Remember why the lucky stiff?
The last spat between the pro-Israel, anti-immigration gang and the cancel culture gang that resulted in Matz taking over contended code is a perfect illustration.
The Ruby community respected his pseudonymity. Some of us already knew his name.
> many such people in the Ruby community.
In which case, this presumes that the values you share with the Ruby community are positive - otherwise you would be talking about this heterogeneous group in a generally negative way.
This would appear to beg the very question under contention - that the values of the Ruby community are not in fact positive, but toxic; unless you wish to argue that a community can simultaneously profess positive values and still exhibit toxic behaviour.
One position offers historical (and current) examples; the other offers an impressive feat of linguistic gymnastics.
I remember _why and I definitely don't remember him as toxic.
The pickaxe guys coined it. People repeat it without thinking about it.
If matz were to say "jump from the bridge", people would do it, because matz is nice?
Just to point out: I do think matz is nice and a great language designer. That in itself doesn't mean anything. Why would I proxy my own decisions based on any mindless slogan? That makes no sense. Why do people in the ruby ecosystem keep on repeating those pointless slogans?
I don't know about the Ruby community, but I've seen this sort of complaint made about many other online spaces (including HN) and my general finding is that it simply isn't true. The problem is that for a proper call-out, both form and content matter, and most people in a mindset to make call-outs don't seem very interested in norms surrounding either of those things. Especially the part where part of good form is accepting that not all kind, well-meaning people have the same moral values and calculus.
> Try calling out Python's inner circle politely while they are openly rude to you.
...You do know who you're responding to, right? I have first-hand experience of that (https://zahlman.github.io/posts/2024/07/31/an-open-letter-to...). (Although I don't think most of their rudeness is intentional; it seems to come from a failure to understand that not everyone has the same social norms.) I spoke in generalities for a reason.
The current situation is ultimately mostly about callouts of DHH, which are happening all over the place (including here) and the form and substance of most of those callouts is... not good.
Exactly, why would you? But ignoring a hypothetical communal bridge jumping situation, do you have a problem with Matz having stewardship over RubyGems? Use your own thinking. If you're okay with it, then... is it because Matz is nice?
I don't think I've ever seen Matz be rude to anyone on the Ruby bug tracker. I've actually witnessed him deal with controversial topics firmly yet gracefully, making decisions that avoid turmoil in the community and that leave no room for escalation into flamewars. Other projects weren't so lucky.
I wrote some Ruby in my teenage years and his conduct certainly made an impression on me. I try to remember this guy whenever I get too angry about stuff. We should all try to be more like him.
That's what the phrase is saying, by the way. It's an encouragement to follow in his footsteps.
The statement is ambiguous. I interpret it as "no child left behind THE STANDARD FOR THEIR AGE". In that interpretation, other kids being ahead of that standard doesn't mean the other kids have to be behind the standard. Every kid could be not "left behind" the standard even if some are ahead of the standard.
Of course, NCLB has a lot of other issues, but I think the name isn't the issue.
If by both statements you mean "all children must be in exactly the same position", yes ... but that's a wilfully obtuse interpretation.
As always, there's a relevant xkcd: https://xkcd.com/1170/
...but seriously, what on earth do you think you're saying here?
* DHH said some things on his blog that some people believe to be deeply racist / fascist (not going to unpack whether they were or not because answering that question is irrelevant to the fact pattern; consult other threads for that debate).
* A Ruby conference run by Ruby Central was asked to deplatform him. Since he's the creator of Rails, they declined.
* In response to their decision, a major sponsor (Sidekiq) pulled out of supporting the conference and Ruby Central in general, to the tune of $250k a year.
* This created a "blood in the water" situation where Shopify hit Ruby Central with an ultimatum: they would back-fill the lost sponsorship for oversight control of Ruby Central (and the gem repository they maintain, rubygems.org). And if Ruby Central didn't take the deal, Shopify was going to pull their funding also, leaving them in dire straits (this, BTW, is a fairly common corporate tactic when multiple partners share support of a service that doesn't independently generate revenue. Look for it in your own business, startup company, and nonprofit dealings!).
* Shopify now de-facto controls rubygems.org and people immediately started backing towards the exits because corporate takeover tends to be a harbinger of enshittification. As if to prove the point, Shopify's folks immediately ham-fisted the access controls, yanking several gem creators from the admin roles of the gems they created. They claim this was a mistake; several in the community do not want to give them a benefit of the doubt they are not believed to have earned.
* Community members are standing up gem.coop as an alternative gem repository.
At this point, it's probable that any attempt to just list the pertinent events isn't going to end up being as neutral as one might hope because even the choice of what context to include or exclude is itself editorial. This is the same lesson people might learn in a high school history class, just applied to something much more recent.
Perfect neutrality is unachievable but that doesn't mean that every possible way of presenting the facts is equally valid, or even that it's impossible to distinguish presentations that are or aren't missing important context (see, e.g., the surprising success of Twitter's Community Notes).
You’re likely aware, though it’s worth mentioning, that the new owners ousted all existing maintainers without any explanation[1]. This follows a prior incident where access was revoked and later restored, with assurances that it was a mistake. This situation can only be viewed as a malicious attack, in which only the new owners had a full understanding of what transpired. Changing the password was a reasonable and appropriate response that any competent person in a similar position would've considered.
I’m shocked that we seem to be experiencing a Freenode 2.0 situation, but with some supporting the usurpers instead of the longstanding maintainers. It’s only been four years since the Freenode debacle, yet certain types of people seem to have grown bolder since then. A "win" for freedom of expression, huh?
It’s telling that you can write multiple paragraphs claiming the moon is made of cheese while expecting others to communicate only in brief, misleading soundbites.
https://en.wikipedia.org/wiki/Loaded_question
Changing passwords was the responsible course of action to protect Ruby users in light of the attack. Maintainers should act in the interest of the Ruby community, not in favor of usurpers with a vendetta.
Here's what I think: people are starting from a sympathetic principle (independent community-minded maintainers are better than corporations) and working their way back to what they've decided must have happened. The person we're talking about here tried to (quietly!) monetize the server logs for RubyGems. Don't even try to play the "that's what RubyCentral says" card --- they published the email.
The world doesn't always line up with the most sympathetic principles.
Personally I also think the monetization proposal was silly, but that was in August and Ruby Central rejected it.
He logged into the root account because he thought he was on call and that someone was taking over Ruby Central, so he reacted in real time. With the obvious chaos and incompetence in Ruby Central and the ill-defined takeover, that does not seem far-fetched.
What exactly would he have gained by openly changing the root account for malicious reasons? He knows he would have been found out. It is not even a hack.
Shopify stole RubyGems from the maintainers, do you deny it? They tried to do so in secret, keeping the maintainers and the larger Ruby community in the dark. Their claim that the access revocations were a mistake was a blatant lie. Moreover, they spun even more conspicuous falsehoods in response to the public backlash.
When you twist protective measures against ongoing theft or shitty proposals that went nowhere into a nefarious conspiracy to justify the theft of critical Ruby infrastructure, it’s time to take a hard look in the mirror.
And hey, since you imply that loaded questions aren't fallacious, tell me: have you stopped beating your wife? It's a "simple question," just answer yes or no.
These aren't insinuations; they're direct factual claims. They're well-founded and they're either true or they're not. No, you can't just jazz-hands your way through this.
When you twist protective measures against ongoing theft or shitty proposals that went nowhere into a nefarious conspiracy to justify the theft of critical Ruby infrastructure, it’s time to take a hard look in the mirror.
What are you trying to achieve here, bringing up debunked insinuations over and over and over again? And haha no, going over every cherry-picked fact and half-truth you explicitly stated doesn’t prove you aren’t making insinuations.
> insinuate: to impart or suggest in an artful or indirect way
https://www.merriam-webster.com/dictionary/insinuated
Note the word "indirect."
Now, are you using that to justify the hostile takeover of critical infrastructure to the entire Ruby community? I'm baffled. RC did a *hostile takeover*. How many times do I have to repeat this?
And why are you ignoring that RC did a hostile takeover of the repos? Again, RC stole the repos. What do you think of that?
I don't know what happened with "the repos", which is why I haven't offered an opinion about it. I have a professional interest in stories about people gaining unauthorized access to accounts. I assure you, the law doesn't weigh one party's transgression against the other the way you suggest it should.
And you know what? I think you're right! What Andre did could constitute a crime. Any serious organization would lawyer up and go after him... right? RIGHT?
What sort of monetisation?
Asking because there's a huge potential range of options there, from pretty innocuous stuff through to downright evil. :(
To me that seems like a good idea, not like a betrayal of trust as some people have been making out.
The HN commentariat is really shocking me here, because everyone in the professional space that I talk to about this thinks this is obvious and takes the same position.
I won't follow the thought from there, but maybe you see where I'm going...
Unfortunately for him he basically admitted to a crime because it came after he was terminated. He tried appealing to community and whatnot but anyone who's ever worked for a corporation knows that once you're terminated, it doesn't matter if HR forgot to take away your credentials or not, you simply don't attempt to access anything ever again. Having keys to something doesn't make you the owner.
At the same time, why didn't RC call him to ask? Was it easier to write about a security INCIDENT throwing shade at Arko?
With that said, let's keep focused on the real issue: RC did a hostile takeover of the projects. That's not been properly disputed so far. Matz is, therefore, accepting to steward stolen projects.
> Matz is, therefore, accepting to steward stolen projects.
You know Arko didn't even start working on Rubygems until it was nearly 10 years old, right?
One of the original authors is in here and on X saying he supports it being taken over by RubyCore. Which matters much more than whatever the maintainers who were locked out think.
https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
"Please confirm that you cannot access the Ruby Central AWS root account credentials, either through the console or by access keys."
Alternatively, we could see the whole issue for what it is: a power struggle between political factions of an open source project that is unprofessionally handled by at least one side.
Arko already stated that he didn't know he had been fired. Geez.
> You know Arko didn't even start working on Rubygems until it was nearly 10 years old, right?
The project was stolen from a set of maintainers, not just Arko. Let's stick to the facts: someone with admin rights over the repos revoked the access of other admins without their consent. What do you call this?
> One of the original authors is in here and on X saying he supports it being taken over by RubyCore. Which matters much more than whatever the maintainers who were locked out think.
How in the world is that relevant? I have a lot of respect for Rich, but he wasn't a maintainer.
LMAO
No. He's one of the few people on the planet that could lay claim to its copyright. He also gave the insight that Rubygems has literally ALWAYS been a part of RubyCentral.
But if you do care about the repo, once again, RC has always controlled Rubygems. From the day it was written. The maintainers were even paid by RC. That makes it RC's, not the maintainers'.
> When they finally did reply, they seem to have developed some sort of theory that I was interested in “access to PII”, which is entirely false. I have no interest in any PII, commercially or otherwise. As my private email published by Ruby Central demonstrates, my entire proposal was based solely on company-level information, with no information about individuals included in any way. Here’s their response, over three days later.
https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
I'm only going by the corporate narrative structure of the director's post, who clearly wants to throw someone under the bus and cover up organizational incompetence. "Open" source has become so despicable.
"As this situation occurred, I was the primary on-call. My contractual, paid responsibility to Ruby Central was to defend the RubyGems.org service against potential threats."
* DHH is not only considered racist / fascist due to some blog posts, but also for making Hyprland the default DE in Omarchy, developed by someone who goes by the name Vaxry Vaxerski, who is also considered fascist and racist, and thus banned from contributing to freedesktop projects due to supposed breach of CoC:
https://blog.vaxry.net/articles/2024-fdo-and-redhat
* Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals, DHH's company, due to it being an important part of Omarchy.
https://account.hypr.land/sponsors
* Due to the fact that both DHH and Vaxry are both considered fascist / racist, Framework and its CEO (yes, that Framework) are now considered to be supporters of fascism, because Framework is sponsoring and supporting both Omarchy and Hyprland.
https://account.hypr.land/sponsors
* Cloudflare (yes, that Cloudflare) is considered to support fascism because they support Omarchy and the Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
https://blog.cloudflare.com/supporting-the-future-of-the-ope...
* Last but not least, Tobi (Shopify CEO) and thus Shopify are also considered by many to be supporters of fascism when this drama started to unroll for standing by DHH no matter what when activists wanted to deplatform and ban DHH from his own creation (Ruby on Rails). Which makes the Ruby Central drama due to the involvement of Shopify even more interesting:
https://xcancel.com/tobi/status/1970944464303923687
Me? I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.
The internet was never nice. It did, however, at one time require technical savvy to use. With that savvy came the understanding that computers and people aren't the same thing, so when the computer emitted something not nice you'd laugh at how quaint the technology was instead of getting your emotions all tied up in a knot and trying to hold a person accountable, like those who have no idea what's going on around them do.
We tried "Don't feed the trolls." It's how we got where we are now.
We may just be working under different definitions. Are you claiming that when I type things into, say, Hacker News and hit reply, the words you read aren't the words I wrote?
Or are you asserting the "person" of the words in the computer is not the same person I am behind the keyboard?
I'd argue that the latter is the disproven hypothesis. It turns out people who said awful things online were actually awful people; they may not show it as often in public, but they weren't different human beings. Broadly speaking, they believed the things they said and tended to act on them in real life.
Laughing off things on the computer as not real was how at least one shooting went unchecked.
This methodology is definitely not how you discover fascism. But it is how fascists and communists defined and traced their enemies in the 20th century.
While I am all for making conscious choices on what to support, I can't take anything phrased like that seriously ("all its contributors").
Hyprland, while inferior (imo) in some aspects to sway on the wayland tiling manager landscape is a fine piece of software that I use on my non-work computer (I still use sway for stability).
Back on the topic: I reiterate I'd be happy to avoid using or supporting projects based on non-purely technical issues (discussion on "pure technicality" omitted for brevity).
It's just... What, do I need to know every person's imo completely irrelevant opinions on whatever du jour hot political topic? Maybe the answer could be yes.
I would be fine with dropping Hyprland support, maybe I will after digging a bit more. But this whole thing just reeks to me of terminally informed and ragebaited people looking for a platform to vomit their completely irrelevant opinions, actions speak more (e.g. fostering a dangerous environment _adjacent to the project_ based on discrimination).
I just feel I want to nope out of this industry and everything related to it, it's very overwhelming.
No. But if they're using their social capital they've built via their software contributions (like DHH) to spread racist nonsense, then maybe it's worth considering alternatives, or at the very least, stop supporting those projects.
"should keep their bullshit to themselves" <---> "should perhaps take leadership and avoid having their public channel a cesspool" <---> "actively encourages/participates in discriminatory practices" <---> "raging maniac hurting people, rallying for X"
Specifically on the topic of RubyGems:
I couldn't care less about what DHH posts or not, I certainly care that he uses his position to influence a chain of actors to interfere with something that always worked just because X.
I couldn't care less about the other side on the "cancel" mission, I care about influencing a chain of actors to interfere with something that always worked just because Y.
Please quarantine your political polarization/culture wars bullshit, non-anglo countries don't need it.
People need to step back and breathe. It’s possible to feel one thing about a (frankly shite) blog post and its author without tarring everybody within six degrees of separation with the same brush, and it’s quite unsettling that people find such nuance so difficult.
> Ladybird webbrowser (which is a project also run by someone considered to be a fascist)
Do you mean awesomekling? Why is he considered a fascist?
There are definitely actual fascists in tech (like Curtis Yarvin) which I (centrist liberal, not a tankie) fully support deplatforming where possible, but why are they considered fascists?
I hope you can see this because my posts in this thread are getting attacked and downvoted.
This pretty much summarizes how it started (copied from Google):
https://lunduke.locals.com/post/5823666/ladybird-web-browser...
(note that while the exact word is never seen in the evidence added to this post, it sure is, or is hinted towards, elsewhere.)
and, as evidenced by this, it's ongoing:
https://xcancel.com/awesomekling/status/1971287738268909576
because some people disagree with things like this:
https://xcancel.com/awesomekling/status/1966456391146606806
And there are tons more posts that show that some people are not exactly nice towards him on his X timeline.
Also there's direct proof of these accusations out there but I will not link to those out of professional courtesy for those involved (yes, some people still have that).
It should also be noted Lunduke is also not neutral and has his own political agenda.
For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers. There may be some connection (DHH on shopify's board, tons of ruby developers being paid by shopify and still writing "my opinion is totally unbiased" like byroot did), but there is no 1:1 overlap. For instance, I could not care what DHH writes on his blog any less. rubygems.org changing policies though - that affects me. And if shopify is in part responsible, and DHH sits on shopify and makes decisions, then yes, something changed here. But there are also people who have a vendetta against DHH and they leak into other spaces too. I am not among those people and they shouldn't try to hijack other communities either.
By the way, the Shopify ultimatum also does not explain why all other ruby devs were ousted. Ruby Central lost the narrative here. And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so? (Because they know their case would be rubbish nonsense and they would have to open up ALL emails, which may make many more people suddenly ... very funky.)
As someone who has sued someone else and won, it can take months for your legal team to gather the facts, decide on strategy, and then file suit.
It's related because it led to Sidekiq dropping their funding, which increased shopify's power over ruby central.
You are alleging that Shopify was retaliating. Do you have any reliable context that Shopify was acting in a retaliatory manner?
Given the power dynamics, the burden of proof is on Shopify to prove it wasn't retaliating at the behest of, or in a misguided attempt to defend, DHH's honor.
Per the concept of "innocent until proven guilty", there is no burden on Shopify to prove they didn't do what you believe. The burden is on you to provide evidence for the motivations behind their actions.
I personally doubt Tobi got Shopify to where it was by making rash decisions based on emotions and drama.
Your second para is appeal to authority. A former CEO of mine (not a billionaire though, but a mere centimillionaire) was a drama magnet, thin-skinned, and a vengeful little shit.
That's how a reasonable society works.
That’s just a way of saying “I don’t have any evidence of what I’m claiming”
I have seen the "soft-hostile takeover" executed in other contexts, however. I don't think it's necessary to presume DHH used his influence as a Shopify board member to seal the deal or that he would have ulterior motive in doing so; in my experience, it's sufficient for a company to see a valuable piece of a puzzle they care about go vulnerable to acquisition offers to make the offer (with the corresponding stick). I'm willing to be convinced otherwise in either direction if more information presents itself; all I know is that Shopify put the offer on the table "We'll back-fill your funding gap or we'll make it much worse; your call." And I've seen that offer made in a completely capitalism-red-in-tooth-and-claw "business is business" way in the past.
I prefer the Go solution where the package manager uses the git repos instead of a separate package index that might or might not correspond to the git repos.
> we gave stewardship of RubyGems
I didn't sign anything.
I also remember the original creators of rubygems. How old is Ruby Central? 10 years? 15 years? There were several years before that.
- Corporate entity doesn't have copyright over your creative output. Just because Word can open and view ("run") your novel does not give them ownership.
- Locking your access completely on your resources would be akin to a ransomware attack or account compromise
Would you label those actions hostile? Or just accept it as right because "maintain security"?
If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?
The "maintainers" weren't volunteers. They were paid employees.
Also none of the ones complaining were the original authors of gem nor bundler.
You work for Microsoft as an independent contractor, as a night watchman/groundskeeper. So do a number of others. You were hired because you and your crew of weirdos were writing the story of advanced gardening and building maintenance, which people, including those at many famous and powerful companies, used and found useful. A number of years ago someone said "huh, maybe these guys should get funding", and a few others agreed; and Microsoft ends up in charge of distributing that funding.
The above still happens. They have locked your computer with a ransomware message that says "we will give you back access if you get rid of one of you". To lock your computer, which is airgapped, it would require someone with admin privileges to your computer to walk in and manually do this. It turns out one of your colleagues has done this, and added an account for the Director of Night Maintenance at Microsoft to your machine.
You and almost all of the "paid employees", again, a number of whom are independent contractors, resign in protest; leaving only the person who tampered with your computer.
https://bsky.app/profile/duckinator.bsky.social/post/3lz6exz...
> The behavior Ruby Central exhibited was so egregious that I sincerely thought someone's account had been compromised at one point
During this chaos; which all happened between September 9 and September 18;
- at midday LA time/2:40pm New York time; Microsoft terminates the contract with one specific individual; who was the one they demanded the group gets rid of if they wanted access back - 8 hours later, that person locks the doors; changes nothing else, etc.
Some basic analysis about the situation you need to do:
- Did the actions on September 19th, even if you believe it was a crime of the most serious nature, justify the actions on Sept 9-18 where Microsoft took access, said whoopsie, then did it again?
- Treating the Sept 19 actions as a crime; did the person who did it do so with a criminal intent? (Mens rea). Did they intend harm? Or were they indifferent to the harm caused? Should this be prosecuted, has that person provided justification or similar that could in any way be reasonable doubt?
- If the actions on September 19 are a crime in your viewpoint; would paying/influencing someone to lock the accounts of all of the maintainers also be a crime? Why or why not?
Note that you'll want to read https://www.law.cornell.edu/uscode/text/18/1030
First off, was anything involved a "protected computer"? No, probably not, not by the legal definition there; yes by what we as laypeople would assume.
But, let's roll with the assumption it's "literally a crime" and not a civil matter; but apply that standard equally.
> (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
* Is the draft novel/rubygems source code a thing of value? Yes. $5000 worth? Tricky to say with the open source licencing! But RC were distributing $ to maintain it; and that cost them more than $5000/year. Cost does not equal value; but I think we can argue yes, kinda here.
> (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
* Did anyone attempt to extort anyone else to remove a person? (Get rid of x if you want access back!)
* Did that have value? (Gee, I hope the treasurer didn't post, it was about the funding deadlines/only to have that walked back!) Also a bit murky as the value isn't coming from the extortion directly, only indirectly.
> (b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
* Did anyone conspire? (Two or more people agree to criminal act, followed by an overt act)
Can you plausibly see how if you try to apply US law to argue one individual on one side is a criminal; that same law would likely make the other side just as criminal; if not more so?
---
> none of the ones complaining were the original authors of gem nor bundler.
Doesn't hold water.
From the individual: https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...
"I joined the team at a pivotal moment, in February 2010, as the 0.9 prototype was starting to be re-written yet another time into the shape that would finally be released as 1.0. By the time Carl, Yehuda, and I released version 1.0 together in August 2010, we had fully established the structure and commands that Bundler 2.7.2 still uses today."
IE: Claims to be a significant contributor, predating any "stewardship" by RubyCentral. I would argue this can be borne out by contributions and the fact he proposed the darned merger with RC in the first place; and that merger assigns no intellectual property rights or similar.
I think we have to wait and see how much momentum gem.coop can build. Right now they have promised "things for the future"; they will most likely also deliver eventually. But right now they are not there.
If and when they open beta, though, I'll begin to republish my old gems (not all, some I merged into other gems but most of the core stuff will be back) there. They have some things they should improve on though - documentation (also a problem that ruby doc was separate by the way), namespacing (this is in part also a problem that ruby had no primary way of namespacing; this is also a feature, but it should have a way to separate concerns when possible or wanted).
Anyway, I think we'll soon see what happens - I say people should evaluate again in about half a year or so, say like ... end of May 2026. I think this would be a more realistic time frame.
I do, however, also suspect that DHH may become the biggest asset to gem.coop - every further snide remark he makes on his blog will gain new people who are upset, and some of those will eventually help contribute and benefit gem.coop. So for the end user this may be a win-win situation since they can install things how they like it, thus having more flexibility. Many can and will stay with rubygems.org, others may prefer gem.coop, many others will probably use and combine both (this may be a bit more difficult; guess gem.coop needs to think of a way to specify different gem sources on a per-gem basis too. Lots of work to be had for certain).
No serious business with real (business) customers will accept that kind of risk and gem.coop will never be a thing outside of hobbyists.
All in all, I don't see sound judgement from Andre Arko or from RubyCentral. That seems the common takeaway from neutral third parties https://archive.md/SEzoV
> Regarding Arko’s blog post about his removal, McQuaid [Homebrew Maintainer] told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”
He logged in and changed the password after the board emailed him and told him his services were terminated. That includes/specifically mentions his on-call services. His response claims only silence from the board and that he was just performing his on-call duties.
I've been a corporate stooge for 25 years or so now. On call duties are one of my main responsibilities. I would NEVER probe out which logins I still have access to after receiving notice of termination. He admits to doing this in multiple places.
All his justifications are that he was under contract to do work that he was already notified was terminated. Everything that follows either tells me that he has bad judgment, that he's lying (by omissions), or in the worst case totally delusional.
If he was so worried about operational takeover, why did he _change a password_ without notifying anyone else with operational capabilities that he was doing so? Nobody reasonable would _ever_ do that. There's a certain amount of upfront communication and CYA required of reasonable actors in this space and he doesn't have it (Not that Ruby Central did any better).
So no, I won't be changing my mind, and I don't know why you put "(again)" in there.
Regardless of what Ruby Central did, his own actions warrant every bit of criticism he's getting. Stop trying to redirect the narrative. There are other threads where that discussion is happening.
You can view Ruby Central as being in the wrong all you want and I won't argue with you, but that doesn't mean Arko is not-wrong as well. It's not zero-sum.
I don't understand how Matz accepted this as-is. Taking over these projects without addressing the takeover makes them toxic assets that will taint the Ruby community for a long, long time.
What you're doing is called a Whataboutism. I was responding to a comment about gem.coop.
Andre Arko is not credible and thus gem.coop is not credible. He can explain all he wants but his actions were plainly inexcusable. Whatever Ruby Central did is immaterial to the point of whether or not Andre Arko can be involved with services that we rely on.
It triples the attack surface, making it more vulnerable to having security vulnerabilities.
It took less than two weeks from this statement for them to put out an incident report from them forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.
The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.
But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.
Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by its authors, and licensed MIT-style. But you're talking about passwords to infrastructure...
They removed other maintainers' access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that; it was extremely childish behaviour.
Inaccurate:
> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.
> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...
Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.
IMO it would be better to start from a clean slate; dissolve Ruby Central and bring back the community with a new policy, rules - but that's not going to happen. Ruby Central went the corporate way and that's it. It would just be ironic if, say in 10 years, gem.coop proves to be much more successful whereas Ruby Central still writes the same AI-generated text ("we care for the community even if everyone is now elsewhere already").
> As a Japanese developer, I’ve been worried about the direction things were going, so it’s reassuring to see this.
I am actually much more worried now. I don't live in the USA; I don't live in Japan. To me it seems as if Japan and the USA are totally over-dominating in the ruby ecosystem. While this is understandable that it is Japan (local community, I get it, this is different to english-speaking ones), I am absolutely upset that the USA has so much proxy-influence here. But I guess there is nothing that can be done. I guess in Python the USA also over-dominates. I just think this sucks really.
Why? Japanese culture is more conservative, less prone to knee jerk decisions, and Ruby is their biggest home grown programming language.
I'm also not American nor Japanese and I think this is the best possible outcome.
I'm considering switching to Erlang, which was developed at a corporation from the start and appears to be drama and cancel free.
I would love to see such options become available in Europe (insofar as additional options existing, not taking away the ones that already exist). But that would require some extremely successful European companies working to change it.
Candidly its decentralized nature when it comes to "packages" is one of its strengths. It does have downsides, and yes GitHub could be at issue at some point.
After this, after NPM compromises (left-pad and more recently the supply chain attacks), why we aren't seeing more community driven changes around decentralization and venturing is beyond me.
> While repository ownership has moved, Ruby Central will continue to share management and governance responsibilities for RubyGems and Bundler in close collaboration with the Ruby core team.
Andre has previously maintained that he owns a trademark on Bundler and he will enforce it against Ruby Central.
=> https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...
So Ruby Central transfers "ownership" of Bundler to Ruby Core. Ruby Central gets to continue to maintain Bundler, and Ruby Core is stuck with the liability. If Andre wants to enforce his trademark, he now has to sue Japan-based Ruby Core and risk the bad optics of that.
Well,
1. He's not fighting Ruby Central anymore, he'd be fighting the Ruby core team.
2. He's going to have a tough time asserting copyright on a name he didn't come up with on a project which shipped v1 before he joined.
3. If he believes the trademark belongs to the community, the right thing to do would be to transfer it to Ruby Core then, right?
Add also at the bottom a short comment, so the other replies don't look wrong. Something like:
Edit: fixed can -> cannot
I think there are a gazillion questions left. But, I also agree that the future will tell, e. g. we'll have to see how popular gem.coop will become (if they become popular). And I also, despite my disagreements, think that it may have been better to solve installations of ruby projects from the get go, e. g. Rust + cargo. But I also see this as separate from a service such as rubygems.org (or whoever provides any infrastructure). The question of who develops functionality can be separate, I have no strong preference here. And, I also agree that having both bin/gem and bin/bundle is not good. There should be a unified API (or two - a simple one maintained by ruby core, and then people can build extra functionality into their own variants).
Sadly this all also may end up like this:
What I liked about bin/gem was its simplicity. Bundler brought a few new things or easier things to the table. "gem" should make it much easier to use any source though, including gem.coop.
I'm sorry for Ruby people that are negatively impacted, tho.
Lastly, Matz is the best!
It also seems like rubygems.org could simply fork the rubygems code, perform whatever 'security and governance' changes they believed were needed in their fork, and run with that?
Isn't that the open source way of handling disagreements in direction?
Not really. Shopify threatened to pull funding for them which set the whole thing in motion
Because I once installed your project, I need to:
- Take over all of the accounts/access you AND all of your friends/co-maintainers used in connection with it
- Tell you it was a mistake, give back access temporarily
- Do it again!
- Have one of my board members who happens to be the treasurer say it was about the $
- Make a straight to camera YouTube post Addressing The Concerns
- Make a first "continuing our series of transparency" blog post a week later, where I use a dense corporate laden dialect to claim it was for the betterment of all mankind and definitely not about the $; because I need you to understand Where We Are Now; What This Is and What This Isn't.
- Open a Google forms question submission box.
- Smear your reputation, because you had an idea once about tracking which packages go to which companies; so I'll insinuate that you want to read everyone's mail and snoop through their undergarments drawer. What's that? My actions affected much more than just you? Quiet now, we're reshaping the narrative to smear you.
- Answer no questions, explaining that we chose to give you a regular series of Friday updates; but also We Want to Move On from the back and forth but also in that same publication have another go at the smear, because it partially worked.
- Donate the project to my state library, to take some of the heat off of me
Isn't that so much easier than typing "git clone" and "git remote add"?
(I am consistently flummoxed that a handful of people here are buying this narrative; instead of as you point out... Just applying a smidgeon of critical analysis about the usage of tools that the majority of us must use day to day and coming to the conclusion you do. Instead of doing this or accepting this conclusion, there's a frothy passion it seems for Appeal to Authority/Argument from Authority where any excuse, flaw, etc on the part of the maintainers is used to justify the whole chain of events.
It seems like it hits 5-7 facts and people can no longer manage them in short term memory, go and look at more than what is presented to them by a single party, etc; so they just default to the easiest mental shortcut.
For some reason I keep falling into the trap that "people are more educated, capable of critical thinking, and have easier access to data than ever before in history"; which I rationally know is not true)
I don't believe this has anything to do with DHH.
Why is there (seemingly) no public offer to former maintainers to rejoin, or acknowledgement of wrongdoing having been done as part of this? It's practically zero cost to do that; as the Ruby core team is (largely) not the party that inflicted harm.
Politeness? Conspiracy to have done this all along? Cultural differences around public vs private opinions? Something else?
What would we think if this wasn't a software project but a hijacked community bus, being passed from party to party, pretending nothing is untoward about the whole situation while the passengers are still aboard? "Oh good, the new bus drivers are politely accepting the keys from the hijackers; all is well!"?
Edit: https://www.reddit.com/r/ruby/comments/1o8zz3e/comment/njywb... No discussion with maintainers
In my 17ish-year involvement with Ruby, I can't think of one.
It's good to hear Ruby core team took the ownership. Thank you Matz.
For instance, who effectively controls the ruby ecosystem? See ad-hoc restrictions such as 100.000 downloads - past that point you are disowned from your own gem. I always felt that was a direct attack on independent developers. They could have forked those gems just fine (the licence permits this for most gems after all), but nope, they forbid you to remove your own (!!!) code.
By using signed packages. Why is this even a question.
From https://news.ycombinator.com/item?id=44991636 :
> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries
So, packages there too would simplify.
Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency: https://news.ycombinator.com/item?id=45354568
Nerdctl supports various snapshot, lazy start, and distributed cloud storage container stores: https://news.ycombinator.com/item?id=45270468
Ruby has:
gem cert --build your@email.com
gem install gemname -P HighSecurity
And also for signatures now there's sigstore-ruby and Trusted Publishing. sigstore-ruby: https://github.com/sigstore/sigstore-ruby
guides.rubygems.org/trusted-publishing: https://guides.rubygems.org/trusted-publishing/ :
> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]
> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.
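The quoted text describes the exchange from the registry's point of view: a CI job presents a short-lived OIDC identity token, and the registry decides whether to hand back a short-lived API token. The following is an added example, not code from this thread, from RubyGems.org or from sigstore-ruby; it shows the relying-party checks such a registry has to make on the identity token before trusting it. It uses only the Ruby standard library. The issuer URL, audience string, the `repository` claim name and the RS256-only policy are illustrative assumptions, and a locally generated RSA key stands in for the public keys a real registry would fetch from the identity provider's JWKS endpoint.

```ruby
# Added example (not from the thread, RubyGems.org or sigstore-ruby):
# minimal relying-party verification of an OIDC identity token, the kind
# of token a Trusted Publishing flow exchanges for a short-lived API token.
# Only the Ruby standard library is used. ISSUER, AUDIENCE and the
# "repository" claim are constructed, illustrative values.
require "openssl"
require "json"

ISSUER   = "https://token.actions.example-ci.test" # constructed issuer
AUDIENCE = "rubygems.example.test"                  # constructed audience

# base64url without padding, as JWS uses
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Identity-provider side (normally the CI service): mint an RS256 token.
def mint_token(key, claims)
  header  = b64url(JSON.generate({ "alg" => "RS256", "typ" => "JWT" }))
  payload = b64url(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  sig = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Registry side: check the signature first, then every claim that decides
# whether this workflow identity is the publisher configured for the gem.
# Returns [ok, reason].
def verify_token(token, pub_key, expected_repo, now: Time.now.to_i)
  parts = token.split(".", -1)           # keep a trailing empty signature
  return [false, "malformed token"] unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm; the token must not get to choose "none" or an HMAC.
  return [false, "unexpected alg #{header["alg"]}"] unless header["alg"] == "RS256"

  signing_input = "#{header_b64}.#{payload_b64}"
  unless pub_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig_b64), signing_input)
    return [false, "bad signature"]
  end

  claims = JSON.parse(b64url_decode(payload_b64))
  return [false, "wrong issuer"]   unless claims["iss"] == ISSUER
  return [false, "wrong audience"] unless claims["aud"] == AUDIENCE
  return [false, "token expired"]  unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  return [false, "token not yet valid"] if claims["nbf"].is_a?(Integer) && now < claims["nbf"]
  # The publisher registered for the gem must match the identity in the token.
  unless claims["repository"] == expected_repo
    return [false, "repository #{claims["repository"]} is not a trusted publisher"]
  end
  [true, "ok"]
end

# Stand-alone demo with a constructed key pair and constructed claims.
if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  now = Time.now.to_i
  claims = { "iss" => ISSUER, "aud" => AUDIENCE, "iat" => now, "exp" => now + 300,
             "repository" => "example-org/example-gem" }
  token = mint_token(key, claims)
  p verify_token(token, key.public_key, "example-org/example-gem")
  p verify_token(token, key.public_key, "other-org/other-gem")
end
```

The order of checks matters: the algorithm is pinned before any signature work, the signature is verified before any claim is read, and only then are issuer, audience, lifetime and publisher identity compared against what the registry has on file. Skipping the last comparison is what would let any job on the same CI provider publish to any gem.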
With central repo you may expect that they operate under increasingly stronger security standards and even if you missed malicious update, there’s higher chance that it was taken down by someone else. In decentralized environment your risks are higher and attention surface bigger.
The fact is that even the “canonical” CA’s can’t be automatically trusted, but here we are. CA is just one shitty implementation of WoT that has been near-universally imposed on us and most people simply accept as a necessity of life, but it isn’t necessarily the only way. It’s just how it is right now.
I'm not counting something like C++ where there's effectively no "packages" to speak of.
dselect solved this ages ago with its mirrors, but at some point it seems every major package manager decided that was unnecessary complexity ("why bother? It's not like a package repo just goes down") and left it out when they built their alternatives.
So, from time to time, when a domain in the Internet goes sour it's a huge problem (whereas were a Debian mirror to go sour I'd add like one line to a config file and never notice the issue again, assuming dpkg doesn't automatically identify the problem and route around it).
- almost every package is hosted on GitHub and that url is baked in to consumers of those packages
- the go proxy: https://flak.tedunangst.com/post/what-the-go-proxy-has-been-...
Go packages have the source baked into the package name. It would be like needing to say `require "github.com/sparklemotion/nokogiri"` rather than what we do today, `require "nokogiri"` and then if you want to change the source wrapping `gem "nokogiri"` in an alternate `source` block.
However I would say all ecosystems have issues, regardless of the approach, because 99% of the developers have no clue on what they depend on, and there are plenty of ways to mess up with ecosystem.
Btw, I’m definitely not saying anything is doing this really well yet, but I do think Linux distributions are a pretty good implementation of it. I think it would be pretty difficult to stamp out Linux and Linux packages.
Deno does also but I'm less clear on well how that is working out for them.
All go package imports are proxied via Google.
https://drewdevault.com/2022/05/25/Google-has-been-DDoSing-s...
https://drewdevault.com/2021/08/06/goproxy-breaks-go.html
Not that defaults don't matter, just offering the extra detail. And, as the post goes on to explain, this change seems to cause its own set of dependency issues.
I'm not familiar with the technical details, but at first glance it appears pretty centralised.
https://docs.deno.com/runtime/fundamentals/modules/#https-im...
See especially Mike McQuaid's summaries. He did a bunch of mediation and comms work to make the situation digestible to outsiders. Check his recent posts (at time of writing) on https://bsky.app/profile/mikemcquaid.com
Tensions within the community were heightened because its loudest voice and most recognizable figurehead has opinions that aren’t all that popular and he made them loud and clear as he’s a loud thinker.
I've been working on Homebrew for 16 years and leading it for some proportion of that and this all "smells" like a more sustainable long-term solution than anything we've seen happen in the last year. Some proposals sounded nicer but were not going to be acceptable to one or more sides.
Ruby already provides a vendored version of RubyGems and (more recently) Bundler so this seems appropriate. It also separates the "running a web service" which has guaranteed hosting costs, requires on-call, etc. from "running an open source CLI/library" which has no guaranteed costs.
It will be interesting to see what the Gem.coop folks do now (disclaimer: I helped them with their governance process). If there's some competition for rubygems.org as a server implementation that feels like a good thing for the community overall.
Good luck to all involved on all sides.
Rails is still a good web framework within its limits. If you want to build a small, modest complexity web app with like 1 or 2 developers and under maybe 6 months of active development, modest traffic needs, etc, it's a good way to get everything up and running fast with best-practices for everything.
The lack of types may start to pinch some once you get an order of magnitude more developer-months into the app than that. Lack of overall speed, threading issues, and memory usage may be an issue once you get a few orders of magnitude more traffic. But while you're within those limits, I think you'll get features out on it faster than any other language or framework.
As they say, a lot more startups have died due to not being able to iterate fast enough in the early stages than from their traffic capacity, hosting efficiency, and bug count once they get into serious growth.
Of course lets silently ignore Github, Gitlab, Shopify and others: all small, modest complexity web apps built with Ruby on Rails. Look at Shopify last year black friday numbers and come back and tell us how Ruby is fit only for modest traffic.
I think it works well for SaaS type offerings where you have a low number of high-value clients. We don't do high-traffic public sites. Perhaps my opinion would be different then.
Would they be where they are today if they hadn't been built at that moment with Ruby?
Both these questions are hard to answer without connecting the dots, looking backward.
Github was started in 2007, Shopify in 2006, Gitlab in 2011, Whop in 2021
It takes a long time approximately for a company to get out of the medium zone and go really big. So the only answer for this is we don't really know.
For any programming language you can find similar stories.
I tried to answer this question 6 years ago by analysing company data from YCombinator and TechStars: https://github.com/lucianghinda/programming-languages-in-sta...
Here is some data I found back then in 2019:
- Ruby companies raised 13 Billion dollars
- Python companies raised 11 billion dollars
- Java companies raised 1.5 billion dollars
- PHP companies raised 1.4 billion dollars
- Go companies raised 1.3 billion dollars
- Node.js companies raised 800 million dollars
Of course this data is 6 years old and it was based on the initial programming language and also it is about funding amount and not revenue.
I did not have time these days to update the data there.
I think how many quality devs you can hire with that language is really the only question that matters 90% of the time (ballparking), so long as the language is designed for that use case, like don't use assembly to write a production webapp.
I don't know many devs that code with Ruby, I know of more devs that code in rust and Go which are newer by at least a decade? so the question of what actual benefits it has is important.
For Go, it makes it hard to mess up error handling and easy to deploy your apps since it's all a static blob, but memory footprint and optimization can be challenging at times. For Rust, it takes a long time to do things, so fast shipping timelines might not be a good fit. For Ruby, does it have anything that makes it more secure, faster to code with, resilient to failure, easier to scale, etc...? I don't think anyone answered that here.
What can it do _better_ that the other languages you listed can't or can't as well?
There's a reason that the DevOps world abandoned Ruby wholesale in the late 2010s (mostly replacing it with Go).
In a world where container orchestration allowed servers to be more fully utilised, it became increasingly obvious that the ancillary tooling (think log shipping or metrics collection) often had a larger memory and CPU footprint than the core service itself.
Formerly popular tools in this class like Sensu or fluentd have either been rewritten or replaced with Go equivalents, and Ruby seems to be more or less dead for new projects outside of the Rails niche.
Big legacy companies who have invested heavily into Ruby cannot switch but every shop I’ve been at often started new services in non-Ruby (mostly Go but have seen plenty of Node/TS as well or Rust for that matter).
If I were to start a new app Ruby would be far from my first choice and the biggest reason are types. After being in the weeds of big Rails apps while also working with Go/Ts/typed Python, Ruby seems very fragile in big codebases. Sorbet is also not enough.
I'm unaware of one ever happening, and I'm wondering whether it's because of mere fortune or because there's something about the APT / dpkg model that precludes this kind of messiness.
Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors? This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
That said, there's been quite a bit of drama lately in prominent Linux projects — notably bcachefs, X11 (and the fork XLibre), and the Omarchy distribution (even connected to the current story!).
It is not 1:1 comparable though. Ruby, python etc... have a much more varied community. People contribute code. Only few contribute to the linux kernel directly. There are many more who write "apps", so this could be comparable. Still it feels different to me, since a language community is different to a community that uses different programming languages.
> Perhaps the Ruby community is suffering the curse of having lived with reliable Internet for so long they never had to solve the problem of building up automatic package mirrors?
No, I think it is more that people never anticipated that corporations could take over projects. This has become more of a problem in the last years. Who controls github, for instance?
> This just feels like a lot of words and energy burned on a problem that ought to be as simple as "Here's the package, here's its checksum, go to town."
This is the issue of decentralized hosting versus top-down control. Ruby didn't have that problem in the past. It became more of an issue in the last some years. See DHH having an old tweet where he pointed out that he wants more control; I think this was from 2018. I don't remember it fully but it is on the ruby reddit.
I've even seen unironic claims of certain pieces of technology containing "Hitler particles". That shook me a bit because that's an old in-joke and was always intended to be a joke...
I find “BDFLs” and open source communities so incredibly interesting. Especially in the context of geopolitics and state entities. Linux!
This stuff is PHD material for sociology and polisci post-grads and I’m so interested in following the progression of history with these types of things.
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...
See that question asked:
"Isn't supply chain security a corporate concern?"
He tries to bring arguments to invalidate that. And failed in an epic manner. Now people are more suspicious than before. Kind of strange to see, too.
Not up until the incident that motivated him to resign, anyway.
I feel like BDFLs are akin to the concept of village elders; they're not immune to corruption or scandal, but they often have this beloved status that can paper over a lot of cracks. That's probably dependent on their leadership style - the hard headed (Linus, DHH) vs the grandfatherly (Matz, Van Rossum).
Which, going back to your note on geopolitics, leads me to wonder: Is it just that more power corrupts more, or is it that (modern-day definitions of) democracy require a desire for power? I guess as the "FL" part of "BDFL" comes to bite more of the communities, we'll see better how different succession styles have different effects. I also wonder if the analytical nature of the individuals within the "populations", and inability to police defectors will mean uprisings will be more successful, either in causing BDFL attitude adjustments, or just overturning the community completely (for example, there's already a lot of momentum for a complete fork of Rails)
(Edit: having submitted this, I now see others have had very similar thoughts! Definitely an excellent conversation topic)
I think a lot of this is due to how so much is a scandal these days, for better and worse. (I'm obviously going to keep politics as much out of my response as possible.)
A few decades ago, people could have political views without ostracizing roughly 50% of the global population, or generally causing a ruckus at the holiday family dinner. (Obviously politics + holiday dinners has been an issue for a long time, but back then it was just something people tried to sweep under the rug. Now? Holiday dinners are getting cancelled or families are splitting up.)
It used to be that a scandal in the OSS community required you killing your wife (thinking back to ReiserFS). Now, a remark on Twitter is all it takes.
Again, I am absolutely not taking sides here. I'm just noticing a difference in the times, and agreeing that it is indeed interesting to watch.
People are far more happy to cling to the tribe they choose, and the tribe that has their back, over the tribe they were born to. Then, there are those who see that trend as dangerous to society (where, in many cases, society is really just a proxy for their own power or social status - ironically as viewed through their own chosen tribes more than the tribe they were born to)
That is to say, I don't think it's the political views that are splitting the families. Individuals have decided that care for each other should come secondary to those political views. I feel like there used to be a certain amount of care in the "sweeping under the rug" - it was the tribe against the world, it was protecting the family image as much as it was protecting the individual from society. These days, being a thing "in private" means being a thing alone, and that's no longer a compelling thought when external tribes are willing to embrace you.
Which probably applies to software tribes just as much as family ones.
This is ahistorical.
Not only was it the norm forever to ostracize entire sections of your society (protestant vs catholic and lots of other religions, black vs white, any form of non-hetero behavior, the Roma people and any form of outsider)
It often was the law
Americans shot their family members over whether we should own black people or not.
My French and white ancestors were expelled to Louisiana, intermarried with black people, and then when the US bought the French land, they introduced laws that made such families illegal.
Reagan made a hobby of publicly claiming his coworkers were communist. Thought that maybe we should be allowed to form unions? 100 years ago that was enough to get you investigated by the Senate. Americans voted for him so hard the Democratic party is still floundering to have support. "We should allow unions" or "we should regulate companies" is still half-verboten.
Do you know how many kids are still kicked out of their homes for the crime of being born gay?
This idea of "You used to be able to hold diverse opinions in public" is outright wrong. This past never existed.
Weird Christians in the US have tried to cancel things like Harry Potter and halloween for gods sake. They took a teacher to trial for teaching evolution. They made playing pen and paper RPGs a sin! When preachers molested kids, they shunned the kids
Being too chummy with another guy in public was a scandal! Being a woman who wanted an education was a scandal! Getting pregnant out of wedlock was a scandal that would tear apart families. Getting divorced was verboten. Expressing support for social policy could get you fired, or murdered.
Bush Jr literally said "You're either with us or against us" about supporting a criminal war and America pitched a globally public fit when other countries did not pledge allegiance.
The difference is that with an open source licence, the community can just fork the project (assuming they have enough developers), so the BDFL must master the art of herding cats.
A country has clear physical borders and tanks, and people can't fork them and ignore the old power structure.
I think there's going to be an interesting and complicated churn as several major projects under the BDFL model have their Ds succeed at passing the torch, struggle to pass the torch, struggle to realize the torch needs to be passed, or take the torch and do their best to burn the whole project down so it can't outlive them.
At the same time, I would like more information around how the Gem supply chain will be handled, particularly how Rubygems and Bundler will be protected against supply chain attacks, which are becoming endemic.
Is the Ruby ecosystem doing well?
Hoping for some context
> Shopify demanded that Ruby Central take full control of the RubyGems
One interesting thing is that Ruby Central then said "Board decisions are independent and not contingent on funding."[2].
Doesn't inspire a lot of trust when there is a statement from a board member saying "we did this because of funding".
I'm more inclined to believe Joel's account.
[0] A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.
[1] https://apiguy.substack.com/p/a-board-members-perspective-of...
[2] https://rubycentral.org/news/our-stewardship-where-we-are-wh...
I can tell you that two people with direct knowledge of the situation told me that Shopify demanded that Ruby Central take full control of the RubyGems GitHub organisation and packages.
You can believe that I am lying if you want. But I can’t directly cite my sources in this case.
For the DHH thing, he wrote a recent blog post where he said he wants fewer non-white people in London and praises an English far-right fascist figure (Tommy Robinson)[1].
Not really sure about the Shopify stuff. I've heard people aren't too fond of Tobi (the CEO, I think), and he's buddies with DHH, but it could just be general distrust of a big company trying to exert control of an open source project (through Ruby Central).
No, it turns out DHH really wrote a blog post complaining not enough people in London are white (even though they’re British) and praising a famous British fascist.
The rest is very much still confusing, some kind of opportunistic power plays and typical open source chaos.
Edit: Seems like maybe a hostile take-back actually.
gem.coop matures and people move to it
Or ruby central gets their crap together and regains some trust.
It's definitely a win that the tool entry point is now managed by competent people with a good track record that aren't involved in the current drama.
- Politics at work were becoming a huge problem at 37Signals
- They asked that politics be kept out of company chats, but encouraged people to be politically active on non-work channels/social media/etc even during work hours
- People lost their minds at this incredibly reasonable request which then blew up on the internet
- They offered any employee 6 months severance if they weren't comfortable with the new policy. About 1/3 of the company took it.
- Rails Conf dis-invited the creator of Rails
- Obviously, this was not going to sit well as people were trying to create a very public political flex against DHH and at that point, he started getting much more vocal about the problem of politics sweeping into every aspect of life.
In the following years...
- DHH becomes very publicly outspoken against politics infecting everything
- 37Signals publishes another successful book
- Ships much more quickly as all of the people constantly distracted by politics at work are no longer in the building
- Starts the Rails World conference to great success
- Rails Conf shuts down
- DHH ships Omarchy which is getting significant support
So the end result has been that a bunch of people tried to essentially "cancel" DHH and the result was him having virtually non-stop, resounding success while publicly speaking out against those who created the problem in the first place...because some people really do just want to build cool things regardless of your politics.
Then he started a blog, built on his company's software, where he constantly shares extreme political opinions. When you are the public face of a company (and framework) and you are publishing your political opinions using your company's platform, you are now bringing politics to work. He's a hypocrite.
So Tim Cook would be "bringing politics to work" by posting politics on Twitter from an iPhone? Plenty of prominent Python community members, including core devs, have politics on their blogs and also use Python-powered technology (dedicated SSGs like Nikola, but also even Sphinx which is really meant for documentation) to generate and publish pages; is that "bringing politics to work"?
DHH advocates "no politics at work" because as a powerful guy that's organized politics potentially directed at him. He advocates blogging because he knows perfectly well that he has a large audience and his employees or critics don't. That's why the rich tech bro class loves getting politics out of the workplace and getting it onto the platforms they own.
I think the real root of peoples' disagreement over what happened there is that rank-and-file employees wanted to assert a lot more control over what their company does than they actually could and they were informed that that wouldn't be acceptable. The six month severance was generous.
But you've omitted his recent "contributions", where he went completely off the rails.
Have a read of this: https://world.hey.com/dhh/as-i-remember-london-e7d38e64
It's completely unacceptable, and he's promoting a self-proclaimed fascist white nationalist (Tommy Robinson).
> but you've omitted
I'm not that poster, but it was objectively correct to omit that, because it was as an objective matter of fact not "at work".
It does. Not. Matter. In this context what his beliefs are, or how they look to you through your lens.
In exactly the same way that, for example, the political views of GNOME and Xorg developers are not relevant to the development of those projects, and only become relevant when they get discussed in development spaces. (Or, you know, when they become the motivation for explicit interference in XLibre development.)
""" Does Tommy Robinson call himself a "fascist" or "white nationalist"?
No — Tommy Robinson (real name Stephen Yaxley-Lennon) does not call himself a fascist or white nationalist. He consistently rejects those labels, describing himself instead as a patriot, free-speech activist, or anti-Islamist campaigner. To summarize the record:
* Public statements:
Robinson has said things like “I’m not a racist, I’m not a fascist — I’m a working-class lad from Luton who’s standing up for my country.” In interviews (e.g., BBC Panorama, ITV, and various YouTube appearances), he has explicitly denied being a fascist or white nationalist.
* Affiliations:
He co-founded the English Defence League (EDL), which has been widely described by journalists and researchers as far-right and anti-Muslim.
However, he left the EDL in 2013 saying it had become associated with racism and extremist elements he could no longer control. """
Maybe TR is a fascist or white nationalist, but he isn't a self-proclaimed one.
Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".
If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity, then you leave people with those sentiments running into the only open arms left: the far-right and the rest of their agenda.
As a liberal, even a progressive in my own mind, I still recognize that completely open borders are a problem and that we should expect all people coming to a country to want to learn the language and integrate with the native community and customs. This concept is compatible with respecting cultural diversity and immigrant populations and their civil rights.
And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe or not, jail.
FINALLY - I don't see how this kind of hard-fork-over-politics maneuver helps change minds in the long run. It only generates bitterness.
He explicitly cited race, not "British identity" he quoted a Wikipedia page where he took stats excluding non-white British.
I don't think he was arguing the point you're attributing to him.
What does DHH, a Dane, who as far as I'm aware has never lived in London (and certainly doesn't now), know about London/the UK?
Absolutely fuck all.
He should keep his trap shut, in the same way Elon Musk should stop attempting to stoke nationalist fires in a foreign nation.
I am also a (British, not American) liberal, and I agree with your comments about integration.
The UK has an integration problem that successive political leaders have attempted to brush under the carpet, whilst ignoring the electorate's desire for a reduced rate of immigration.
But the sort of nativist crassness displayed in that blog post is not the answer,
and leads down a very nasty road that we thought we had defeated forever 60 years ago.
> And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe or not, jail.
I'm afraid this type of authoritarianism always seems to come with a labour government
Keeping politics out of work place is like an extremely mild stance.
For some reason, people label him as fascist...
When you're advocating for ethno-nationalism and praising fascists, I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically.
He praised one policy from Tommy Robinson. This doesn't mean he support every single action performed by Tommy Robinson for eternity.
He advocates for stricter immigration laws and is against mass immigration.
He then praises the stricter immigration laws in Denmark. Then, Denmark would be considered fascist and ethno-nationalistic by your logic?
> I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically
I'm actually mad that the word fascist is losing its meaning.
Wanting a stricter immigration law is now fascist, and Denmark is basically considered fascist for all these years for having stricter immigration laws praised by DHH...
At worst, this view is centrist.
He argues that non-White people aren't British[0], that's the bit where it gets a bit fascist for me.
There's a debate to be had about immigration, that I think is valid. I think there's nothing wrong with advocating to reduce immigration. I think saying non-White people (who were born here, just so we can get away from the immigration side of things) aren't British is a dick move and kinda fascist.
> I'm actually mad that the word fascist is losing its meaning.
When someone espouses ethno-nationalist viewpoints (a core part of fascism), and praises a fascist, I don't think it's unreasonable to say "hey that guy sounds a bit fascist", and I think pushing back against that is what is making fascism lose its meaning.
Now, saying "I don't think it's fascist because X" is perfectly valid, but that's not what I'm seeing here. It feels like a knee-jerk reaction, which I don't think is fair in this case.
There's nothing wrong with promoting or protecting the interests of native or indigenous people over those of immigrants or foreigners.
Heterodox opinion in some circles, but this is not some fringe belief, nor is it "fascist."
No he doesn't. He specifically states "native Brits." The only "Brits" native to Great Britain are White Brits.
In addition, "around 41% of [London's] population were born outside the UK" [0]. Nearly half of the city is foreign.
What about the royal family, Prince Philip was Danish/Greek, so the royal family aren't native are they?
Shall we stop pretending this is about anything other than race?
Anyone not White British. Austrians are White and are similarly not native to London.
>What about the royal family, Prince Philip was Danish/Greek, so the royal family aren't native are they?
Who made the claim that Prince Philip was White British or native to London?
>Shall we stop pretending this is about anything other than race?
Just because you've been duped by propaganda doesn't mean anyone is pretending.
As far as I can tell, this doesn't fairly reflect what actually happened. Ruby users were free to keep their own political views to their own blogs, just as DHH does. Reading world dot hey dot com slash dhh is not in any way required in order to use Ruby, participate in the development of Ruby or anything else along those lines.
There are a lot of prominent developers in the Python community whose politics I strongly disagree with. I got banned from the main discussion forum as a result of objecting to hidden Code of Conduct enforcement principles which (in my view) attempted to bring (many of) those politics in through the back door. (And in the process of getting into that meta argument, and doing research, I encountered several previous unpleasant incidents on the forum and on the mailing list that preceded it.)
But I would never start arguments with people in that space over things they wrote on their blogs. I would not go onto, say, the CPython issue tracker to complain about how certain people needed to be removed from the project because of things they said in their own spaces (like we saw with, for example, Opalgate). If I wanted to talk about someone else's politics — or my own — I would and could use my own blog for that.
The mere fact of people knowing DHH's politics emphatically does not politicize Ruby, Rails or any related project. To the extent that Python development has become politicized, that's a consequence of actual enacted policy, not the political beliefs of steering committee members, PSF board members etc. DHH putting this content on his blog was part of the effort to have it not in the workplace. And, in point of fact, that does keep it out of 37Signals board rooms.
For instance, I pointed out days ago that Hiroshi Shibata did not act solo. Now this is confirmed - it was a matz directive. The main question to ask here is: could he not have made this open AND public from the get go? It would have lessened the confusion for some people.
Unfortunately this also has a few added problems now, because ... say that you are an indie dev or a solo dev. Would you want to "interact" with the ruby core team if they can just oust people at will if they feel they need more top-down control? Or, worse, if they only get money if companies pay them to do so? I am not necessarily saying there was a 1:1 connection with money in mind. For instance, the bin/gem was not designed by the ruby core team, in many ways was a mistake from the get go - see how Rust avoided this by having cargo. But one can not help but wonder how deep that money situation goes. u/jrochkind on reddit pointed that out, e. g. that there is very clearly a connection to ruby losing users and developers in the last ~5 years, and a dry-up of financial assets in general. I agree with him. Even if this was not the case here (though I somewhat suspect money had to do with many things here), the situation for ruby in general is really really bad. Perhaps matz felt that this was the only way forward, who knows. Either way it is not a good situation to be had.
It also shows how ruby is WAY too dependent on rails. If rails sinks, ruby sinks. That is BAD. DHH may contribute to this problem with the "I am the richest neo-boy in the USA" and odd blog entries (that's his though, he can write whatever he wants to), but the moment there is a financial interconnection is the moment there is no longer a fair field. And this is really bad, because it means ruby as such will be pulled by those who have money. Bye bye solo devs - you no longer have a place in the corporate infrastructure. And make no mistake about this: rubygems.org is a pure corporate entity now. Look at the new rules they forced onto everyone: https://blog.rubygems.org/2025/07/08/policies-live.html
This also reminds me of Pypi, by the way:
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2f...
Quote:
"Isn't supply chain security a corporate concern?"
And then he weakly tries to say "no, it isn't because corporations finance us now, it is all about LOVE, HAPPINESS and THE COMMUNITY". But in reality - it absolutely is. Corporations wanted more guarantees and these infrastructure maintainers said "that's ok - we don't pay these indie devs anything but now we force them into mandatory 2FA, ad-hoc 100,000 restrictions (can not remove your gem past that limit) and any other random crap, such as not paying them anything and having them work for us for free". I am sorry but there are soooooooo many things going wrong here - I totally agree with duckinator. This was a hostile take-over, unfortunately now we also know that it was decided from within ruby-core itself.
Note that I am not saying that it is a bad idea to have something such as gem maintained by the ruby core team, I totally understand the reason for this, and I also pointed at the example of rust/cargo. However, the infrastructure shouldn't be a money-injection team for the ruby core team - the moment this happens is the moment things no longer work here. And ruby isn't merely the part designed by the core team; it also isn't just rails - you had many more people who contributed to ruby in the form of the ecosystem. Granted, many projects are abandoned (this is also a problem for rubygems.org by the way) but at the least this used to be true in the past.
In a way this is all a bit rubbish, because we see MIT/BSD licences, so people could just fork ruby (not that this is likely; I haven't seen anyone object to matz being an excellent language designer. I also don't think it is a problem if matz and the core team profit from this financially, that's perfectly fine. But the whole ecosystem shouldn't be in such a top-down control where corporations just buy their way into things, with DHH making snide remarks on his blog ("we got rid of the boys controlling the infrastructure now") all of the time while on Shopify's payroll - that is no longer a fair playing field here. Everyone can see this.)
Also, if matz made the decision weeks ago and told Hiroshi to do so, HOW was this fair to Mike McQuaid? The latter said he tried to act as man in the middle. But if the decision was made to finalize on this already prior to that, was Mike told that? If not, how is that fair? Either way I guess Mike gets the most praise from all sides simply for trying.
We'll see what happens, whether people love the new corporate-controlled rubygems.org or prefer gem.coop (which, admittedly, still has to deliver). I favour the latter, like the rising phoenix from the ashes - in part because I hated the new corporate rules that were installed onto rubygems.org, including the crap 100,000 download limit, but in part also because I feel that if gem.coop gets enough momentum overall, they can actually begin to solve NUMEROUS issues in the ruby ecosystem, from documentation to namespaced accounts (users and the ruby code as such, see duckinator's proposal) and so forth. Considering the damage shopify caused while wanting to control more of the ruby ecosystem, I expect them to now send more workers to go and improve rubygems.org as much as possible - and not ruin things in the process. Otherwise they would have only caused damage without any real gains.
The biggest loser in this are actually the folks at RubyCentral. Because ... what have they really ever done for the ruby community? Which high profile gems have they maintained? Just throwing fancy parties isn't going to cut it - Titanic was also sinking when it hit an iceberg. RubyCentral may still celebrate while sinking ...
> Now this is confirmed - it was a matz directive.
I did not see any confirmation in this announcement, am I missing something?
Speaking of Phoenixes this whole debacle made me start diving into Elixir/Phoenix. My first impression is that I much prefer Ruby as a language, however I'm struggling to even think of using Rails currently.
They were stolen from André Arko, Colby Swandale, David Rodríguez, Ellen, Josef Šimánek, Martin Emde and Samuel Giddins.
Joel Drapper is fibbing & playing memory games in a weird attempt to exert ownership over the community. It’s good to hear someone credible set the record straight.
When you left RubyGems and Bundler (let's call them "Projects") team, you handed over your authority to whoever was left and/or was added later. It doesn't matter in which order things happened. What matters is that Ruby Central _and the rest of the team_ were the stewards of Projects. The important part here being _and the rest of the team_. André had every right to keep being part of that team, and he was for a long time, together with many other team members, all of which were removed by "a representative from Ruby Central". What an inhuman way to remove someone from a Project. "Hire" someone to do the dirty job for you so you don't have to. The decisions in a team should be done by reaching a team consensus. Not by one actor. I believe it's for the better that André was removed from the team, but it shouldn't have been done like this. Ruby Central lost their trust in the eyes of many. They could've achieved the same goal in a much better way. How can I trust an organization with management of something if they failed to manage this whole situation? Claiming this is all in the name of security and then not even knowing how to properly remove access from someone. So much about security...
It may be best in the future direction to have Ruby Central's role on RubyGems and bundler completely eliminated and simply just hand them over to Ruby Core and Ruby Foundation in Japan. I will gladly donate just to avoid any more US politics and drama.
What was your maintainership status when this all kicked off? Were you one of the owners removed by HSBT?
As long as Matz is involved, I have a lot of faith things will get better, not worse, unless you have some strong indication of otherwise. If anything, because things will be nicer.
NPM was a company and it was acquired and it was voluntary. I don't think you can compare it to this situation - this is more of a messy situation with all the open source collaboration, rather than having clear ownership in a single entity:
https://github.blog/news-insights/company-news/npm-is-joinin...
Or are you referring to the pre-2014 situation where NPM wasn't VC Funded, but in a more nebulous state? It didn't last that long.
Where is the theft? The projects were open source, they are still open source.
The name is not for the taking. You can download the code, modify and release it, but you can't just claim ownership over a product.
- gem.coop -> the person behind it has a new tool, rv, that they want to sell
- they want to sell the rubygems logs to corporations
- changed the root password at AWS once they were removed from the project
Small details like this.
They want to sell some RubyGems logs about corporations (not individuals) using RubyGems API, to...Ruby Central?
As André explained on his site, he was on-call at the time when they were removing him. He acted to protect the service by limiting access. No harmful actions done by him were ever discovered by Ruby Central. It's two entities fighting to remove the other. You can say Ruby Central was right, I can say André was right. But we do know that Ruby Central fired the first shot when they (could've been an actual hacker) removed literally everyone from RubyGems and Bundler projects.