and complicated churn as several major projects under the BDFL model have their Ds succeed at passing the torch, struggle to pass the torch, struggle to realize the torch needs to be passed, or take the torch and do their best to burn the whole project down so it can't outlive them.
This makes sense, considering Gem and Bundler are shipped with Ruby.
Well - I'd actually argue that it would be better and simpler if there would be just one binary. How it is called is IMO secondary. It would be better if the whole API would be unified. Bundler came later though.
I believe that has been the goal of maintainers for a couple years now. Yeah, they had different histories where bundler was developed as an add-on.
I think this is great news and the right move!
At the same time, I would like more information around how the Gem supply chain will be handled, particularly how Rubygems and Bundler will be protected against supply chain attacks, which are becoming endemic.
rubygems.org will still be operated by Ruby Central, though, so you still have to trust them. Given the state of affairs, this is less than ideal, but it’s probably a better outcome than nothing changing.
Ruby Central has literally ALWAYS hosted rubygems.org.
How's the adoption and usage situation for Ruby these days?
Is the Ruby ecosystem doing well?
Alive and well. I write Ruby every day and enjoy doing so. It's the only thing that consistently got better for me in the last 10+ years without losing its simplicity and joy. Ruby is truly a programmer's best friend.
Thank you Matz.
As an outsider, I have two questions:
- why is Shopify kind of hated in the comments?
- what is it DHH said?
Hoping for some context
Oh no, looks like you're one of today's (unlucky) 10000[0]. (For context I only heard about all this recently).
For the DHH thing he wrote a recent blog post where he said he wants fewer non-white people in London and praises an English far-right fascist figure (Tommy Robinson)[1].
Not really sure about the Shopify stuff. I've heard people aren't too fond of Tobi (the C.E.O. I think), and he's buddies with DHH, but it could just be general distrust of a big company trying to exert control of an open source project (through Ruby Central).
[0] https://xkcd.com/1053/
[1] https://world.hey.com/dhh/as-i-remember-london-e7d38e64
I think because of this, which started this whole thing
> Shopify demanded that Ruby Central take full control of the RubyGems
https://joel.drapper.me/p/rubygems-takeover
This isn't true according to this article: https://www.404media.co/how-ruby-went-off-the-rails/. Joel has a terrible habit of not citing his sources so I'm not sure if the post in question is the same but this seems to nullify that argument. TBF I do think there was pressure from Shopify to get compliance and security in order but saying "Shopify demanded that Ruby Central take full control of the RubyGems" is just plain not true.
The rubygems treasurer who is on the board said funding was conditional on doing this[0][1].
One interesting thing is that Ruby Central then said "Board decisions are independent and not contingent on funding."[2].
Doesn't inspire a lot of trust when there is a statement from a board member saying "we did this because of funding".
I'm more inclined to believe Joel's account.
[0] A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
[1] https://apiguy.substack.com/p/a-board-members-perspective-of...
[2] https://rubycentral.org/news/our-stewardship-where-we-are-wh...
Ruby Central is making legal threats to its critics, so I hope you can see why people don’t feel safe to come forward on the record.
I can tell you that two people with direct knowledge of the situation told me that Shopify demanded that Ruby Central take full control of the RubyGems GitHub organisation and packages.
You can believe that I am lying if you want. But I can’t directly cite my sources in this case.
I never said you were lying. I said the quote that person pulled from your article isn't true. IIRC your article came out before the one I linked came out.
They deviated from progressive orthodoxy which to some intolerant members of the community is an unforgivable sin.
this is good and I hope this puts a lot of the drama in the rearview mirror. younger developers coming across Ruby must be like "wtf" about this situation. very peculiar to have these projects so politicised and I say that to the people that "try and keep politics out" (DHH) more than anyone. making your politics known and then being like "but you're not allowed to have an opinion on it" isn't cute or clever. it's childish and everyone everywhere deserves to be treated with more respect than that.
But how does this solve anything? People will still not trust Ruby Central. And rubygems.org is under the control of Ruby Central, even IF ruby core tries to jump in to the rescue.
Well, now there's gem.coop, and we don't have to worry about bundler/gem becoming hostile to other services so either:
gem.coop matures and people move to it
Or ruby central gets their crap together and regains some trust.
It's definitely a win that the tool entry point is now managed by competent people with a good track record that aren't involved in the current drama.
He's also in a bit of a unique situation because his public political profile was essentially forced.
- Politics at work were becoming a huge problem at 37Signals
- They asked that politics be kept out of company chats, but encouraged people to be politically active on non-work channels/social media/etc even during work hours
- People lost their minds at this incredibly reasonable request which then blew up on the internet
- They offered any employee 6 months severance if they weren't comfortable with the new policy. About 1/3 of the company took it.
- Rails Conf dis-invited the creator of Rails
- Obviously, this was not going to sit well as people were trying to create a very public political flex against DHH and at that point, he started getting much more vocal about the problem of politics sweeping into every aspect of life.
In the following years...
- DHH becomes very publicly outspoken against politics infecting everything
- 37 Signals publishes another successful book
- Ships much more quickly as all of the people constantly distracted by politics at work are no longer in the building
- Starts the Rails World conference to great success
- Rails Conf shuts down
- DHH ships Omarchy which is getting significant support
So the end result has been that a bunch of people tried to essentially "cancel" DHH and the result was him having virtually non-stop, resounding success while publicly speaking out against those who created the problem in the first place...because some people really do just want to build cool things regardless of your politics.
I don't know how this fits into the narrative you just posted, but DHH was a keynote speaker at RailsConf this year. I was there and heard him speak. He didn't speak about anything "political"; just his usual ranting and raving, this time about how long it takes to test and deploy things.
He was brought back for the last RailsConf since DHH started RailsWorld after he was removed as a speaker for previous conferences.
DHH is at worst in the middle between left and right in the political spectrum.
Keeping politics out of work place is like an extremely mild stance.
For some reason, people label him as fascist...
I don't think that's fair, I mostly thought that until I read his recent blog post[0] where he wished for fewer non-white people in London and praises a far-right fascist figure in England (Tommy Robinson, he was a member of the BNP[1] for a while before he started the EDL which was more extreme).
When you're advocating for ethno-nationalism and praising fascists, I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically.
[0] https://world.hey.com/dhh/as-i-remember-london-e7d38e64
[1] https://en.wikipedia.org/wiki/British_National_Party
The label is meaningless now because it's been so overused. At this point a fascist is anyone to the right of anarcho-communism. People still trying to use the term are labeling themselves more than anybody else.
https://news.ycombinator.com/item?id=45622861
I am shocked, SHOCKED, to know that a person who loves to program and just wants to do it would be more productive than people bikeshedding about code of conduct and other matters ;)
he's definitely disingenuous, though. I think the "cancel" situation was cringe but the guy posts nativist musings about London and then acts apolitical. look, I get it. the first large generation of professional developers that came up in the web 2.0 era are getting older now so naturally many are becoming more conservative. but a lot of this comes across as some kind of backlash because these guys aren't "cool" anymore. there'd be a lot less drama in this situation in particular if DHH didn't act like he needs the approval of 26 year olds. they're never going to see eye to eye with him because he's an old man at this point so he should have some tact and be the bigger person if he cares about the dev community he was a part of. very similar situation to Musk who used to be adored around the world and now he's seen as a basket case.
I disagree. DHH said no politics at work. I thought that was great. A sensible moderate position at a time where people were getting polarised.
Then he started a blog, built on his company's software, where he constantly shares extreme political opinions. When you are the public face of a company (and framework) and you are publishing your political opinions using your company's platform, you are now bringing politics to work. He's a hypocrite.
That is the point though, his hand was forced. He was very politically attacked in a very public manner and has spoken out nonstop ever since.
> When you are the public face of a company (and framework) and you are publishing your political opinions using your company's platform, you are now bringing politics to work.
So Tim Cook would be "bringing politics to work" by posting politics on Twitter from an iPhone? Plenty of prominent Python community members, including core devs, have politics on their blogs and also use Python-powered technology (dedicated SSGs like Nikola, but also even Sphinx which is really meant for documentation) to generate and publish pages; is that "bringing politics to work"?
right, that's exactly what he did. "politics for me but not for thee"
That's not the case at all. His blog is his personal blog, not 37Signals, and he has never said employees were not allowed to share political opinions outside of work.
this is in the same category as "the law in its majestic equality forbids both beggars and rich men to sleep under bridges".
DHH advocates "no politics at work" because as a powerful guy that's organized politics potentially directed at him. He advocates blogging because he knows perfectly well that he has a large audience and his employees or critics don't. That's why the rich tech bro class loves getting politics out of the workplace and getting it onto the platforms they own.
When you're the public face of a company you don't get to separate your personal political blogs from your work life. Your employees shouldn't know your political opinions and when you're that much in the public eye that means keeping them to yourself.
I genuinely don't understand why you believe this. Were you holding Bill Gates to the same standard when he still ran Microsoft? A charitable foundation is inherently political (it asserts the importance of the causes it financially supports, and holds them to represent matters of significant moral weight); should he not have put his and his wife's name on it?
Good summary. Also the ask for politics to be kept out of company chats is often what I find cited as the _core_ reason for why "DHH is a Nazi" in online discussions. It's _weird_.
I think the real root of peoples' disagreement over what happened there is that rank-and-file employees wanted to assert a lot more control over what their company does than they actually could and they were informed that that wouldn't be acceptable. The six month severance was generous.
https://news.ycombinator.com/item?id=45622861
I more or less agree with the "no politics at work" stance
but you've omitted his recent "contributions", where he went completely off the rails
have a read of this https://world.hey.com/dhh/as-i-remember-london-e7d38e64
it's completely unacceptable, and he's promoting a self proclaimed fascist white nationalist (Tommy Robinson)
> I more or less agree with the "no politics at work" stance
> but you've omitted
I'm not that poster, but it was objectively correct to omit that, because it was as an objective matter of fact not "at work".
It does. Not. Matter. In this context what his beliefs are, or how they look to you through your lens.
In exactly the same way that, for example, the political views of GNOME and Xorg developers are not relevant to the development of those projects, and only become relevant when they get discussed in development spaces. (Or, you know, when they become the motivation for explicit interference in XLibre development.)
(political opinion incoming)
Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".
If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity, then you leave people with those sentiments running into the only open arms left: the far-right and the rest of their agenda.
As a liberal, even a progressive in my own mind, I still recognize that completely open borders are a problem and that we should expect all people coming to a country to want to learn the language and integrate with the native community and customs. This concept is compatible with respecting cultural diversity and immigrant populations and their civil rights.
And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe it or not, jail.
FINALLY - I don't see how this kind of hard-fork-over-politics maneuver helps change minds in the long run. It only generates bitterness.
> If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity
He explicitly cited race, not "British identity"; he quoted a Wikipedia page where he took stats excluding non-white British.
I don't think he was arguing the point you're attributing to him.
> Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".
what does DHH, a Dane, who as far as I'm aware has never lived in London (and certainly doesn't now), know about London/the UK?
absolutely fuck all
he should keep his trap shut, in the same way Elon Musk should stop attempting to stoke nationalist fires in a foreign nation
I am also a (British, not American) liberal, and I agree with your comments about integration
the UK has an integration problem that successive political leaders have attempted to brush under the carpet, whilst ignoring the electorate's desire for a reduced rate of immigration
but the sort of nativist crassness displayed in that blog post is not the answer
and leads down a very nasty road that we thought we had defeated forever 60 years ago
> And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe or not, jail.
I'm afraid this type of authoritarianism always seems to come with a labour government
That's not quite accurate. Quoting chatGPT, since it may have more credible neutrality than my own opinion:
""" Does Tommy Robinson call himself a "fascist" or "white nationalist"?
No — Tommy Robinson (real name Stephen Yaxley-Lennon) does not call himself a fascist or white nationalist. He consistently rejects those labels, describing himself instead as a patriot, free-speech activist, or anti-Islamist campaigner. To summarize the record:
* Public statements:
Robinson has said things like “I’m not a racist, I’m not a fascist — I’m a working-class lad from Luton who’s standing up for my country.” In interviews (e.g., BBC Panorama, ITV, and various YouTube appearances), he has explicitly denied being a fascist or white nationalist.
* Affiliations:
He co-founded the English Defence League (EDL), which has been widely described by journalists and researchers as far-right and anti-Muslim.
However, he left the EDL in 2013 saying it had become associated with racism and extremist elements he could no longer control. """
Maybe TR is a fascist or white nationalist, but he isn't a self-proclaimed one.
I don't know why you were downvoted for this. The term "self-proclaimed" does actually mean something in English and is not just an intensifier.
I mean, even if you grant that the EDL is not a fascist organisation (I don't) he was a member of the BNP which is an explicitly fascist organisation, so at best he is a former fascist or a reformed fascist.
> making your politics known and then being like "but you're not allowed to have an opinion on it"
As far as I can tell, this doesn't fairly reflect what actually happened. Ruby users were free to keep their own political views to their own blogs, just as DHH does. Reading world dot hey dot com slash dhh is not in any way required in order to use Ruby, participate in the development of Ruby or anything else along those lines.
There are a lot of prominent developers in the Python community whose politics I strongly disagree with. I got banned from the main discussion forum as a result of objecting to hidden Code of Conduct enforcement principles which (in my view) attempted to bring (many of) those politics in through the back door. (And in the process of getting into that meta argument, and doing research, I encountered several previous unpleasant incidents on the forum and on the mailing list that preceded it.)
But I would never start arguments with people in that space over things they wrote on their blogs. I would not go onto, say, the CPython issue tracker to complain about how certain people needed to be removed from the project because of things they said in their own spaces (like we saw with, for example, Opalgate). If I wanted to talk about someone else's politics — or my own — I would and could use my own blog for that.
The mere fact of people knowing DHH's politics emphatically does not politicize Ruby, Rails or any related project. To the extent that Python development has become politicized, that's a consequence of actual enacted policy, not the political beliefs of steering committee members, PSF board members etc. DHH putting this content on his blog was part of the effort to have it not in the workplace. And, in point of fact, that does keep it out of 37Signals board rooms.
Was there ever a mirror of this dustup in the Linux distro community?
I'm unaware of one ever happening, and I'm wondering whether it's because of mere fortune or because there's something about the APT / dpkg model that precludes this kind of messiness.
Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors? This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
The fact that you speak of "the Linux distro community" but also "the APT / dpkg model" is already telling. Most distros — i.e., everything not derived from Debian — don't even use the same package format. A lot of the problem has been mitigated simply by letting people choose among competitive suites of alternatives.
That said, there's been quite a bit of drama lately in prominent Linux projects — notably bcachefs, X11 (and the fork XLibre), and the Omarchy distribution (even connected to the current story!).
There was - see old systemd discussions. For instance, how devuan was started.
It is not 1:1 comparable though. Ruby, python etc... have a much more varied community. People contribute code. Only few contribute to the linux kernel directly. There are many more who write "apps", so this could be comparable. Still it feels different to me, since a language community is different to a community that uses different programming languages.
> Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors?
No, I think it is more that people never anticipated that corporations could take over projects. This has become more of a problem in the last years. Who controls github, for instance?
> This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
This is the issue of decentralized hosting versus top-down control. Ruby didn't have that problem in the past. It became more of an issue in the last few years. See DHH having an old tweet where he pointed out that he wants more control; I think this was from 2018. I don't remember it fully but it is on the ruby reddit.
Ideologically-rooted dustups are popping off all across open source right now, it seems. Forks-included.
I've even seen unironic claims of certain pieces of technology containing "Hitler particles". That shook me a bit because that's an old in-joke and was always intended to be a joke...
Who is the in-group for that in-joke?
Leftists. It's a Trotsky quote.
Thank you! I was hoping for this development! Now how about taking away rubygems.org from Shopify?
Is this without the consent of Ruby Central? Sounds like some kind of hostile takeover!
Edit: Seems like maybe a hostile take-back actually.
Ruby Central also announced it on their site.
There are numerous questions here, but also a few answers.
For instance, I pointed out days ago that Hiroshi Shibata did not act solo. Now this is confirmed - it was a matz directive. The main question to ask here is: could he not have made this open AND public from the get go? It would have lessened the confusion for some people.
Unfortunately this also has a few added problems now, because ... say that you are an indie dev or a solo dev. Would you want to "interact" with the ruby core team if they can just oust people at will if they feel they need more top-down control? Or, worse, if they only get money if companies pay them to do so? I am not necessarily saying there was a 1:1 connection with money in mind. For instance, the bin/gem was not designed by the ruby core team, in many ways was a mistake from the get go - see how Rust avoided this by having cargo. But one can not help but wonder how deep that money situation goes. u/jrochkind on reddit pointed that out, e. g. that there is very clearly a connection to ruby losing users and developers in the last ~5 years, and a dry-up of financial assets in general. I agree with him. Even if this was not the case here (though I somewhat suspect money had to do with many things here), the situation for ruby in general is really really bad. Perhaps matz felt that this was the only way forward, who knows. Either way it is not a good situation to be had.
It also shows how ruby is WAY too dependent on rails. If rails sinks, ruby sinks. That is BAD. DHH may contribute to this problem with the "I am the richest neo-boy in the USA" and odd blog entries (that's his though, he can write whatever he wants to), but the moment there is a financial interconnection is the moment there is no longer a fair field. And this is really bad, because it means ruby as such will be pulled by those who have money. Bye bye solo devs - you no longer have a place in the corporate infrastructure. And make no mistake about this: rubygems.org is a pure corporate entity now. Look at the new rules they forced onto everyone: https://blog.rubygems.org/2025/07/08/policies-live.html
This also reminds me of Pypi, by the way:
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...
Quote:
"Isn't supply chain security a corporate concern?"
And then he weakly tries to say "no, it isn't because corporations finance us now, it is all about LOVE, HAPPINESS and THE COMMUNITY". But in reality - it absolutely is. Corporations wanted more guarantees and these infrastructure-maintainers said "that's ok - we don't pay these indie devs anything but now we force them into mandatory 2FA, ad-hoc 100.000 restrictions (can not remove your gem past that limit) and any other random crap, such as not paying them anything and having them work for us for free". I am sorry but there are soooooooo many things going wrong here - I totally agree with duckinator. This was a hostile take-over, unfortunately now we also know that it was decided from within ruby-core itself.
Note that I am not saying that it is a bad idea to have something such as gem maintained by the ruby core team, I totally understand the reason for this, and I also pointed at the example of rust/cargo. However, the infrastructure shouldn't be a money-injection team for the ruby core team - the moment this happens is the moment things no longer work here. And ruby isn't merely the part designed by the core team; it also isn't just rails - you had many more people who contributed to ruby in the form of the ecosystem. Granted, many projects are abandoned (this is also a problem for rubygems.org by the way) but at the least this used to be true in the past.
In a way this is all a bit rubbish, because we see MIT/BSD licences, so people could just fork ruby (not that this is likely; I haven't seen anyone object to matz being an excellent language designer. I also don't think it is a problem if matz and the core team profit from this financially, that's perfectly fine. But the whole ecosystem shouldn't be in such a top-down control where corporations just buy their way into things, with DHH making snide remarks on his blog ("we got rid of the boys controlling the infrastructure now") all of the time while on Shopify's payroll - that is no longer a fair playing field here. Everyone can see this.)
Also, if matz made the decision weeks ago and told Hiroshi to do so, HOW was this fair to Mike McQuaid? The latter said he tried to act as man in the middle. But if the decision was made to finalize on this already prior to that, was Mike told that? If not, how is that fair? Either way I guess Mike gets the most praise from all sides simply for trying.
We'll see what happens, whether people love the new corporate-controlled rubygems.org or prefer gem.coop (which, admittedly, still have to deliver). I favour the latter, like the rising phoenix from the ashes - in part because I hated the new corporate rules that were installed onto rubygems.org, including the crap 100.000 download limit, but in part also because I feel that if gem.coop gets enough momentum overall, they can actually begin to solve NUMEROUS issues in the ruby ecosystem, from documentation to namespaced accounts (users and the ruby code as such, see duckinator's proposal) and so forth. Considering the damage shopify caused while wanting to control more of the ruby ecosystem, I expect them to now send more workers to go and improve rubygems.org as much as possible - and not ruin things in the process. Otherwise they would have only caused damage without any real gains.
The biggest loser in this are actually the folks at RubyCentral. Because ... what have they really ever done for the ruby community? Which high profile gems have they maintained? Just throwing fancy parties isn't going to cut it - Titanic was also sinking when it hit an iceberg. RubyCentral may still celebrate while sinking ...
Can you elaborate on sources about this:
> Now this is confirmed - it was a matz directive.
I did not see any confirmation in this announcement, do I miss something?
Most of his comments on this thread are about Matz taking over RubyGems and not happy with it one way or another.
> like the rising phoenix
Speaking of Phoenixes this whole debacle made me start diving into Elixir/Phoenix. My first impression is that I much prefer Ruby as a language, however I'm struggling to even think of using Rails currently.
so we get namespaces for gems?
These projects were not Ruby Central’s in the first place. They were stolen for Ruby Central by a Ruby Core insider, HSBT. This is horrible news.
They were stolen from André Arko, Colby Swandale, David Rodríguez, Ellen, Josef Šimánek, Martin Emde and Samuel Giddins.
They did not WRITE RubyGems, they inherited it and evolved it. Chad, David, Jim (RIP), Paul and I wrote RubyGems. I hosted RubyGems from my home in Virginia for several years before we could cover the cost of colocation and stood up RubyForge. It's nice to look at the near history and think that this is all of history but it is not. Ruby Central has always been the stewards of RubyGems and then later, Bundler.
Thank You, not only for RubyGems and hosting it, but for replying to all the accusations and comments that to me are simply bending truth. Such as that they wrote RubyGems and that somehow Bundler belongs to them. And despite you correcting them multiple times, they still continue with the same narrative.
It may be best in the future direction to have Ruby Central's role on RubyGems and bundler completely eliminated and simply just hand them over to Ruby Core and Ruby Foundation in Japan. I will gladly donate just to avoid any more US politics and drama.
Get this: I've used what you guys built back then almost every day for the past 20 years. (also, long time no see - we should catch up).
You guys did an amazing job!
First of all, thank you! It's unbelievable that you built the first version of `gem install` in a single night. It must have been an amazing feeling. I remember the drive when I was doing some hackathon with a few friends. It's the best feeling a software engineer can have.
When you left RubyGems and Bundler (let's call them "Projects") team, you handed over your authority to whoever was left and/or was added later. It doesn't matter in which order things happened. What matters is that Ruby Central _and the rest of the team_ were the stewards of Projects. The important part here being _and the rest of the team_. André had every right to keep being part of that team, and he was for a long time, together with many other team members, all of which were removed by "a representative from Ruby Central". What an inhuman way to remove someone from a Project. "Hire" someone to do the dirty job for you so you don't have to. The decisions in a team should be done by reaching a team consensus. Not by one actor. I believe it's for the better that André was removed from the team, but it shouldn't have been done like this. Ruby Central lost their trust in the eyes of many. They could've achieved the same goal in a much better way. How can I trust an organization with management of something if they failed to manage this whole situation? Claiming this is all in the name of security and then not even knowing how to properly remove access from someone. So much about security...
I totally understand and agree that it was handled very poorly.
I can confirm the above. Sadly felt a confirmation might actually be helpful because there's some wild stuff around the threads today.
This is a question that I have, HSBT was the one who flipped switches, and it's been unclear to me how those decisions were made.
So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?
As long as Matz is involved, I have a lot of faith things will get better, not worse, unless you have some strong indication of otherwise. If anything, because things will be nicer.
> So what? NPM wasn't originally owned by Microsoft, nor GitHub, but reality moves forward?
NPM was a company and it was acquired and it was voluntary. I don't think you can compare it to this situation - this is more of a messy situation with everything open source collaborations, rather than having clear ownership in a single entity:
https://github.blog/news-insights/company-news/npm-is-joinin...
Or are you referring to the pre-2014 situation where NPM wasn't VC Funded, but in a more nebulous state? It didn't last that long.
So it’s okay for Matz to get HSBT to steal people’s open source projects? What if Matz's sponsors stole Ruby from him? WTF?
I was one of the originating authors of RubyGems along with Jim (RIP), Chad, David and Paul. I hosted RubyGems from my home for the entire community for many years. We never asked nor received anything for that. We wrote RubyGems for the Ruby community. Matz and the Ruby Core team is the right place for RubyGems. This is great news.
Thanks for sharing. RIP Jim, I miss him being part of the community.
Have we got any sources for Matz getting HSBT to steal it? I mean, I get that they're both members of ruby core, but that's a bit of a claim.
> So it’s okay for Matz to get HSBT to steal people’s open source projects?
Where is the theft? The projects were open source, they are still open source.
The software is open source, not the project.
The name is not for the taking. You can download the code, modify and release it, but you can't just claim ownership over a product.
That is a question of trademark law and a much more complex topic. Many people contributed over the years.
Andre Arko was not the original author, so how did he get the name? Did he take it from someone?
I don't know, and I don't care. I wonder if you try to imply something ridiculously strong, general, and obviously false here?
Jesus, Joel. You are a really, really upset person. I read your stuff on reddit/r/ruby. I understand your frustration but you are so biased. Like really, really biased.
What wasn't factual in Joel's comment?
It paints all the stuff as if it were one person's fault. It omits to tell stuff like:
- gem.coop -> the person behind it has a new tool, rv, that they want to sell
- they want to sell the rubygems logs to corporations
- changed the root password at AWS once they were removed from the project
Small details like this.
Let's say all of that is true. Did or didn't RC perform a hostile takeover of the repos?
you're leaving out copious amounts of context here so sounds like you are obfuscating on purpose.
Oh, I didn't know that André wants to sell gem.coop and/or rv. Can you please point me to more info about where this intention to sell gem.coop and/or rv was mentioned?
They want to sell some RubyGems logs about corporations (not individuals) using RubyGems API, to...Ruby Central?
As André explained on his site, he was on-call at the time when they were removing him. He acted to protect the service by limiting access. No harmful actions done by him were ever discovered by Ruby Central. It's two entities fighting to remove the other. You can say Ruby Central was right, I can say André was right. But we do know that Ruby Central fired the first shot when they (could've been an actual hacker) removed literally everyone from RubyGems and Bundler projects.
I'm sure you're not biased. I'm sure all the people applauding Ruby Central and Ruby Core right now aren't biased. /smh