There is some more context on a post[1] in /r/ruby, including the fact that the maintainers and others had been working on a proposal[2] for a formalized organizational governance structure as recently as yesterday. The latter also adds some context into Mike McQuaid's involvement: the proposal was influenced by the structure put in place by the Homebrew project.
I'm trying to help, where I can, to mediate. On a call right now about this. Had 4 in the last 24 hours with affected parties past and present on both sides.
I'm not involved beyond just caring a lot about Ruby.
TL;DR: I've been given a lot of private nuance from both sides here but, even just based on how the two sides have treated me personally, it's very hard not to put the blame primarily on RubyCentral. I've been a maintainer on Homebrew for 16 years: it's a hard job. If in doubt: I'll side with maintainers.
> We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of *openness and collaboration*
- The bolded part doesn’t track with locking out the entire team without notice or explanation.
- “Thanks for the hard work, the adults will take it from here” rarely works out.
> We thank the maintainers and respect their legacy.
After removing them without explanation, cutting them off projects they have maintained over a decade and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated.
So essentially they randomly cut off a bunch of long time maintainers for some vague legal and/or security reasons. If there was real reason to do that in a hurry, that's what we need to see, not a corporate PR message.
100%. I assumed this was inspired by the supply chain attack, but what a horrible way to address this. Reverting it back before revoking it a second time is even more bizarre. Severely mixed messages from leadership, perhaps?
It’s not clear to me - did they entirely cut them off, or did they reduce their role as admin of the GitHub org?
If so, I'm not defending it, and I could understand why someone would feel insulted by that - but also get why an org doesn't want too many with elevated privileges.
If they're trying to strengthen security, this feels like an odd way to go about it.
Making unplanned unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over, feels risky and not a great way to improve people's trust in their governance.
> Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone.
The other people I know who had their accesses removed have resigned from RC a while ago, and the one I still see with access on https://rubygems.org/gems/bundler are people I know are currently employed or contractors.
As far as I can tell, this part of the Ruby Central statement seems to check out. Now you can of course debate whether commit rights should be limited to employees, but I have no indication that they lied here.
It’s entirely possible to distinguish between legit internal communication and a phishing email. (It gets harder and harder every day but ultimately still possible)
* Get appointed as paid managers of a non-profit
* Get advice from legal
* Legal suggests removing long-term maintainers without liability contract the same way people get fired: immediately and instantly, and screw the consequences. "Open-source? Never heard of it. Protect your entity legally"
* Instantly follow the advice of the lawyers to the letter.
Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also liability, but those accounts being compromised just hasn’t been what is happening.
It's been a while but if memory serves me correctly the controversy at that time was actually about him unilaterally deciding that people at basecamp shouldn't be talking about politics in off-topic slack channels after people started trying to organize support for something he didn't agree with. IIRC something like 1/3 of the company quit at that time
Am I the only one who feels like discussing politics at work is inappropriate? While I'm not apolitical, I appreciate having a space where the constant bombardment of politics is momentarily absent. It's refreshing to focus on work without the need for political discourse.
Specifically, it was in a meeting called by Jason Fried to address people who were concerned about the ongoing existence of an internal list of "funny customer names" (which by all accounts was extremely racist), in which Ryan Singer (who had reportedly previously posted a fair bit of politically right-wing content on internal forums -- those were all deleted when the "no politics at work" policy was rolled out) repeatedly asserted that white supremacy/privilege did not exist (he then resigned).
In the aftermath, DHH dug through old chat logs to find a time in the past when one of the people complaining about the list participated in a discussion about same without complaint, and posted it in a way that was visible to everyone saying that their prior participation meant that their current complaint was invalid.
Then they rolled out the no-politics-at-work policy in this post dated April 26 2021 -- I would encourage anyone interested in the specifics to read through the various versions and edits of this post made in the week following, all without noting that it was being actively changed: https://world.hey.com/jason/changes-at-basecamp-7f32afc5
I’m not seeing how this is related to the subject of the thread. But also, I think DHH’s politics are manifestly controversial: downplaying that doesn’t make for a good argument.
Yes, the argument was: You shouldn't freeze the bank accounts of people (trucker or not) just because you disagree with them. I don't see how this can be seen as controversial. The relation to the subject of the thread is Ruby Central. Here's the relation: https://www.mermaidchart.com/play#pako:eNqrVkrOT0lVslJKL0osy...
I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile take-over, and that that would expose Ruby Central to some legal liability, if not a complete loss of control.
I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath.
Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are now squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again."
...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now...
1. You lock everyone out of the org for whichever valid but idiotic reason.
2. The instant you do, you send them all an email explaining the situation.
That’s how you do it in those cases. You don’t blindside them and then wait for them to react, restore their access back (which totally negated and nullified the “I wanted to preempt a takeover attempt” argument) and continue to skulk around instead of being open about it.
Ruby Central is not a large organization by headcount, but in terms of impact, it is massive. Any person up to the task of leading an organization like this must know that drastic, public action involving long-term contributors will necessarily require an explanation. Inevitably. They must also know that in an information vacuum, people will assume the worst.
This is not difficult to foresee.
I truly hope this is settled without too much collateral damage, and I hope that the people in leadership learn a lesson about communication.
You're completely right. In a generous interpretation, having so little communication over such a long period is where this went wrong. In any case, having your highly-tenured team dissolve and feeling like things were "hostile," is an indicator that you'll need to do better. Then again, who knows what the goal actually was? Maybe this went perfectly to plan. Given there was nothing approaching an acknowledgement of regret or apology in the press release, maybe this went exactly to plan.
Feel bad for the RubyGems community, sending my gratitude and empathy. Ruby was a leap in my career, and I have a soft spot for the language and community.
I'll wait for RubyCentral's side on this, but on the face of what's written, these actions do not seem to be transparent or in good faith. Is there something posted from RubyCentral's side?
I wish the Ruby community strength, and a transition over to a community-owned org, one way or another.
(With NPM, WordPress, now this - seems like package repositories are becoming a flashpoint of corporate takeovers..)
> The unstated reason for this change was that many of the existing Rubygems maintainers have recently quit (including their only full-time engineer) due to their continued relationship with DHH.
Can someone expand on what this means? Is it a continued relationship between Ruby Central and DHH, or the maintainers and DHH? Why does the other party have a problem with that?
EDIT:
It seems the post was clarified since I copy/pasted this, and it's RC and DHH. Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.
Claiming otherwise is just a roundabout way of saying "you must actively support my agenda at all times, otherwise I will consider you my enemy, even if you take a neutral stance" that political activists love to use to pressure normal people into supporting them.
Inaction is a manifestation of one of two things: ignorance, or conscious decision to not act. I agree that strictly only the latter can be considered an act, while the former .. well. Not an act, but then the question arises if an unconscious person can even be considered a person _in_relation_to_having_a_conversation_with_them_. That last point I must even more press.
I think this is what we are discussing. Please share your viewpoint on this.
> Inaction is a manifestation of one of two things: ignorance, or conscious decision to not act.
Under which of these categories would you classify the following assertion:
> As much as I've learned about subject X, I still feel that neither I — nor most people who are already acting, for that matter — truly have enough information to take an informed stance here, as the waters are being actively clouded by propaganda campaigns, censorship, and false-flag operations by one or both sides; and I believe that acting without true knowledge can only play into someone's hand in a way that may damage what turns out to be an innocent party I would highly regret damaging, when this all shakes out a decade down the line. I find myself too knowingly ignorant to conscientiously act... yet I also do not highly prioritize gaining any more information about the situation, as I have seemingly passed the threshold where acquiring additional verifiable and objective information on the conflict is cheap enough to be worth it; gaining any further knowledge to inform my stance is too costly for someone like me, who is neither an investigative journalist, nor a historiographer, nor enmeshed in the conflict myself. So I fear I must opt out of the conflict altogether.
I find myself increasingly arriving at exactly this stance on so many subjects that other people seem to readily take stances (and allow themselves to be spurred to action) on.
I suppose I may differ from the average person in at least one way — that being that, if I were tricked into harming innocent parties, I would hold myself to account for allowing myself to be tricked, rather than externalizing blame to the party responsible for tricking me. After all, only by my learning a lesson in avoiding being manipulated, do I actually lessen the likelihood of the next innocent party coming to harm. Which is a lot more important to me, in a rule-utilitarian sense, than is avoiding social approbation for not taking a stance.
> maintainers have recently quit (including their only full-time engineer) due to their continued relationship with DHH.
Ehh, what?! Basically 0 developers in the US have quit as a protest against literal totalitarianism, major and obvious corruption, the end of vaccines (will kill countless) and the end of USAID (already killed.. how many kids?).
But, sure, DHH.. that's where we draw the line!
FFS
Edit: maybe I misunderstood why they quit, quite confused. Still..
Edit 2: Unclear if this has anything to do with DHH? And it turns out I also disagree with some of his views. But, it still stands, he's writing a blog, not literally killing kids. Where's the mass quittings for those people?
Ok... wow. I was willing to give the benefit of the doubt, but hearing him decry the lack of "native Brits"[0] and support the Tommy Robinson march is... something.
> In 2000, more than sixty percent of the city were native Brits. By 2024, that had dropped to about a third.
In the linked article, DHH links out to a Wikipedia article titled "Ethnic groups in London"[0].
He then uses a statistic that "only a third" are native Brits in 2021, which roughly lines up with the "White British" line in the chart.
You can argue that "white supremacist" is a charged and problematic term, but I'd say that "Here he complains about too many brown people in London." is a fairly accurate representation of the article. I'd say "disgraceful slander" is a bit too strong as a rebuttal.
No dog in this race but, as an outsider, it's always seemed really odd that some countries (Japan sticks out) are allowed to prioritize cultural preservation but European countries are not.
That's an interesting observation and I think it comes down to immigration policy. I haven't actually looked into it but I've heard that Japan basically doesn't allow for long-term immigration, except probably in exceptional cases like PhDs.
Where EU countries (I know this excludes the UK but it didn't for a long time) allow easy long-term immigration by EU policy. Even with Brexit, I don't think that culture of easy immigration is going to just up and disappear. So having a culture and/or policy of easy immigration alongside "well, actually, not those guys" where "those guys" includes anybody who's not already culturally/ethnically part of the nation is, minimally, counter-productive and perhaps a bit hypocritical.
There aren't a whole lot of people celebrating Japan's immigration policies. Further, their policies have been around for quite some time. It's one thing to continue enforcing decades old policies and quite another to create those same policies today.
A very ironic example is that Americans moving to Mexico is seen as bad, whereas Mexicans moving to the US is seen as necessary by the left...
In Canada here, we have land acknowledgements and it's politically correct to say we stole the land and should give it back to the natives. Then when native Europeans want to keep their land, it's white supremacy...
Just double checked, there is a separate section of the article that has the "foreign born" population of London, which is 36%, so he's definitely excluding any non-white English people there.
In my opinion, initially I thought "Oh David's been sucked into some kind of social media bubble (on X) or disinformation space", but then as I read the post, down to the bit where he started talking about "demographic replacement", I came to the view that this is who he is as a person.
This is only one of many examples over years of DHH’s ideology. Analyzing this one instance (the most recent) does not change anything, this is a drop in a bucket
Don't write long blog posts about how your country doesn't have enough white people (and should start deporting brown people) and you won't be called a white supremacist. Pretty simple.
The recent actions taken by Ruby Central - removing long-time RubyGems and Bundler maintainers without warning, seizing administrative access, and consolidating control under a small, centralized group - represent a serious breach of trust within the Ruby ecosystem.
This was not a misunderstanding. It was a hostile takeover of key infrastructure, undermining both the long-standing maintainers and the broader community that relies on RubyGems and Bundler every day.
The Ruby ecosystem thrives on collaboration, openness, and mutual respect. What we've witnessed over the past week violates those principles. Ruby Central's actions - unilateral access revocations, exclusion of experienced volunteers, and refusal to engage in transparent dialogue - are not just organizational missteps. They're a threat to the decentralized and community-driven spirit that has sustained Ruby for decades.
I oppose this power grab.
Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.
If Ruby Central is serious about supporting the Ruby community, they must:
- Immediately restore access to all maintainers removed during this incident.
- Publicly commit to a transparent, community-driven governance model, similar to what the RubyGems team had begun drafting.
- Respect the autonomy of open source maintainers, regardless of whether they are employed by Ruby Central.
- Acknowledge the harm caused by these actions and engage in meaningful dialogue to rebuild trust.
The Ruby community has always been about people - diverse, passionate, and united by a love for a beautiful language. It's time we demand that the institutions claiming to represent us act accordingly.
And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central and ultimately; if all else fails, we must build and maintain our own infrastructure unencumbered by these shenanigans. Also, in order to re-establish trust in the community; the people responsible for causing this ruckus should be fired.
> "Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of openness and collaboration."
what do they mean by openness, it doesn't even say who wrote this
> Why did you include that list of sponsors at the bottom of your post?
Clearly, that was because this information directly supports readers following through on the call to action: “And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central”. That’s obvious.
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
Yes, both the original PDF and the RubyCentral statement explicitly refer to admin status being made contingent on being a full-time employee of RubyCentral. If you just mean no one has explicitly brought up the ideological angle, well, that’s a fairly easy concern to reach with something being contingent on employment at a particular nonprofit, so it would be weird to interrogate like this even if you had clearly focussed on just that point.
The cancellation of DHH's keynote was purely political. At that time, RubyCentral's response was similarly uncommunicative and their explanation was BS.
> Why did you include that list of sponsors at the bottom of your post?
The paragraph immediately preceding the list begins with a sentence mentioning the sponsors. How did you not see this?
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
“not been mentioned anywhere else” is false. If you click on the PDF linked to in this very post it mentions that only full time employees of RubyCentral maintained access to their GitHub account.
I find it ironic that you’re so quick to question whether something is LLM-authored given that you write so much about using LLMs.
The post is quite clear? They call on the sponsors to stop funding ruby central, and the employment status bit is a clear concern extending from ruby central’s supposed takeover.
Read the post more clearly before accusing someone of LLM usage. And even if it is, they are still valid points to be discussed, as opposed to trying to bury it with an LLM accusation.
I brought up LLM usage precisely because the two things I called out here are weird - the kind of details an LLM might add.
If that's what happened then it's bad because it leaves people who read the comment confused - hence my questions asking about those.
If the author confirms that those pieces I asked about serve an intentional purpose then I don't care if they used an LLM or not.
My problem isn't with using LLMs to help write comments - there are plenty of reasonable reasons for doing that (like English as a second language). My problem is letting an LLM invent content that doesn't accurately represent the situation or reflect the LLM user's own position.
(The author could also say "I didn't use an LLM", which notably they haven't done elsewhere on this thread yet.)
It is indeed surprising such change wouldn't be immediately followed by a public announcement, but they've been founding and managing RubyGems for a very long time now, so it's not even clear to me how this can be a "takeover".
I'll happily join with my pitchfork if it turns out this is indeed a malevolent move, but until I've read their side of the story, I'd rather wait and see.
Well, we have all of Ruby Central's actions including their action to not be more public during these actions. Their actions are their story. If their actions don't communicate their intent, that is on them to handle that in a professional way to not be in this situation.
Organizations are necessarily slower to communicate than individuals, give them a couple days. People need to chill out before jumping to conclusions like that.
Organizations should not do things like this without having their communication done in advance. They knew what they were going to do, so they should have the blog post explaining exactly what and why they were doing to release (at the latest) at the same time.
What why? An organization is made up of individuals who had a heads up because they had a bunch of meetings and made the decision to do this, if anything they had a head start on communication. Their silence is their choice.
They couldn't email longtime contributors with a heads up, here's what's happening before revoking commit rights and making changes like this? That's nonsense.
is this becoming the latest way to attack an idea? instead of engaging with the actual content you just claim it is AI and therefore it can be ignored? seems disingenuous to say the least.
Overuse of rule of three, cliches like "This was not X. It was Y." and similar, obligatory bulleted list, overall overly grandiose. None of these are a smoking gun, but the smell is definitely here. AI detection tools also confirm my suspicions. I don't have a horse in the race in regards to the content, since I'm not a Ruby developer, I would just prefer to not see AI-written comments on HN. If this is so important, you can take the time to type it out yourself.
It's pointing out that the person who posted something couldn't be bothered to actually write it themselves. The "content" is the prompt, which is of course never shared because it's probably so trite that it's not going to get anyone's interest unless it's stochastically decompressed into a large amount of text.
Like the sibling commenter, I do not write Ruby and do not care about this conflict apart from a general interest in supply chain stuff. I'm merely tired of the constant encroachment of obvious LLM prose in HN submissions and (albeit less commonly) in comments.
I don't think posts like this: an off-topic reply to a post where the same off-topic topic has already been killed, will have the effect you want it to have.
Unless that effect is to make yourself more angry and to have your comments downvoted in order to feel more righteous and to justify your behavior... but otherwise this won't change anything.
Please do write a blog post about, and feel free to share it on HN.
> Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.
Is there any evidence of this? It's not in the PDF.
Also, this comment is clearly AI and more importantly, it affects the quality. Ex: "It's time we demand that the institutions claiming to represent us act accordingly." It seems "the institutions" have been representing them fine until now, why "it's time"? "This was not a misunderstanding. It was a hostile takeover"..."This was a hostile takeover" (or "is", it's still ongoing). "The recent actions taken by Ruby Central - [list]...Ruby Central's actions - [different list]"...the comment tries to explain what Ruby Central has done and what the maintainers demand, but it's vague and disorganized; the linked PDF is better.
Could someone with more insight as to the decision-making at Ruby Central weigh in on what's going on here? Between this and drama with the conferences over the years I'm just confused. They've been busy launching podcasts and doing fundraising, email campaigns and all that. Has there been a change in leadership?
Oh wow. I'm absolutely alarmed after reading that. To be honest, I had been wondering if some of the PR disasters this year could be laid on Rhiannon's shoulders, but it sounds like the rot is coming from the top.
Yikes! At least they'll have someone "results-driven, client-focused," and "driving stakeholder engagement", because that's really what a software repository needs.
I took comfort in the fact that the ruby community seemed miraculously immune from these petty disputes and takeovers from the benevolent entity running the service. Seems like that’s not the case anymore :(
I've been a ruby user for almost 15 years. I've been to several RubyConfs in that time. I have never found that to be true. It's a thin veneer over rampant toxicity and political extremism. Many of the evangelists in the Ruby community garnered a horrible reputation outside of Ruby, then migrated to insular social media applications which no one uses, causing the slow and persistent decline in the popularity of the language.
Although I haven't been in the ruby community as long as you, I have been to two RubyConfs. I didn't notice any overt toxicity or political extremism when I went but I'd be interested to hear more about your experience if you don't mind sharing?
Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?
I think the missing piece here is that almost every person publicly involved with RubyGems’ development has left the project in recent weeks. I don’t have any special insight here, but from an outsider’s perspective it seems as though Ruby Central is trying to turn a former “host” relationship into a “control” relationship.
I think you're right, but I suspect the root here is one of legal liability - if rubycentral is operating as a nonprofit that hosts _a recurring attack vector on other companies_, they'll have legal obligations to secure that service against those attacks. I assume they are continuously deploying out of that repository, and took the simplest route to controlling the attack vectors?
I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here).
That would be a pretty broad assumption of liability: I'm not very involved in Ruby but I am involved in Python packaging, and to my knowledge there's been no similar discussion around the PSF's keys-to-the-code control over PyPI (which is in a similar position in terms of supply chain attack vectors).
In other words: that argument is interesting, but it feels strained to me :-) -- I don't think RubyGems or Ruby Central is actually legally liable in this way (or if they are, it suggests a failure of clarity in their EULA/TOS).
Well.. "legal liability" is kind of a complex topic. Usually what really matters isn't "what the courts will actually determine if such a case is brought" it's "how much will it cost to prove that lack of liability, and what is the risk that we are wrong?". I also don't believe that such an organization is liable for anything beyond negligence, but whether the lack of an action constitutes negligence is .. well, one can rarely be totally confident in the outcome of that kind of proceeding.
and I doubt you could ever get negligence to stick, given you are downloading code from some website and running it, on your own accord, entirely unprompted
For those like me who are not Ruby users/devs, it might be good to explain who exactly Ruby Central is? I assumed they were analogous to Python Software Foundation or Linux Foundation etc. as the entity of maintainers/owners/whatever of Ruby.
But it seems that they have nothing to do with the ruby-lang.org site where the Ruby binaries itself are distributed. Instead, their own site appears to primarily list them as responsible for organizing an annual conference?
And who owned the RubyGems infrastructure before this takeover? The website (and domain that the client actually calls to get the gems, presumably) seem to have already been part of Ruby Central, so what exactly changed here ownership wise, beyond just kicking the maintainers?
(unrelated -- seeing a mention of DHH here reminded me that I haven't seen anything of the Matt/WP drama in a long time on HN -- time to go Google whatever the resolution of that was)
Until a few years ago, RubyCentral was very similar to the Python Software Foundation in that it managed all the infrastructure and the main conferences - everything except language development.
A few years ago, RubyCentral lost power when the Rails Foundation was created (most of the Ruby world revolves around Rails). The Rails Foundation organizes its own yearly conference, and RubyCentral stopped hosting theirs.
However, RubyCentral still controls the package management tools and the package registry.
Welp, so there goes another ecosystem I considered exploring.
What almost surprises me the most, is that such a mature ecosystem still doesn't have a formalized governance structure after all this time. How common is this among large and widely-used open source projects?
The problem with package managers is that they are quite expensive to run, so hard to manage in an otherwise open source ecosystem. There was some controversy around NPM before the GitHub acquisition https://www.businessinsider.com/npm-cofounder-laurie-voss-re..., which I guess is the exact problem a non-profit such as RubyCentral tried to solve.
I would think GitHub would be quite well-positioned to set up infrastructure around a fork of RubyGems if things fall apart.
I don't understand yet how that relates to formalizing your decision structures as a group.
I'm sure NPM as a company has some form of decision hierarchy and RubyCentral does as well, but it seems like Ruby Gems doesn't (or didn't). I learned the hard way that writing this down is one of the first things you should do in any kind of group formation process.
I get that organically grown tech projects don't have that from the start (and that they might not immediately recognize that they're a group at all), but I'd reckoned that an organization of the size of Ruby Gems, with such an importance, would have taken care of that a while ago and I think it's quite irresponsible that they didn't.
Hasn't Ruby Central always 'owned' RubyGems.org, Bundler, and all related infra?
Removing existing maintainers from the project isn't good - and hopefully it's a temporary oversight as Ruby Central gets things set up in the new org. Either bad communication from Ruby Central - or they really did make a bad mistake here (maybe even with the best intentions, given recent NPM issues).
Edit: It seems like there's a lot more to the story here. Many volunteer RubyGems/Bundler maintainers have left because they disagree with decisions that Ruby Central (the nonprofit organization) has made and it seems like all of this is fallout related to that.
Copy-pasted below for posterity in case it goes down because I think this is a huge deal:
## Ruby Central’s Attack on RubyGems
Hi! I’m Ellen, but you probably know me as duckinator or puppy.
I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.
I have been part of the Ruby community since I was 13, and one of the RubyGems maintainers for the last decade.
This community has helped me through very hard times, and you mean the world to me.
One of the most important lessons I learned from y’all is this:
> A person’s character is determined not only by their actions,
> but also the actions they stay silent while witnessing.
## This Month Has Been A Fuck Of A Year
This is what unfolded between September 9 2025 and September 19 2025, as I understand it.
On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
- renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
- added non-maintainer Marty Haught of Ruby Central, and
- removed every other maintainer of the RubyGems project.
He refused to revert these changes, saying he would need permission from Marty to do so.
On September 15th, this maintainer said he restored the previous permissions after talking with Marty. Marty stated the deletion was a “mistake” and “should never have happened”.
The “restoration” kept a notable change: Marty was now an owner of the GitHub enterprise.
The RubyGems team responded by immediately beginning to put in place an overdue official governance policy, inspired by Homebrew’s.
On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.
By doing this, he took control for himself and other full-time employees of Ruby Central.
Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org.
I will not mince words here: This was a hostile takeover.
## My Stance On This
I consider Ruby Central’s behavior a threat to the Ruby community as a whole.
The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.
When called out, these changes were mostly reverted. Then, it was done again.
By crossing that line a second time after being called out for it, Ruby Central has made it extremely clear to me that they are not engaging in good faith.
Ruby Central’s behavior has forced my hand. I refuse to watch this without speaking up.
I am resigning from my position at Ruby Central, effective immediately.
To remove any doubt: Ruby Central unilaterally, with no explanation, revoked all access to RubyGems against both my wishes and the wishes of the entire RubyGems team.
They tried to cancel Matz for not supporting weird DEI corporate speak in the TOS, they've been trying to cancel DHH for years for his mild conservative lean.
There's also a weird contingent who keep trying to push stuff like TypeScript for Rails and typing for Ruby, at one point they wanted to fork Rails when DHH made Hotwire default (they wanted React), etc..
Outside the weird US corporate bubble, Ruby is doing just fine. Japan, Europe, Canada, etc... Rails World gets bigger and bigger, Ruby Kaigi is growing, etc...
Also, do you watch his podcast? His host (who's literally also one of his employees) is a black woman. Not proof he's not racist, but suggests probably not.
Unless you just assume anyone to the right of you equals racist, which lots of leftists do. Which is one of many reasons why the global right is rising...
I love seeing where Ruby Kaigi is going. Do you happen to have a link regarding a cancel against Matz? I'm often heads down and am genuinely curious to know more.
A very biased take to be sure. Who is the "they" you are referring to? Who is "the American Ruby community"? Sounds like a thinly-veiled attack on "leftists".
I know plenty of Rubyists in Europe who these days find DHH as a person to be completely odious, not to mention a maintainer in violation of CoC.
IMHO he violated the CoC of the Turbo project. FWIW, I'm by no means a TypeScript guy so I was even sympathetic to his general ideas on that topic. But his handling of it was terrible.
Look I don't even know what sides the various actors in this spat would see themselves on so don't consider what I'm about to say as an endorsement of their beliefs because I don't know what they are.
That being said the freedom of (non-)association is one of the few non-violent means to signal your disapproval of someone else in a way that actually matters. The fact that folks are insulated from the consequences of their actions I think is a big part of how we got here. People spew hateful nonsense and sling accusations at each other that in person would get their teeth knocked out. Refusing to work with or collaborate with someone you consider to be distasteful is pretty mild and not terribly unreasonable even if it makes things awkward.
I can't exactly blame someone for acting on their conscience even if I don't like it. Working with someone you are at odds with despite your differences I consider praiseworthy but obligatory.
I know it's against the content policy on HN but I really wish I could reply with that gif from Veep where she's nervously laughing while mouthing "what the fuck".
There is some more context on a post[1] in /r/ruby, including the fact that the maintainers and others had been working on a proposal[2] for a formalized organizational governance structure as recently as yesterday. The latter also adds some context into Mike McQuaid's involvement: the proposal was influenced by the structure put in place by the Homebrew project.
[1]: https://old.reddit.com/r/ruby/comments/1nkzszc/ruby_centrals...
[2]: https://github.com/rubygems/rfcs/pull/61
I'm trying to help, where I can, to mediate. On a call right now about this. Had 4 in the last 24 hours with affected parties past and present on both sides.
I'm not involved beyond just caring a lot about Ruby.
I know nothing about the Ruby ecosystem, but I really do appreciate that someone cares that much to mediate this mess. Thank you.
Posted an update in a thread (or whatever you're meant to call it) on Bluesky: https://bsky.app/profile/mikemcquaid.com/post/3lz7klsyue22f
TL;DR: I've been given a lot of private nuance from both sides here but, even just based on how the two sides have treated me personally, it's very hard not to put the blame primarily on RubyCentral. I've been a maintainer on Homebrew for 16 years: it's a hard job. If in doubt: I'll side with maintainers.
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler
https://rubycentral.org/news/strengthening-the-stewardship-o...
> We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of *openness and collaboration*
- The bolded part doesn’t track with locking out the entire team without notice or explanation.
- “Thanks for the hard work, the adults will take it from here” rarely works out.
> We thank the maintainers and respect their legacy.
After removing them without explanation, cutting them off projects they have maintained over a decade and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated.
So essentially they randomly cut off a bunch of long time maintainers for some vague legal and/or security reasons. If there was real reason to do that in a hurry, that's what we need to see, not a corporate PR message.
100%. I assumed this was inspired by the supply chain attack, but what a horrible way to address this. Reverting it back before revoking it a second time is even more bizarre. Severely mixed messages from leadership, perhaps?
It’s not clear to me - did they entirely cut them off, or did they reduce their role as admin of the GitHub org?
If so, I'm not defending it, and I could understand why someone would feel insulted by that - but also get why an org doesn't want too many with elevated privileges.
According to the author's PR where she removed herself as a maintainer, she lost commit access.
https://github.com/rubygems/rubygems/pull/8987
If they're trying to strengthen security, this feels like an odd way to go about it.
Making unplanned unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over, feels risky and not a great way to improve people's trust in their governance.
> Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone.
> Several of the people removed are employees or contractors of Ruby Central.
Who?
> Not to mention it's post-facto in that they did all of this before notifying anyone.
Isn't that pretty much the number one rule when restricting accesses? First remove accesses, then communicate?
At least Ellen Dash. The author of the pdf the post links to.
They haven't been contracted by Ruby Central since May by their own account: https://bsky.app/profile/duckinator.bsky.social/post/3lz7lec...
The other people I know who had their accesses removed have resigned from RC a while ago, and the ones I still see with access on https://rubygems.org/gems/bundler are people I know are currently employed or contractors.
As far as I can tell, this part of the Ruby Central statement seems to check out. Now you can of course debate whether commit rights should be limited to employees, but I have no indication that they lied here.
Totally reads like post-facto CYA. They could have communicated this to the maintainers internally beforehand instead of blindsiding them.
The NPM breach was an email that stated the dev needed to update their MFA by the next day in order to keep their access.
If you're arguing that is what ruby central should have done, that's a social engineering attack.
It’s entirely possible to distinguish between legit internal communication and a phishing email. (It gets harder and harder every day but ultimately still possible)
It reads like lawyers and auditors took over RubyCentral.
- Get appointed as paid managers of a non-profit
- Get advice from legal
- Legal suggests removing long-term maintainers without liability contract the same way people get fired: immediately and instantly, and screw the consequences. "Open-source? Never heard of it. Protect your entity legally"
- Instantly follow the advice of the lawyers to the letter.
Well done, well done.
it's the professional management class at it again
see: mozilla, nominet (recovered, thankfully)
Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also liability, but those accounts being compromised just hasn’t been what is happening.
[flagged]
Your last sentence reads like a weird swipe: as best I can tell, there's no cultural war dimension to this whatsoever?
[flagged]
It's been a while but if memory serves me correctly the controversy at that time was actually about him unilaterally deciding that people at basecamp shouldn't be talking about politics in off-topic slack channels after people started trying to organize support for something he didn't agree with. IIRC something like 1/3 of the company quit at that time
Am I the only one who feels like discussing politics at work is inappropriate? While I'm not apolitical, I appreciate having a space where the constant bombardment of politics is momentarily absent. It's refreshing to focus on work without the need for political discourse.
Specifically, it was in a meeting called by Jason Fried to address people who were concerned about the ongoing existence of an internal list of "funny customer names" (which by all accounts was extremely racist), in which Ryan Singer (who had reportedly previously posted a fair bit of politically right-wing content on internal forums -- those were all deleted when the "no politics at work" policy was rolled out) repeatedly asserted that white supremacy/privilege did not exist (he then resigned).
In the aftermath, DHH dug through old chat logs to find a time in the past when one of the people complaining about the list participated in a discussion about same without complaint, and posted it in a way that was visible to everyone saying that their prior participation meant that their current complaint was invalid.
Then they rolled out the no-politics-at-work policy in this post dated April 26 2021 -- I would encourage anyone interested in the specifics to read through the various versions and edits of this post made in the week following, all without noting that it was being actively changed: https://world.hey.com/jason/changes-at-basecamp-7f32afc5
“No politics at work” except for Dave who spends company time posting political blog entries on his company built platform.
FWIW I captured a timeline of events in this post but a lot of the Twitter links are dead now. https://schneems.com/2021/05/12/the-room-where-it-happens-ho...
I’m not seeing how this is related to the subject of the thread. But also, I think DHH’s politics are manifestly controversial: downplaying that doesn’t make for a good argument.
Yes, the argument was: You shouldn't freeze the bank accounts of people (trucker or not) just because you disagree with them. I don't see how this can be seen as controversial. The relation to the subject of the thread is Ruby Central. Here's the relation: https://www.mermaidchart.com/play#pako:eNqrVkrOT0lVslJKL0osy...
that’s a lot of words to write “we did a hostile takeover”
It might have been a good idea to do that communication BEFORE creating all that drama.
So uh… “compliance reasons”? That sounds rather concerning.
I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile take-over, and that that would expose Ruby Central to some legal liability, if not a complete loss of control.
I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath.
Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are now squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again."
...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now...
1. You lock everyone out of the org for whichever valid but idiotic reason.
2. The instant you do, you send them all an email explaining the situation.
That’s how you do it in those cases. You don’t blindside them and then wait for them to react, restore their access back (which totally negated and nullified the “I wanted to preempt a takeover attempt” argument) and continue to skulk around instead of being open about it.
Seconding this.
Ruby Central is not a large organization by headcount, but in terms of impact, it is massive. Any person up to the task of leading an organization like this must know that drastic, public action involving long-term contributors will necessarily require an explanation. Inevitably. They must also know that in an information vacuum, people will assume the worst.
This is not difficult to foresee.
I truly hope this is settled without too much collateral damage, and I hope that the people in leadership learn a lesson about communication.
You're completely right. In a generous interpretation, having so little communication over such a long period is where this went wrong. In any case, having your highly-tenured team dissolve and feeling like things were "hostile," is an indicator that you'll need to do better. Then again, who knows what the goal actually was? Maybe this went perfectly to plan. Given there was nothing approaching an acknowledgement of regret or apology in the press release, maybe this went exactly to plan.
It reads like the confrontation-avoiding Office Space solution: "We fixed the glitch [...] so it will just work itself out naturally."
Feel bad for the RubyGems community, sending my gratitude and empathy. Ruby was a leap in my career, and I have a soft spot for the language and community.
I'll wait for RubyCentral's side on this, but on the face of what's written, these actions do not seem to be transparent or in good faith. Is there something posted from RubyCentral's side?
I wish the Ruby community strength, and a transition over to a community-owned org, one way or another.
(With NPM, WordPress, now this - seems like package repositories are becoming a flashpoint of corporate takeovers..)
Seems relevant: https://ruby.social/@getajobmike/115231677684734669
I'm just reposting it though. I haven't followed any of this myself.
> The unstated reason for this change was that many of the existing Rubygems maintainers have recently quit (including their only full-time engineer) due to their continued relationship with DHH.
Can someone expand on what this means? Is it a continued relationship between Ruby Central and DHH, or the maintainers and DHH? Why does the other party have a problem with that?
EDIT: It seems the post was clarified since I copy/pasted this, and it's RC and DHH. Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.
I clarified the toot.
Thanks Mike, I edited, and asked this:
> Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.
I seem to remember some of DHH's controversy due to banning politics at basecamp or something. Is it related to that?
https://world.hey.com/dhh/as-i-remember-london-e7d38e64
> I seem to remember some of DHH's controversy due to banning politics at basecamp or something. Is it related to that?
I wouldn't be surprised. The presence of this quote in the linked document:
> A person’s character is determined not only by their actions, but also the actions they stay silent while witnessing.
Suggests that the person who wrote it is deeply obsessed with political activism.
Inaction is an action in itself, they are right in this. IDK where you see a deep obsession in a recognition of this obvious fact.
No, inaction is inaction.
Claiming otherwise is just a roundabout way of saying "you must actively support my agenda at all times, otherwise I will consider you my enemy, even if you take a neutral stance" that political activists love to use to pressure normal people into supporting them.
Also consider that many people are not in the US and are not obliged to wade into US politics.
Inaction is a manifestation of one of two things: ignorance, or conscious decision to not act. I agree that strictly only the latter can be considered an act, while the former .. well. Not an act, but then the question arises if an unconscious person can even be considered a person _in_relation_to_having_a_conversation_with_them_. That last point I must even more press.
I think this is what we are discussing. Please share your viewpoint on this.
> Inaction is a manifestation of one of two things: ignorance, or conscious decision to not act.
Under which of these categories would you classify the following assertion:
> As much as I've learned about subject X, I still feel that neither I — nor most people who are already acting, for that matter — truly have enough information to take an informed stance here, as the waters are being actively clouded by propaganda campaigns, censorship, and false-flag operations by one or both sides; and I believe that acting without true knowledge can only play into someone's hand in a way that may damage what turns out to be an innocent party I would highly regret damaging, when this all shakes out a decade down the line. I find myself too knowingly ignorant to conscientiously act... yet I also do not highly prioritize gaining any more information about the situation, as I have seemingly passed the threshold where acquiring additional verifiable and objective information on the conflict is cheap enough to be worth it; gaining any further knowledge to inform my stance is too costly for someone like me, who is neither an investigative journalist, nor a historiographer, nor enmeshed in the conflict myself. So I fear I must opt out of the conflict altogether.
I find myself increasingly arriving at exactly this stance on so many subjects that other people seem to readily take stances (and allow themselves to be spurred to action) on.
I suppose I may differ from the average person in at least one way — that being that, if I were tricked into harming innocent parties, I would hold myself to account for allowing myself to be tricked, rather than externalizing blame to the party responsible for tricking me. After all, only by my learning a lesson in avoiding being manipulated, do I actually lessen the likelihood of the next innocent party coming to harm. Which is a lot more important to me, in a rule-utilitarian sense, than is avoiding social approbation for not taking a stance.
There is no "neutral stance," only ignorance of bias.
https://news.ycombinator.com/item?id=10970937
Didn't RC drop DHH from RailsConf because of his views? Seems weird to think they'd collaborate on a coup or whatever is being suggested here.
> maintainers have recently quit (including their only full-time engineer) due to their continued relationship with DHH.
Ehh, what?! Basically 0 developers in the US have quit as a protest against literal totalitarianism, major and obvious corruption, the end of vaccines (will kill countless) and the end of USAID (already killed.. how many kids?).
But, sure, DHH.. that's where we draw the line!
FFS
Edit: maybe I misunderstood why they quit, quite confused. Still..
Edit 2: Unclear if this has anything to do with DHH? And it turns out I also disagree with some of his views. But, it still stands, he's writing a blog, not literally killing kids. Where's the mass quittings for those people?
what do those things have to do with Ruby? whereas DHH has a clear link
Nothing, I'll give you that. It's just frustrating to see so little action taken against those with actual power who are doing quite horrible stuff
DHH is a white supremacist. Here he complains about too many brown people in London.
https://world.hey.com/dhh/as-i-remember-london-e7d38e64
Over the years, I saw him inching closer to white supremacy. I didn't realize that he's gone this far off the deep end, yikes.
Ok... wow. I was willing to give the benefit of the doubt, but hearing him decry the lack of "native Brits"[0] and support the Tommy Robinson march is... something.
> In 2000, more than sixty percent of the city were native Brits. By 2024, that had dropped to about a third.
[flagged]
In the linked article, DHH links out to a wikipedia article titled "Ethnic groups in London"[0].
He then uses a statistic that "only a third" are native brits in 2021, which roughly lines up with the "White British" line in the chart.
You can argue that "white supremacist" is a charged and problematic term, but I'd say that "Here he complains about too many brown people in London." is a fairly accurate representation of the article. I'd say "disgraceful slander" is a bit too strong as a rebuttal.
[0] https://en.wikipedia.org/wiki/Ethnic_groups_in_London
No dog in this race but, as an outsider, it's always seemed really odd that some countries (Japan sticks out) are allowed to prioritize cultural preservation but European countries are not.
That's an interesting observation and I think it comes down to immigration policy. I haven't actually looked into it but I've heard that Japan basically doesn't allow for long-term immigration, except probably in exceptional cases like PhDs.
Where EU countries (I know this excludes the UK but it didn't for a long time) allow easy long-term immigration by EU policy. Even with Brexit, I don't think that culture of easy immigration is going to just up and disappear. So having a culture and/or policy of easy immigration alongside "well, actually, not those guys" where "those guys" includes anybody who's not already culturally/ethnically part of the nation is, minimally, counter-productive and perhaps a bit hypocritical.
There aren't a whole lot of people celebrating Japan's immigration policies. Further, their policies have been around for quite some time. It's one thing to continue enforcing decades old policies and quite another to create those same policies today.
A very ironic example is that Americans moving to Mexico is seen as bad, whereas Mexicans moving to the US is seen as necessary by the left...
In Canada here, we have land acknowledgements and it's politically correct to say we stole the land and should give it back to the natives. Then when native Europeans want to keep their land, it's white supremacy...
It's a very obvious double standard.
Just double checked, there is a separate section of the article that has the "foreign born" population of London, which is 36%, so he's definitely excluding any non-white English people there.
I used to work at a Ruby on Rails shop many years ago (New Bamboo, now part of ThoughtBot) which is in London.
I got pointed to the blog post, and it was such a strikingly-bad hot take that I had to write a response: http://paulbjensen.co.uk/2025/09/17/on-dhhs-as-i-remember-lo...
In my opinion, initially I thought "Oh David's been sucked into some kind of social media bubble (on X) or disinformation space", but then as I read the post, down to the bit where he started talking about "demographic replacement", I came to the view that this is who he is as a person.
It's shocking and disappointing.
Thanks for your post! Is there a way to add a comment there?
This is only one of many examples over years of DHH’s ideology. Analyzing this one instance (the most recent) does not change anything, this is a drop in a bucket
[flagged]
Don't write long blog posts about how your country doesn't have enough white people (and should start deporting brown people) and you won't be called a white supremacist. Pretty simple.
The recent actions taken by Ruby Central - removing long-time RubyGems and Bundler maintainers without warning, seizing administrative access, and consolidating control under a small, centralized group - represent a serious breach of trust within the Ruby ecosystem.
This was not a misunderstanding. It was a hostile takeover of key infrastructure, undermining both the long-standing maintainers and the broader community that relies on RubyGems and Bundler every day.
The Ruby ecosystem thrives on collaboration, openness, and mutual respect. What we've witnessed over the past week violates those principles. Ruby Central's actions - unilateral access revocations, exclusion of experienced volunteers, and refusal to engage in transparent dialogue - are not just organizational missteps. They're a threat to the decentralized and community-driven spirit that has sustained Ruby for decades.
I oppose this power grab.
Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.
If Ruby Central is serious about supporting the Ruby community, they must:
- Immediately restore access to all maintainers removed during this incident.
- Publicly commit to a transparent, community-driven governance model, similar to what the RubyGems team had begun drafting.
- Respect the autonomy of open source maintainers, regardless of whether they are employed by Ruby Central.
- Acknowledge the harm caused by these actions and engage in meaningful dialogue to rebuild trust.
The Ruby community has always been about people - diverse, passionate, and united by a love for a beautiful language. It's time we demand that the institutions claiming to represent us act accordingly.
And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central and ultimately; if all else fails, we must build and maintain our own infrastructure unencumbered by these shenanigans. Also, in order to re-establish trust in the community; the people responsible for causing this ruckus should be fired.
Ruby-Level Sponsors (Top Tier): Alpha Omega, Shopify, Sidekiq
Gold-Level Sponsor: Flagrant
Silver-Level Sponsors: Cedarcode, DNSimple, Fastly, Gusto, Honeybadger, Sentry
From https://rubycentral.org/news/strengthening-the-stewardship-o...
> "Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of openness and collaboration."
what do they mean by openness, it doesn't even say who wrote this
Why did you include that list of sponsors at the bottom of your post?
What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
Were those parts (or indeed your entire comment) written with the help of an LLM?
> Why did you include that list of sponsors at the bottom of your post?
Clearly, that was because this information directly supports readers following through on the call to action: “And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central”. That’s obvious.
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
Yes, both the original pdf and the RubyCentral statement explicitly refer to admin status being made contingent on being a full-time employee of RubyCentral. If you just mean no one has explicitly brought up the ideological angle, well, that’s a fairly easy concern to reach with something being contingent on employment at a particular nonprofit, so it would be weird to interrogate like this even if you had clearly focussed on just that point.
Where did the ideological alignment piece come from then?
You can read it here: https://world.hey.com/dhh/no-railsconf-faa7935e
The cancellation of DHH's keynote was purely political. At that time, RubyCentral's response was similarly uncommunicative and their explanation was BS.
This is not the first strike.
> Why did you include that list of sponsors at the bottom of your post?
The paragraph immediately preceding the list begins with a sentence mentioning the sponsors. How did you not see this?
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
“not been mentioned anywhere else” is false. If you click on the PDF linked to in this very post it mentions that only full time employees of RubyCentral maintained access to their GitHub account.
I find it ironic that you’re so quick to question whether something is LLM-authored given that you write so much about using LLMs.
The post is quite clear? They call on the sponsors to stop funding ruby central, and the employment status bit is a clear concern extending from ruby central’s supposed takeover.
Read the post more clearly before accusing someone of LLM usage. And even if it is, they are still valid points to be discussed, as opposed to trying to bury it with an LLM accusation.
I brought up LLM usage precisely because the two things I called out here are weird - the kind of details an LLM might add.
If that's what happened then it's bad because it leaves people who read the comment confused - hence my questions asking about those.
If the author confirms that those pieces I asked about serve an intentional purpose then I don't care if they used an LLM or not.
My problem isn't with using LLMs to help write comments - there are plenty of reasonable reasons for doing that (like English as a second language). My problem is letting an LLM invent content that doesn't accurately represent the situation or reflect the LLM user's own position.
(The author could also say "I didn't use an LLM", which notably they haven't done elsewhere on this thread yet.)
What content has been invented?
Maybe none? That's why I asked.
> What we've witnessed over the past week
Who is "we"? And what did they witness?
All we got right now is one side of the story.
It is indeed surprising such change wouldn't be immediately followed by a public announcement, but they've been founding and managing RubyGems for a very long time now, so it's not even clear to me how this can be a "takeover".
I'll happily join with my pitchfork if it turns out this is indeed a malevolent move, but until I've read their side of the story, I'd rather wait and see.
Edit: 35 minutes later, here we go: https://rubycentral.org/news/strengthening-the-stewardship-o...
> All we got right now is one side of the story
Well, we have all of Ruby Central's actions including their action to not be more public during these actions. Their actions are their story. If their actions don't communicate their intent, that is on them to handle that in a professional way to not be in this situation.
> All we got right now is one side of the story
That's because Ruby Central chooses not to communicate. I'm not going to reserve judgment against intentionally mute hostile actors.
Organizations are necessarily slower to communicate than individuals, give them a couple days. People need to chill out before jumping to conclusions like that.
Organizations should not do things like this without having their communication done in advance. They knew what they were going to do, so they should have the blog post explaining exactly what and why they were doing to release (at the latest) at the same time.
What why? An organization is made up of individuals who had a heads up because they had a bunch of meetings and made the decision to do this, if anything they had a head start on communication. Their silence is their choice.
Based on the OP, the initial changes were made 10 days ago - more than enough time to communicate something publicly.
They couldn't email longtime contributors with a heads up, here's what's happening before revoking commit rights and making changes like this? That's nonsense.
[flagged]
Your account was created 5 minutes ago. Your username is "clanky". That's hilarious.
For future reference, the flagged parent comment was: "Slop."
[flagged]
what are these hallmarks?
is this becoming the latest way to attack an idea? instead of engaging with the actual content you just claim it is AI and therefore it can be ignored? seems disingenuous to say the least.
Overuse of rule of three, cliches like "This was not X. It was Y." and similar, obligatory bulleted list, overall overly grandiose. None of these are a smoking gun, but the smell is definitely here. AI detection tools also confirm my suspicions. I don't have a horse in the race in regards to the content, since I'm not a Ruby developer, I would just prefer to not see AI-written comments on HN. If this is so important, you can take the time to type it out yourself.
em dashes disguised as hyphens as well.
It's not an attack on an idea.
It's pointing out that the person who posted something couldn't be bothered to actually write it themselves. The "content" is the prompt, which is of course never shared because it's probably so trite that it's not going to get anyone's interest unless it's stochastically decompressed into a large amount of text.
Like the sibling commenter, I do not write Ruby and do not care about this conflict apart from a general interest in supply chain stuff. I'm merely tired of the constant encroachment of obvious LLM prose in HN submissions and (albeit less commonly) in comments.
[flagged]
I don't think posts like this: an off-topic reply to a post where the same off-topic topic has already been killed, will have the effect you want it to have.
Unless that effect is to make yourself more angry and to have your comments downvoted in order to feel more righteous and to justify your behavior... but otherwise this won't change anything.
Please do write a blog post about it, and feel free to share it on HN.
> Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.
Is there any evidence of this? It's not in the PDF.
Also, this comment is clearly AI and more importantly, it affects the quality. Ex: "It's time we demand that the institutions claiming to represent us act accordingly." It seems "the institutions" have been representing them fine until now, why "it's time"? "This was not a misunderstanding. It was a hostile takeover"..."This was a hostile takeover" (or "is", it's still ongoing). "The recent actions taken by Ruby Central - [list]...Ruby Central's actions - [different list]"...the comment tries to explain what Ruby Central has done and what the maintainers demand, but it's vague and disorganized; the linked PDF is better.
Could someone with more insight as to the decision-making at Ruby Central weigh in on what's going on here? Between this and drama with the conferences over the years I'm just confused. They've been busy launching podcasts and doing fundraising, email campaigns and all that. Has there been a change in leadership?
Yes, they recently hired a new Executive Director.
Links:
https://rubycentral.org/news/reflections-on-railsconf-2025-f...
https://www.linkedin.com/in/shancureton
Someone with absolutely no technical background, a recipe for disaster.
Rhiannon worked with Ruby Central for a bit, left a few weeks ago, and just shared this: https://bsky.app/profile/rhiannon.io/post/3lz6zcflg2s26
Oh wow. I'm absolutely alarmed after reading that. To be honest, I had been wondering if some of the PR disasters this year could be laid on Rhiannon's shoulders, but it sounds like the rot is coming from the top.
Post not found, what did it say?
Interesting. It worked a few hours ago. Sorry, I didn't make a copy of the text.
Opposed to hiring someone with a technical background but no experience running a non-profit?
It's easier to learn to run a non-profit coming from a technical management background than it is for an MBA to learn to be an engineer.
As opposed to someone with experience with both?
I mean, that would be awesome. Got someone in mind?
Non sequitur. False dichotomy.
looking at that CV, I have zero doubt that this will be a subscription service in 5 years time
Yikes! At least they'll have someone "results-driven, client-focused," and "driving stakeholder engagement", because that's really what a software repository needs.
> Going in, I had heard there was something magical about the Ruby community, but I didn’t yet understand what that meant.
... so I decided to destroy it, because I cannot abide things I do not understand.
[flagged]
I'm still not clear about why they dropped RailsConf. I assume the biggest sponsors threw their weight behind Rails World?
At Shopify I was the person who first proposed that we needed to stump up $$$ for RubyGems (and only by implication Ruby Central).
This is not what I had in mind and now I'm embarrassed that I helped make it possible.
Sounds like Shopify has some leverage then to open a line of comms with Ruby Central. "Explain yourselves or we will pull funding"
Ruby Central really need to come out and explain what they are doing here.
At the least this looks like a very destructive and poorly communicated move.
I took comfort in the fact that the ruby community seemed miraculously immune from these petty disputes and takeovers from the benevolent entity running the service. Seems like that’s not the case anymore :(
Sorry for all the maintainers, that must suck.
I miss the days of "we're nice because matz is nice"
I've been a ruby user for almost 15 years. I've been to several RubyConfs in that time. I have never found that to be true. It's a thin veneer over rampant toxicity and political extremism. Many of the evangelists in the Ruby community garnered a horrible reputation outside of Ruby, then migrated to insular social media applications which no one uses, causing the slow and persistent decline in the popularity of the language.
Although I haven't been in the ruby community as long as you, I have been to two RubyConfs. I didn't notice any overt toxicity or political extremism when I went but I'd be interested to hear more about your experience if you don't mind sharing?
Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?
I think the missing piece here is that almost every person publicly involved with RubyGems’ development has left the project in recent weeks. I don’t have any special insight here, but from an outsider’s perspective it seems as though Ruby Central is trying to turn a former “host” relationship into a “control” relationship.
I think you're right, but I suspect the root here is one of legal liability - if rubycentral is operating as a nonprofit that hosts _a recurring attack vector on other companies_, they'll have legal obligations to secure that service against those attacks. I assume they are continuously deploying out of that repository, and took the simplest route to controlling the attack vectors?
I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here).
(I'm mostly thinking in terms of supply-chain attacks, like this one: https://blog.rubygems.org/2025/08/25/rubygems-security-respo...)
That would be a pretty broad assumption of liability: I'm not very involved in Ruby but I am involved in Python packaging, and to my knowledge there's been no similar discussion around the PSF's keys-to-the-code control over PyPI (which is in a similar position in terms of supply chain attack vectors).
In other words: that argument is interesting, but it feels strained to me :-) -- I don't think RubyGems or Ruby Central is actually legally liable in this way (or if they are, it suggests a failure of clarity in their EULA/TOS).
Well.. "legal liability" is kind of a complex topic. Usually what really matters isn't "what the courts will actually determine if such a case is brought" it's "how much will it cost to prove that lack of liability, and what is the risk that we are wrong?". I also don't believe that such an organization is liable for anything beyond negligence, but whether the lack of an action constitutes negligence is .. well, one can rarely be totally confident in the outcome of that kind of proceeding.
The (mostly PR) explanation they produced seems to express roughly the same thing I was guessing though: https://rubycentral.org/news/strengthening-the-stewardship-o...
there is no contract to assign liability
and I doubt you could ever get negligence to stick, given you are downloading code from some website and running it, on your own accord, entirely unprompted
(but IANAL)
Who? Everyone I recognize is continuing to contribute. https://github.com/rubygems/rubygems/graphs/contributors?fro...
Your comment reminds me of this video: https://youtu.be/R3gef1Wn9BE
Looks like Homebrew are mediating in some capacity: https://bsky.app/profile/mikemcquaid.com/post/3lz6pkabzwk2o
Not Homebrew, yes me. Just trying to mediate and meeting with as many people on both sides (past and present) as possible.
Why is homebrew involved in this?
Homebrew is one of the most developer-visible Ruby projects around.
It's not. The lead maintainer of Homebrew (Mike McQuaid) is helping to mediate the conversation between the parties, per his own post.
Has nothing specifically to do with Homebrew.
There's a Q&A to sign-up to next Tuesday here (https://us06web.zoom.us/meeting/register/auIbrbS9RSS7Eukzj7b...).
I can already see the future:
The Rails Foundation will start its own central gem registry and set of forked tools.
Then, RailsCentral will lose its sponsors and fade into irrelevance.
Nevermind, this tweet (mostly) disproves my prediction:
https://x.com/dhh/status/1969051000867610709
So Ruby Central did a hostile takeover of RubyGems enterprise account in GH. Wow
For those like me who are not Ruby users/devs, it might be good to explain who exactly Ruby Central is? I assumed they were analogous to Python Soft Foundation or Linux Foundation etc. as the entity of maintainers/owners/whatever of Ruby.
But it seems that they have nothing to do with the ruby-lang.org site where the Ruby binaries itself are distributed. Instead, their own site appears to primarily list them as responsible for organizing an annual conference?
And who owned the RubyGems infrastructure before this takeover? The website (and domain that the client actually calls to get the gems, presumably) seem to have already been part of Ruby Central, so what exactly changed here ownership wise, beyond just kicking the maintainers?
(unrelated -- seeing a mention of DHH here reminded me that I haven't seen anything of the Matt/WP drama in a long time on HN -- time to go Google whatever the resolution of that was)
Until a few years ago, RubyCentral was very similar to the Python Software Foundation in that it managed all the infrastructure and the main conferences - everything except language development.
A few years ago, RubyCentral lost power when the Rails Foundation was created (most of the Ruby world revolves around Rails). The Rails Foundation organizes its own yearly conference, and RubyCentral stopped hosting theirs.
However, RubyCentral still controls the package management tools and the package registry.
Ruby Central's 'our team' fills me with over-corporate dread. "Organizational Compliance Advisor"? Egads.
https://rubycentral.org/about/
Welp, so there goes another ecosystem I considered exploring.
What almost surprises me the most, is that such a mature ecosystem still doesn't have a formalized governance structure after all this time. How common is this among large and widely-used open source projects?
Problem with package managers are they are quite expensive to run, so hard to manage in an otherwise open source ecosystem. There was some controversy around NPM before the GitHub acquisition https://www.businessinsider.com/npm-cofounder-laurie-voss-re..., which I guess is the exact problem a non-profit such as RubyCentral tried to solve.
I would think GitHub would be quite well-positioned to set up infrastructure around a fork of RubyGems if things fall apart.
I don't understand yet how that relates to formalizing your decision structures as a group.
I'm sure NPM as a company has some form of decision hierarchy and RubyCentral does as well, but it seems like Ruby Gems doesn't (or didn't). I learned the hard way that writing this down is one of the first things you should do in any kind of group formation process.
I get that organically grown tech projects don't have that from the start (and that they might not immediately recognize that they're a group at all), but I'd reckoned that an organization of the size of Ruby Gems, with such an importance, would have taken care of that a while ago and I think it's quite irresponsible that they didn't.
See also https://bsky.app/profile/duckinator.bsky.social/post/3lz6exz...
Hasn't Ruby Central always 'owned' RubyGems.org, Bundler, and all related infra?
Removing existing maintainers from the project isn't good - and hopefully it's a temporary oversight as Ruby Central gets things set up in the new org. Either bad communication from Ruby Central - or they really did make a bad mistake here (maybe even with the best intentions, given recent NPM issues).
Edit: It seems like there's a lot more to the story here. Many volunteer RubyGems/Bundler maintainers have left because they disagree with decisions that Ruby Central (the nonprofit organization) has made and it seems like all of this is fallout related to that.
See also: https://andre.arko.net/2025/09/19/goodbye-rubygems/
Jesus, this is the absolute antithesis of MINASWAN.
https://en.wiktionary.org/wiki/MINASWAN
You'll never see anyone writing an acronym of DHHIN...
Copy-pasted below for posterity in case it goes down because I think this is a huge deal:
## Ruby Central’s Attack on RubyGems
Hi! I’m Ellen, but you probably know me as duckinator or puppy.
I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.
I have been part of the Ruby community since I was 13, and one of the RubyGems maintainers for the last decade.
This community has helped me through very hard times, and you mean the world to me.
One of the most important lessons I learned from y’all is this:
> A person’s character is determined not only by their actions,
> but also the actions they stay silent while witnessing.
## This Month Has Been A Fuck Of A Year
This is what unfolded between September 9 2025 and September 19 2025, as I understand it.
On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
renamed the “RubyGems” GitHub enterprise to “Ruby Central”, added non-maintainer Marty Haught of Ruby Central, and removed every other maintainer of the RubyGems project.
He refused to revert these changes, saying he would need permission from Marty to do so.
On September 15th, this maintainer said he restored the previous permissions after talking with Marty. Marty stated the deletion was a “mistake” and “should never have happened”.
The “restoration” kept a notable change: Marty was now an owner of the GitHub enterprise.
The RubyGems team responded by immediately beginning to put in place an overdue official governance policy, inspired by Homebrew’s.
On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.
By doing this, he took control for himself and other full-time employees of Ruby Central.
Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org
I will not mince words here: This was a hostile takeover.
## My Stance On This
I consider Ruby Central’s behavior a threat to the Ruby community as a whole.
The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.
When called out, these changes were mostly reverted. Then, it was done again.
By crossing that line a second time after being called out for it, Ruby Central has made it extremely clear to me that they are not engaging in good faith.
Ruby Central’s behavior has forced my hand. I refuse to watch this without speaking up.
I am resigning from my position at Ruby Central, effective immediately.
To remove any doubt: Ruby Central unilaterally, with no explanation, revoked all access to RubyGems against both my wishes and the wishes of the entire RubyGems team.
Ellen Dash (@duckinator)
September 19, 2025
https://web.archive.org/web/20250919130055/https://pup-e.com...
sus, inb4 rugpull/verification can
[dead]
[flagged]
The only people who believe the world isn’t on fire are the ones with the matches
The American Ruby community...
They tried to cancel Matz for not supporting weird DEI corporate speak in the TOS, they've been trying to cancel DHH for years for his mild conservative lean.
There's also a weird contingent who keep trying to push stuff like TypeScript for Rails and typing for Ruby, at one point they wanted to fork Rails when DHH made Hotwire default (they wanted React), etc..
Outside the weird US corporate bubble, Ruby is doing just fine. Japan, Europe, Canada, etc... Rails World gets bigger and bigger, Ruby Kaigi is growing, etc...
> mild conservative lean
you're whitewashing that he's racist
Do you have a source for this?
Also, do you watch his podcast? His host (who's literally also one of his employees) is a black woman. Not proof he's not racist, but suggests probably not.
Unless you just assume anyone to the right of you equals racist, which lots of leftists do. Which is one of many reasons why the global right is rising...
Is he? I use Ruby and Rails, but I don't pay much attention to DHH so this is news to me. Would you mind pointing me to a source for this?
I love seeing where Ruby Kaigi is going. Do you happen to have a link regarding a cancel against Matz? I'm often heads down and am genuinely curious to know more.
https://github.com/ruby/www.ruby-lang.org/pull/2690
This was the original issue.
https://news.ycombinator.com/item?id=28712821
HN thread. Plus lots of Twitter nonsense at the time.
The heat's died down now that COVID is over, changing politics worldwide, etc...
A very biased take to be sure. Who is the "they" you are referring to? Who is "the American Ruby community"? Sounds like a thinly-veiled attack on "leftists".
I know plenty of Rubyists in Europe who these days find DHH as a person to be completely odious, not to mention a maintainer in violation of CoC.
> mention a maintainer in violation of CoC.
Is he a Ruby maintainer? First I've heard of this...
> know plenty of Rubyists in Europe who these days find DHH as a person to be completely odious
Different circles I guess. I live in Europe half the year and most of the Europeans I know are way more right wing than DHH...
IMHO he violated the CoC of the Turbo project. FWIW, I'm by no means a TypeScript guy so I was even sympathetic to his general ideas on that topic. But his handling of it was terrible.
[flagged]
[flagged]
[flagged]
Look I don't even know what sides the various actors in this spat would see themselves on so don't consider what I'm about to say as an endorsement of their beliefs because I don't know what they are.
That being said the freedom of (non-)association is one of the few non-violent means to signal your disapproval of someone else in a way that actually matters. The fact that folks are insulated from the consequences of their actions I think is a big part of how we got here. People spew hateful nonsense and sling accusations at each other that in person would get their teeth knocked out. Refusing to work with or collaborate with someone you consider to be distasteful is pretty mild and not terribly unreasonable even if it makes things awkward.
I can't exactly blame someone for acting on their conscience even if I don't like it. Working with someone who you are at odds with despite your differences I consider praiseworthy but obligatory.
I know it's against the content policy on HN but I really wish I could reply with that gif from Veep where she's nervously laughing while mouthing "what the fuck".
Seriously... wtf.