A Board Member's Perspective of the Rubygems Controversy
Posted3 months agoActive3 months ago
apiguy.substack.comTechstoryHigh profile
heatedmixed
Debate
85/100
RubygemsSupply Chain SecurityOpen Source Governance
Key topics
Rubygems
Supply Chain Security
Open Source Governance
A Ruby Central board member shares their perspective on the recent controversy surrounding RubyGems, sparking a heated discussion about the trade-offs between security, community trust, and funding.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
1h
Peak period
62
24-30h
Avg / period
12.1
Comment distribution157 data points
Loading chart...
Based on 157 loaded comments
Key moments
- 01Story posted
Sep 21, 2025 at 3:20 PM EDT
3 months ago
Step 01 - 02First comment
Sep 21, 2025 at 4:34 PM EDT
1h after posting
Step 02 - 03Peak activity
62 comments in 24-30h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 25, 2025 at 4:05 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45325792Type: storyLast synced: 11/20/2025, 5:27:03 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
People went WAY too far WAY too fast on this. There HAS to be urgency to this, the software supply chain is presently, undeniably, under attack.
Frankly, everyone blasting RubyCentral the last few days should feel shame and embarrassment. These aren’t evil suits at Microsoft, they’re normal people invested in maintaining a critical piece of infrastructure for the good of all who love and profit from Ruby.
expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the Github org anymore. Any one of them were huge targets for adversaries who want to ship malware in Rubygems, supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.
my main takeaway from reading all this is why were so many assorted people given such high levels of access..
also, if you step back, Ruby's problem is it consists of a fading community of millenials and Gen Xers who first came to Rails when it was the best/coolest option. however with the majority of builders now turning to JS for web, Rust (and Go) for systems, and Python for ML, it doesn't have a use case anymore that can drive a community or any hope for growth in the future. so a "niche DSL" for legacy webapps and plugin systems is what's left IMO, but i'm sorry for being super frank about it
languages like this with a shrinking community and loose security policies pose around the centralized package management system pose high security risks to its users.
Also, commit access to Github doesn't even say anything about access to deploying the actual package on rubygems. If security really was the goal, there were a million less invasive ways to make this change then revoking commit access from the active maintainers. Set up branch protections, require approvals, etc. There are a lot more tools in the toolbox other than "remove all of the maintainers".
Ruby has been a HUGE part of building my career, I don’t want to see it slide away one questionable move at a time into full corporate control. It’s not TOO hard to see how this whole thing could just be step one of that :/
I had a similar “yuck” when WPEngine started taking Mullenweg to task over all of the WordPress shenanigans - that hit a lot closer to home for me, as I’ve spent about half of my career building great sites and applications on top of Wordpress. Although I’ve moved on, I was still an active contributor on the WP StackExchange and had my ear to the ground in several plugin repos I authored for employers who contributed to Five for the Future, and replied to comments on blog posts from people who found my previous insights helpful.
I have zero interest to ever go back to that project because of how poorly it’s been managed - if you want to see one man completely wreck an open-source ecosystem, it’s quite a fascinating if not depressing story.
is somewhat at odds with
> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,
but not so much. Then the sentence goes on with
> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
So something has been wrongly managed or wrongly sold.
Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.
I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.
Seems pretty clear-cut to me.
Something like:
"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."
Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...
My general take on this:
1) Nerds are often not the best at communicating.
2) People on the Internet can be very cruel towards people they don't know.
We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.
Given that access was cut, then restored, then cut again, then days, then someone finally says "hey were were going to lose critical funding" makes it seem like a post-facto excuse for a hostile takeover.
And the whole "oh, well, we're bad at comms" makes it sound even worse!
Which is the whole crux of the issue. At no point in any of this did Ruby Central do anything reasonable. The they tried to explain that their unreasonable actions were reasonable, if you only knew the things they knew, which they were for some reason unable to tell people until just now.
Could it be true? Sure, absolutely.
Does it seem reasonable at the moment? Hell no.
> Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.
> Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
deivid-rodriguez's last commits were Sept 18: https://github.com/rubygems/rubygems/commits/master/?since=2...
With 7873 commits since 2018 he's 2x over the second one and crushingly the most active contributor since then: https://github.com/rubygems/rubygems/graphs/contributors
However you slice it, none of that fits into TFA's above narrative.
His access being revoked can only be described as complete bonkers.
Ruby Central as an organization touts that it is responsible for RubyGems. Assuming this narrative is accurate, they needed to get agreements in place with contributors to appease some funding partners.
This shit happens. Especially as an open-source project started by one dude in 2009 turns into critical infrastructure managed by a 501(c)(3) non-profit.
That they failed so fucking spectacularly speaks incredibly poorly of their board.
I've seen some contention around that. RC owns the rubygems infrastructure. But it's not clear that they should own the repos of the open source rubygems or bundler projects that they use. They just seem to have fallen to that organization by way of some admin owner passing through, rather than an official hand off.
From the guy who has supplied most of the chain.
If you can't work out an agreement after a good faith period... then that can become a good reason.
Who cares that you have funding for things like build servers and meetups when your core developers walk away and the project is left to rot?
[0] https://rubygems.org/gems/bundler
[1] https://web.archive.org/web/20250824033341/https://rubygems....
'My work in Bundler & RubyGems is completely halted, including the Bundler 4 project which I expected to complete in the next ~2 months. The immediate reason for this is simple: my commit access to the repository has been revoked, so I can no longer do the job anymore. The more fundamental reason is that I completely lost motivation after all the recent events, regardless of whether work is paid or not.
I'll be happy to resume my work in Bundler & RubyGems if maintainer ownership prior to September, the 9th is restored, and thus the previous maintainer's team is allowed to continue building a transparent and democratic governance model for the project.'
"I WANT to apologize ... that I feel awful."
"How can you possibly talk to someone about changing access, when multiple people tell you no, you are wrong?! A coup is the only way!"
"Because funding deadline, we executed a coup, which will keep everyone safe from hostile actors... Taking over accounts and access"
That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.
https://pup-e.com/goodbye-rubygems.pdf
> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
> added non-maintainer Marty Haught of Ruby Central, and
> removed every other maintainer of the RubyGems project.
> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams
Which is important context that was left out of this board member's statement.
You responded with an ad-hominem attack. If you can offer a rebuttal of the facts then please do, otherwise try to refrain from personal attacks.
Having access revoked with no heads up is a slight. You’re goddamned right they feel slighted. They were slighted.
“Feel slighted” is like “I’m sorry you’re upset”. You put everything on the aggrieved party when you say it like that.
^ This was a personal attack.
A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.
And still! If there is an "official" statement, I can't find one on https://rubycentral.org/.
This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.
2. Click News.
3. It’s the top item.
Direct link: https://rubycentral.org/news/strengthening-the-stewardship-o...
Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.
https://github.com/rubygems/rfcs/pull/61
The conversation terminated because the majority of those people then had their access revoked again.
When weighing the facts here; which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?
> less emotional,
Expressing emotions is good, actually.
I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.
Sounds like they made some really big changes and put zero effort into communicating to people who've spent 10+ years working on the project.
I should not have skimmed it. From your link:
> In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.
> To all of that he ads a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the the US Tea Party, and Tommy Robinson himself.
This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.
edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:
> Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.
Well, if that doesn't speak volumes as to DHH's values, I don't know what does.
Welp, looking forward to the holy wars between people running different influencers' configs five years from now. Who knows, maybe we'll see premium versions of those too.
[0] DistroTube which maintains DTOS, https://distro.tube/dtos/
[1] LunarVim
[2] AstroVim
[3] Doom Emacs
Is that it?
https://harvardharrispoll.com/wp-content/uploads/2023/12/HHP...
Do you think that the long-term answer to the Israel-Palestinian dispute is for Arab states to absorb the Palestinians, for there to be two states, Israel and Palestine, or for Israel to be ended and given to Hamas and the Palestinians?
51% in the 18-24 group chose the third option.
When someone lives this far into an alternate relatity it leaves basically no room for discussion. The amount of work that has to be done just to get everyone back to some relative place of sanity is damn near insurmountable. It leaves no time or energy left to have an actual discussion.
The state of Palestine is an answer to the question of "what nationality do the residents of Gaza and the West Bank have?"
Until now I thought his craziest idea was that dynamic typing is better than static typing. (Just a joke, not trying to start a war over dynamic vs static lol)
But yeah I agree. Given the opportunity I'm almost always going to go for a statically typed language.
Nah it's the worst part about Ruby.
Also, naturally I ended up at zero points on that post lol. That wrecked someone's day.
But my point was that I am absolutely sure the majority of Norwegians _want Norway to remain a country that retains its cultural history_ while not being exclusive to one ethnic group. It's about retaining a majority.
I don't understand why that sentiment is so problematic here on HN, because simultaneously people are clamoring for a Palestinian state for the Palestinian people.
Why can't Norway have a Norwegian state for the Norwegian people? Or Denmark? Or the UK?
I can't speak for Norway, but in Sweden the only party worth keeping an eye on that adheres to the usual combination of pro-Russia, anti-abortion, anti-immigrant, anti-EU rhetoric etc is Sverigedemokraterna (formerly Bevara Sverige Svenskt, a party based solely on the idea of an ethnostate). They're hovering around 20%.
> But my point was that I am absolutely sure the majority of Norwegians _want Norway to remain a country that retains its cultural history_ while not being exclusive to one ethnic group. It's about retaining a majority.
Is the existence of history dependent on the ethnicity of the person reading it? I'm sure you've met non-native people who are in all other respects very much Norwegian.
Unless you mean to imply that culture is constrained to genetics. I deeply hope that that is not what you meant.
> I don't understand why that sentiment is so problematic here on HN, because simultaneously people are clamoring for a Palestinian state for the Palestinian people.
How many Norwegian cities were leveled by bombs this year? How many were murdered by foreign military?
> Why can't Norway have a Norwegian state for the Norwegian people? Or Denmark? Or the UK?
They do. Here:
https://en.wikipedia.org/wiki/Norway https://en.wikipedia.org/wiki/Denmark https://en.wikipedia.org/wiki/UK
All fully functioning sovereign states, all internationally recognized by their peers and enemies alike.
> There are really a lot of us Danes who believed that when people came to this ‘world’s best country’ and were given such good opportunities, they would integrate. They would become Danish, and they would never, ever harm our society. All of us who thought that way have been wrong.
That's objectively observed reality in Denmark. And in Scandinavia in general. It's not about race, it's not about skin color, it's about cultural heritage and values.
All we're saying is that to retain a country's cultural heritage and carry it -- and obviously shape it -- into the future, you have to retain a majority of that heritage, and integrate newcomers. Otherwise it's no longer Denmark.
"We want immigrants to integrate" is not the same as "we don't want immigrants", which is the point you're trying to make.
https://world.hey.com/dhh/as-i-remember-london-e7d38e64
London is no longer the city I was infatuated with in the late '90s and early 2000s. Chiefly because it's no longer full of native Brits. In 2000, more than sixty percent of the city were native Brits. By 2024, that had dropped to about a third. A statistic as evident as day when you walk the streets of London now.
Copenhagen, by comparison, was about eighty-five percent native Danes in 2000, and is still three-quarters today. Enough of a foreign presence to feel cosmopolitan, but still distinctly Danish in all of its ways. Equally statistically evident on streets and bike lanes.
But I think, what would Copenhagen feel like, if only a third of it was Danish, like London? It would feel completely foreign, of course. Alien, even. So I get the frustration that many Brits have with the way mass immigration has changed the culture and makeup of not just London, but their whole country.
you have to retain a majority of that heritage, and integrate newcomers. Otherwise it's no longer Denmark.
what you are asking is not possible without rejecting immigration.
that is the delusion. it is the same all over europe. people expect 100% integration. yet at the same time, prejudices will reject them if they are not completely invisible. that is not possible, and it is not the integration i would want. i have written about this before: https://news.ycombinator.com/item?id=44746099
The reason might seem odd. But it ocurred to me that if you want to use immigration to reduce crime, including rape, the obvious solution is to ban all male immigration.
That shocked me because it seems so wildly discriminatory. Yes, most violent crimes are committed by men. But very few men commit violent crimes. Banning male immigration would punish a large group for the appalling actions of a few. Making it about "$some_country's men" doesn't seem a whole lot better. It's still unjust to punish someone for someone else's crime.
If anyone is curious about the exercise, I recommend trying it. It was disconcerting to sit with the idea of banning male immigration, really seriously consider it and realise how viscerally shocked I was by the idea.
Edit: for context, in the UK right now, phrases like "rape gangs" are part of the debate/argument about immigration.
Disallowing someone from immigrating is not a punishment because there is no right to immigration anyway. In fact I believe we should go even further and see immigrants as investments. If the immigrant is unlikely to have a net positive tax contribution (or at least not being a rapist, for a more realistic target), I don't see any reason to allow him or her to be here. If you accept this idea, there is nothing wrong with training a neural network on characteristics of existing immigrants to predict the future value of a particular potential immigrant.
There's nothing racist about the facts. How one responds to it can indeed be racist -- ie. "all people of one of said nationalities are like these ones" would be racist. But observing that a nationality of immigrants are vastly overrepresented is just using your eyes to observe reality.
Were independent inquiries also repeating weaponised tropes from long since discredited reports?
“By far the majority of perpetrators were described as 'Asian' by victims, yet throughout the entire period, councillors did not engage directly with the Pakistani-heritage community to discuss how best they could jointly address the issue. Some councillors seemed to think it was a one-off problem, which they hoped would go away. Several staff described their nervousness about identifying the ethnic origins of perpetrators for fear of being thought racist; others remembered clear direction from their managers not to do so.”
https://www.rotherham.gov.uk/downloads/file/279/independent-...
The ultimate problems lie in the police: they are generally terrible at handling rape cases, and in this case there are claims that they were actively complicit in some of the rapes.
Using the actions of some members of an ethnic minority to justify .. well, any action against people who were not actually personally involved, is textbook discrimination.
This post is full of outright nonsense. I was in Central London last Saturday and watched a lot of it go down, before heading to Islington and then catching the last dregs of the crowd nearer Euston and chatting in the pub with some of them.
As a "native Brit" and "native Londoner" that DHH wouldn't recognise as such, he can absolutely do one.
He is going to be ultra surprised to learn what the majority thinks and how it's not what he thinks it is.
Using your personal brand to espouse the values of ethnonationalism fundamentally serves the capital class wishing to divide and exploit social order among those who labor. This is so rich, coming from the guy who literally created a tool that increases the value of labor.
So, if I had to guess, the smart, critical thinkers in the _global_ Ruby community might find this whole situation reeks.
If I were an immigrant to the UK and a Rails developer, and DHH is getting re-platformed while saying crazy stuff like this, I would think twice about my career choices going forward — Or, push the Ruby community not to stand with a garbage attitude like this, even if from a BDFL-type personality. I _invested_ my life into promoting the use of your tool, while you disparage me based on skin color and country of origin for the sake of some 'ye olde country' vibefest?
Does DHH even know where his principles lie?
If it's cultural (religion, music/sports related subcultures and codes) then it's chosen. Nobody can force you into a subculture in the West. As soon as you turn 18 you can essentially do what you want, most likely even way before that.
You can chose your subculture, how you dress, style your hair, talk and are read by the mainstream society. Actual racists go by skin color and ignore your cultural choices, fuck them.
While in certain cultural contexts Turks may be read as white, within Europe there is a history of excluding them from whiteness and presenting them as a threat to European culture, mostly due to Islamophobia
I was talking about the culture you chose and the stereotypes that go along with it. Stereotypes override ethnic features unless you actually deal with real racists.
DHH might not be street smart enough (like most people in tech) to see through those stereotypes on the streets of London.
You start your original comment by asking what makes Turks non white which I answered, and from what I understand you believe that choosing to participate in a culture from the diaspora you are a part of means that you have to bear the burden of the stereotypes about that culture, even if they are racist in nature? And furthermore, you believe that people that believe these stereotypes are not real racists because real racists only care about skin color?
Again, I could be misunderstanding, but I don't think that you need to only care about skin color to be racist. I think that DHH's anxieties about replacement of naitives being mostly focused on MENA people feels like a pretty clear sign he believes that non European (aka non white) immigrants are a problem, which to me, is racist.
This is how your point reads like: Just cosplay as a white european christian, and if you still experience racism... well fuck those racists.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
The first thing is they didn't tell them. The second bit is simple:
"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."
That email takes 10 minutes to write and send.
Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.
No, reasonable people would not have accepted "we're unilaterally deciding to lock you out with no advance notice, over something we could and should have been discussing for many months or years, but instead screwed up so badly that we're doing it ten minutes from now".
And communicating [situation], [action(s)], [how this affects you] is one of the most basic professional communication skills you could imagine.
In the linked post the author claims to be just some grateful Ruby developer volunteering their time to mundane bookkeeping tasks for an organisation they feel lead to support, describing themselves with:
-----------------------------------------------------------------
When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.
20 years later, and here I am, a reasonably successful person who's built a career out of building software.
-----------------------------------------------------------------
Yet the Ruby Central website describe them like this:
-----------------------------------------------------------------
Freedom Dumlao is a seasoned technology executive with experience at leading companies like Vestmark, Flexcar, Zipcar, Wayfair, and Amazon. Currently the CTO of Vestmark, Freedom brings strategic insights that will help drive Ruby Central’s efforts to expand the Ruby ecosystem and build stronger connections with top companies and startups.
-----------------------------------------------------------------
The post appears to be signed as "MINASWAN", a well know pseudonym for Yukihiro Matsumoto, the chief designer of the Ruby programming language. Hard to imagine a scenario where that was accidental and not an attempt to manipulate readers into assuming Yukihiro has something to do with writing the post.
It's posted to a Substack launched 1 day ago. With the username/subdomain "apiguy" - suspiciously not 'ctoguy' or 'seasonedtechnologyguy'.
I place pretty close to zero respect for the OPs position, compared to well known names in the decade long Ruby Gems committer community.
From https://en.m.wiktionary.org/wiki/MINASWAN
> Initialism of Matz is nice and so we are nice: a motto of the Ruby programming language community, in reference to the demeanor of Yukihiro Matsumoto (nicknamed Matz) [...].
I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.
Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.
There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.
Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.
This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.
It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.
Only time will tell if this was really damaging to the ruby community or just a temporary hurdle
Which isn’t a bad thing that people get to contribute on company time.
Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.
> 37signals built Rails for Basecamp and has since used it to create all their web products.
From: https://rubyonrails.org/foundation/37signals
gems and bundler is for everyone though, even hobbyists writing scripts. Alienating contributors who support common infrastructure for no good reason is just plain stupid especially when those projects wasn't theirs to begin with
just because they host it doesn't mean it's theirs
my webhost doesn't own the community around my projects simply because it's on their server
Breaking down the posted article, there’s a lot missing (which the author admits), and it’s not clear really what the goal of the post was other than to say “someone, not me, made an oops. But it’s fine, right, because the community needed this to happen.”
Parts that were particularly odd, that others have said with better words:
- Who imposed this ultimatum on RC? - How long was the timeline to “tighten things up”? It sounds like there was both a decent amount of time and an immediate urgency - it can’t be both. - “We’re nerds who can’t communicate well” (paraphrased) is such a poor argument - I get it, I’ve had to do a lot of work to figure out how to navigate social spaces and how to communicate effectively in professional settings. That said, the author is writing as if they’ve never had a single conversation with a technical person that they didn’t know well; that any conversation about removing or reducing access would be a catastrophe. That’s ridiculous.
It seems that either there was poor planning around this, or someone forgot about the deadline and YOLO’d it, or there was a malicious push to oust some of the biggest contributors under the guise of security.
One thing is clear, regardless of what the root cause of this all was: RC showed a deep lack of respect for the people that make their community what it is, and that stinks.
This makes a lot of sense, and it puts the 'drastic' action in understandable light.
It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?
Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.
But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.
Bingo
How much information and what information did Board members have when making their votes?
One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.
This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.
Do you contribute? I can send you a link if you don’t.
The actions taken by people in service of Ruby Central have had unintended consequences, including damaging the community's trust in Ruby Central's stewardship.
A new governance model will solve only the problem of there not being a governance model. There also has to be an acknowledgment that the lack of an existing appropriate governance model wasn't just a "fiduciary failure," but a failure which cased harm to the community and contributors. Contributors who—like the board—are volunteers, and would have probably liked to have their significant dedication shown more respect.
You show respect to someone by giving them important information from which they can use to make their own decisions. As opposed to withholding information because you are uncomfortable with the possibility that they may make a decision you don't want them to.
In particular, after a long winded introduction and setting of the scene, suddenly there’s a mention out of the blue of a 24 hour deadline to cut off access or face losing funding (forever)? But who was holding this deadline over the board’s head is not explained (in fact the author doesn’t seem to know???).
Overall this just reinforces the impression that the RC board handled this sloppily and in a rushed manner, and failed to communicate with long term community members, and thought of themselves as the only parties who mattered, while not taking responsibility for holding such an important position (see the opening paragraphs about how “we don’t have time to communicate to the public because we’re busy programmers without a PR team”).
Wildly unprofessional or just willful lying.
> Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
This is the most candid bit of the article.
RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...
If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.
By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.
To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.
Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.
https://bsky.app/profile/mikemcquaid.com/post/3lz7klsyue22f
https://bsky.app/profile/mikemcquaid.com/post/3lzfxctubbk2y
TL;DR: Regardless of what you think of RubyCentral’s actions, it’s very clear they absolutely screwed up the execution and communication here. In general the transparency is far below what you’d expect from an open source organisation.
> I want to apologize, genuinely, to people who have felt (...) outrage (...) after reading some of what others have shared.
He's apologizing for what others have shared, not for what they (Ruby Central) did.
> I often go out of my way to avoid making people feel bad
"I'm the good guy."
> and so to be part of what's caused so much chaos lately has really been awful.
"_I_ feel awful."
"I'm sorry for what others have said about what we _did_. I feel awful for people being outraged" Amazing.
> this is a small group of volunteers spread out all over the globe. (...) It's just us.
You didn't, for a single moment, think about notifying the people involved that you are removing them? It's the very first thing to do - notify someone who's involved of the change in their status. If your communication skills didn't reach a level in which you thought that would be the thing to do, I don't know what to tell you.
> It is really boring stuff. So why do I do it?
So what? Should we feel sorry for you?
> I love the community. I love the people who use Ruby, (...) I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.
Cool.
> I can't speak for the board or the Ruby Central staff. But (...)
proceeds to speak for the board and the Ruby Central staff.
> Ruby Central has been responsible for RubyGems and Bundler for a long time.
This is a lie. RubyGems and Bundler have been maintained by a group of core maintainers. Some members of this group were also Ruby Central staff, but not all.
> It's not a new story that Ruby Central has been working on (or trying to at least) improve the governance model for Bundler and RubyGems.
It's a new story to me. If it's not a new story, do you mind sharing some links to past discussions?
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
You learn some basic English. And then let them know. It's called communication.
> And what if other people who do still need that access claim things like "If you remove their access, I'll just add it back" or "If you remove their access, I'll quit".
It's called consensus. And communication. You talk. You speak with people. And then you agree on a decision.
> These are emotional conversations.
Yes, they are. Is that why we shouldn't have them? When you want to leave your wife, do you just leave? What a strong person with strong values.
> I wasn't a part of them and can't actually speak to the content of the conversations or how they were handled.
Bad. They were handled bad. Why did you write this post? You don't have information, you don't know what happened...you just love people and community and companies. Happy happy joy joy.
> we don't have a "communications team"
You don't need a communications team. You just need to have a communication channel public or private, where you can reach all of the core members. It could be an email with everyone in CC.
> A deadline (which as far as I understand, we agreed to) loomed.
If you're not sure whether it was agreed on, again, communication. Learn how to communicate. Which deadline? Who set this deadline?
> With less than 24 hours to go
Did someone give you 24 hours deadline? Why wasn't this discussed long before the deadline?
> Marty, Ruby Central's Director of Open Source
How the f is Marty? If he wasn't one of RubyGems maintainers, why is he suddenly being put as the main maintainer? Aside from communication issues, you also have decision making issues. All of the core members should come to an agreement, without Marty.
> I love this community and I love Ruby.
Cool.
Please find some time to read a book or two on communication skills. As well as decision making.
Read the comments in this thread. Ignore mine, don't think too much about it. Just read other comments. Then think again about your decision and to which percentage people in this thread agree with it. And perhaps reevaluate it.
> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?
Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.
I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.
Just drop all the facts. Acknowledge you fucked up. Or dont say anything at all?
A board position means responsibility not just "head down coding". And that means communicating with people.
For clarity I wasnt super keen on the original submission this is responding to, for similar reasons.
If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)
14 more comments available on Hacker News