Dash said that Shibata refused to revert the changes unless Haught gave permission to do so. Drapper’s report indicates that Haught met with some of the maintainers on Zoom and explained that he had been working on operational planning. He was putting together an agreement that operators of the RubyGems.org service would be required to sign. Shibata had jumped the gun.
To date, Haught has not replied to the discussion again. That day, Dash said, Haught once again “revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams” with no explanation. She added that Ruby Central refused to restore GitHub permissions and also revoked access to the bundler and rubygems-update gems on RubyGems.org. “I will not mince words here: This was a hostile takeover.” (Emphasis in the original.)
Emde said Haught had claimed the original changes were a mistake, “but then broke that truce in the middle of formalizing a clearer governance”. He also said that Haught did not believe Ruby Central was right to take the repositories. “He knows that they were taken from us unfairly.”
Valerie Woolard, president of Ruby Central’s board, said that the changes were “part of an effort to harden our supply chain security posture and will be followed by discussions as how to develop a sustainable governance model going forward”. She also referred people to a post by Ruby Central called “Strengthening the Stewardship of RubyGems and Bundler”. It said, in part:
According to Drapper’s timeline, the on-call rotation mentioned in the post was provided by Shopify employees.
Ruby Central promised a community Q&A session with Haught, members of the Ruby Central board, and its executive director, Shan Cureton, on September 23. The post was updated on September 25 to say the Q&A had been postponed because it was scheduled “on a major holiday in addition to it being an inconvenient time for our global community”, it being the start of Rosh Hashanah.
Ruby Central apparently formed such a committee in August 2023, but did not announce it until November 2024. None of the RubyGems or Bundler contributors or Ruby Central’s “Open Source Team” were involved in this committee, except Haught. A blog post promised that Ruby Central would “discuss the details of how the committee works” in the future. If a post explaining the committee and its work was ever published, I cannot find it.
Before the takeover, the development of these projects carried on as it had for years: some paid work was funded by a nonprofit, but most of it was still done on a volunteer basis and governed by lightweight contributor policies. See the RubyGems POLICIES.md and Bundler POLICIES.md for more. The policies are not as comprehensive as one might hope, but they were in place, and maintainers had every reason to believe that they would be followed.
The claim that this was urgently necessary due to supply-chain issues has also been questioned. The prevailing counter-theory seems to be that Ruby Central moved when and how it did due to funding problems and influence from a major sponsor: Shopify.
Ruby Central had recently dealt with what it called supply-chain issues. In August, an application-security company, Socket, published its research on what it called “a long-running supply chain attack in the RubyGems ecosystem”.
Since March 2023, a threat actor had published dozens of malicious gems that were advertised as automation tools for Instagram, Telegram, TikTok, WordPress, and others. While the gems did provide the promised functionality, they also sent user credentials to “threat-actor controlled infrastructure”.
Before the pandemic, Haught said, Ruby Central had made a lot of its money from conferences, “and so that funded all this work previously” but that was no longer the case. “So now the open-source program has to figure out how to fund itself”. That had prompted Ruby Central to spin up a corporate sponsorship program in 2024.
Note that a large percentage of Ruby Central’s budget would be allocated to salaries for Haught and Cureton. Both were hired after the 2023 tax year, which is the last filing publicly available; however, the executive director position was advertised with a range between $120,000 and $150,000. Emde speculated that Haught would have a higher salary than Cureton, but he was unsure.
The purpose here is not to get deeply into those controversies, but to acknowledge the fact that Hansson has publicly and regularly taken positions on topics outside of Ruby that alienate quite a few people. That, in turn, put Ruby Central in a bit of a bind; some people (and sponsors) would be upset if Hansson was at RailsConf, others would be upset if he was not. There was no option that would please everyone, so it was a matter of choosing who to upset.
The first time around, Ruby Central chose to distance itself from Hansson. This year, it chose to give him the stage, and that cost the organization a significant chunk of its $1.4 million budget. Many people have also taken note of the fact that Hansson joined the Shopify board of directors last year.
Drapper said that he was told by “an anonymous source” that Ruby Central was presented with a long-term funding proposal at the Rails World 2025 conference, held September 4 through September 5, “but this would only happen if certain RubyGems maintainers were removed”. Dash said that the maintainer to be removed was Arko. Drapper also claims that “Shopify specifically put immense financial pressure on Ruby Central to take full control of the RubyGems GitHub organisation and Ruby gems”.
Ruby Central published an update on September 30, signed by Cureton, that apologized for the confusion caused by failing to communicate “earlier and in more detail”. It denied that what had happened constituted a takeover and said: “We accept responsibility for how our initial communications created the impression of sponsor-driven action.”
Cureton denied that sponsors had directed Ruby Central’s actions. “The Board acted independently, and financial support was NOT conditioned on taking these steps.” It said that the organization would publish regular updates on Fridays, with an update on the status of the repositories “soon”. A brief weekly update was published on October 3; it noted that “discovery work related to supply-chain security and governance concerns” was ongoing and would be shared “as soon as we’re able”.
Ruby Central’s post casts Arko in a sinister light but concludes that there was no evidence that the “security incident” actually compromised anything.
Ruby Central published another update on October 10. This included an email from Haught on September 18 that informed Arko that Ruby Central was “pausing” on-call rotations and directed him to send a pro-rated invoice. It said that there had been no live Q&A “yet” due to a risk of “spreading incomplete information” and excluding contributors who could not participate in real time.
Additionally, it said that a lawyer had sent Ruby Central a cease-and-desist letter on Arko’s behalf with a claim that he owns the Bundler trademark, “along with various other demands”. Cureton said that Ruby Central did not expect to make further public comments until those issues were resolved.
The pass-off that Arko is referring to is the announcement on October 17 by Ruby creator Yukihiro Matsumoto (a.k.a. “Matz”) that the core Ruby team will be assuming stewardship of RubyGems and Bundler. The repository ownership will change in order “to ensure long-term stability and alignment with the broader Ruby ecosystem”.
Since there is little indication that Ruby Central is going to reverse course, it seemed inevitable that there would be a fork or alternative effort from the community. That happened in early October when Martin Emde announced gem.coop. The goal for that project is to, eventually, be a new server for the gems ecosystem.
There has been no public activity in the gem.coop code repository since October 12. Arko told me that this is due to a focus on finishing the project’s governance. “Once project leadership is elected, we expect to resume work on gem server features.”
In September, a group of long-time maintainers of Ruby packaging tools projects had their GitHub privileges revoked by nonprofit corporation Ruby Central in what many people are calling a hostile takeover. Ruby Central and its board members have issued several public statements that have, so far, failed to satisfy many in the Ruby community. In response, some of the former contributors to RubyGems are working on an alternative service called gem.coop. On October 17, ownership of the RubyGems and Bundler repositories was handed over to the Ruby core team, even though those projects had never been part of core Ruby previously. The takeover and subsequent events have raised a number of questions in the Ruby community.
Ruby Central is a nonprofit that was formed by David Alan Black and Chad Fowler in 2001 to organize events for the Ruby community. It soon began supporting other initiatives, such as RubyForge, which shut down in 2014, and has helped pay for RubyGems.org hosting since its inception. However, Ruby Central has always been primarily an organization to put on conferences—it has not been actively involved in maintenance or operations until its merger with Ruby Together. The work to maintain and operate RubyGems.org, the Ruby community’s hosting service for Ruby gem packages, has been undertaken primarily by volunteers for most of its existence. LWN covered this in more detail in the article “A brief history of RubyGems.org”.
Development of RubyGems, Bundler, and software for RubyGems.org has been maintained in repositories under the RubyGems GitHub organization for many years. Organizations are used to manage shared accounts for multiple repositories; organization administrators can configure the roles and permissions granted to users for one or more repositories under the organization. Note that GitHub roles are only visible to members of an organization with push access to a repository; it is not possible to verify a person’s role in a repository without that access, which makes it impossible for outsiders to audit these changes.