A board member's perspective of the RubyGems controversy

(apiguy.substack.com)

104 points | by Qwuke 3 days ago

172 comments

  • sc68cal 2 days ago

    This story is missing any context around what occurred. The only thing I was able to find was by searching, and I came to this PDF statement.

    https://pup-e.com/goodbye-rubygems.pdf

    > On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

    > renamed the “RubyGems” GitHub enterprise to “Ruby Central”,

    > added non-maintainer Marty Haught of Ruby Central, and

    > removed every other maintainer of the RubyGems project.

    > On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams

    Which is important context that was left out of this board member's statement.

    • x0x0 2 days ago

      How you can tell this is all lies from the board is simple:

      > How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

      The first thing is they didn't tell them. The second bit is simple:

      "Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."

      That email takes 10 minutes to write and send.

      • bigiain 2 days ago

        There's a bunch of red flags here. The author of the article is desperately trying to sound like part of the Ruby developer community, not some corporate type power player trying to maximise profits and their own bonus...

        In the linked post the author claims to be just some grateful Ruby developer volunteering their time to mundane bookkeeping tasks for an organisation they feel led to support, describing themselves with:

        -----------------------------------------------------------------

        When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.

        20 years later, and here I am, a reasonably successful person who's built a career out of building software.

        -----------------------------------------------------------------

        Yet the Ruby Central website describes them like this:

        -----------------------------------------------------------------

        Freedom Dumlao is a seasoned technology executive with experience at leading companies like Vestmark, Flexcar, Zipcar, Wayfair, and Amazon. Currently the CTO of Vestmark, Freedom brings strategic insights that will help drive Ruby Central’s efforts to expand the Ruby ecosystem and build stronger connections with top companies and startups.

        -----------------------------------------------------------------

        The post appears to be signed as "MINASWAN", a well-known pseudonym for Yukihiro Matsumoto, the chief designer of the Ruby programming language. Hard to imagine a scenario where that was accidental and not an attempt to manipulate readers into assuming Yukihiro has something to do with writing the post.

        It's posted to a Substack launched 1 day ago. With the username/subdomain "apiguy" - suspiciously not 'ctoguy' or 'seasonedtechnologyguy'.

        I place pretty close to zero respect for the OP's position, compared to well known names in the decade-long Ruby Gems committer community.

        • gus_massa 2 days ago

          > The post appears to be signed as "MINASWAN", a well-known pseudonym for Yukihiro Matsumoto, the chief designer of the Ruby programming language.

          From https://en.m.wiktionary.org/wiki/MINASWAN

          > Initialism of Matz is nice and so we are nice: a motto of the Ruby programming language community, in reference to the demeanor of Yukihiro Matsumoto (nicknamed Matz) [...].

        • cratermoon 2 days ago

          Oh yeah, 100% corporate speak damage control attempt.

      • gorbachev 2 days ago

        100%

        Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.

        • JoshTriplett 2 days ago

          > Reasonable people would've accepted that fine.

          No, reasonable people would not have accepted "we're unilaterally deciding to lock you out with no advance notice, over something we could and should have been discussing for many months or years, but instead screwed up so badly that we're doing it ten minutes from now".

        • x0x0 2 days ago

          Exactly.

          And communicating [situation], [action(s)], [how this affects you] is one of the most basic professional communication skills you could imagine.

      • gus_massa 2 days ago

        99% agree, but it's a very sensitive topic and I'd take like an hour to polish it.

    • jmcgough 2 days ago

      I found this helpful in explaining what's happened: https://www.theregister.com/2025/09/22/ruby_central_rubygems...

      Sounds like they made some really big changes and put zero effort into communicating to people who've spent 10+ years working on the project.

      • fwip 2 days ago

        Thanks - that was helpful indeed. From there, I also found the linked post by Tekin Süleyman ( https://tekin.co.uk/2025/09/the-ruby-community-has-a-dhh-pro... ) to be informative.

        • McGlockenshire 2 days ago

          Wow! When that one DHH blog went around the other day, I didn't actually pay attention to who the author was. All I saw was yet another bigoted rant and just skimmed it and rolled my eyes. (e: here it is to save people the effort: https://world.hey.com/dhh/as-i-remember-london-e7d38e64 )

          I should not have skimmed it. From your link:

          > In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.

          > To all of that he adds a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the US Tea Party, and Tommy Robinson himself.

          This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.

          edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:

          > Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.

          Well, if that doesn't speak volumes as to DHH's values, I don't know what does.

          • kgwgk 2 days ago

            > To all of that he adds a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report

            Were independent inquiries also repeating weaponised tropes from long since discredited reports?

            “By far the majority of perpetrators were described as 'Asian' by victims, yet throughout the entire period, councillors did not engage directly with the Pakistani-heritage community to discuss how best they could jointly address the issue. Some councillors seemed to think it was a one-off problem, which they hoped would go away. Several staff described their nervousness about identifying the ethnic origins of perpetrators for fear of being thought racist; others remembered clear direction from their managers not to do so.”

            https://www.rotherham.gov.uk/downloads/file/279/independent-...

            • pjc50 2 days ago

              https://www.telegraph.co.uk/news/2025/07/29/officer-raped-ro...

              The ultimate problems lie in the police: they are generally terrible at handling rape cases, and in this case there are claims that they were actively complicit in some of the rapes.

              Using the actions of some members of an ethnic minority to justify .. well, any action against people who were not actually personally involved, is textbook discrimination.

          • vr46 2 days ago

            OMFG

            This post is full of outright nonsense. I was in Central London last Saturday and watched a lot of it go down, before heading to Islington and then catching the last dregs of the crowd nearer Euston and chatting in the pub with some of them.

            As a "native Brit" and "native Londoner" that DHH wouldn't recognise as such, he can absolutely do one.

          • cratermoon 2 days ago

            He makes his position clear enough in the second paragraph, for those who know how to read between the lines. "London is no longer the city I was infatuated with in the late '90s and early 2000s. Chiefly because it's no longer full of native Brits."

          • ethagnawl 2 days ago

            ... and this is the guy whose Linux "distro" Cloudflare has just announced funding for.

            • aquariusDue a day ago

              Yeah, it was funny the first time a YouTuber[0] did something like that but now I feel like the joke got out of hand a bit, I blame the uptrend of opinionated configs to turn code editors into bona fide IDEs[1][2][3] for this.

              Welp, looking forward to the holy wars between people running different influencers' configs five years from now. Who knows, maybe we'll see premium versions of those too.

              [0] DistroTube which maintains DTOS, https://distro.tube/dtos/

              [1] LunarVim

              [2] AstroVim

              [3] Doom Emacs

            • bigiain 2 days ago

              Not all _that_ surprising. From where I see things, pretty much every time you see "Cloudflare" and "free speech" in the same sentence, it always ends up being about Cloudflare supporting free speech for nazis or white supremacists. DHH's racist and xenophobic views are totally on-brand for them.

          • scuff3d 2 days ago

            2025 has been wild but DHH outing himself as a crazy racist was definitely not something I was expecting...

            • simianparrot 2 days ago

              If he’s a crazy racist, what would you call an actual racist?

              • scuff3d 2 days ago

                The venn diagram of actual racists and crazy racists is a circle.

                • simianparrot 2 days ago

                  So if I understand correctly, people want a state for the Palestinian people. But they do not accept that people want a state for the Danish people.

                  Is that it?

                  • scuff3d a day ago

                    This comment is so off the rails I'm not going to bother responding to it, but it does make me think about why political discourse is so deeply broken today.

                    When someone lives this far into an alternate reality it leaves basically no room for discussion. The amount of work that has to be done just to get everyone back to some relative place of sanity is damn near insurmountable. It leaves no time or energy left to have an actual discussion.

                  • maleldil a day ago

                    "People" have differing opinions, but the one I mostly see from the left is that they want Palestinians to live in the land they owned before Israeli colonisers invaded it and forced them to relocate to subhuman conditions. What I haven't seen is the desire to expel the Israelis currently living there, as long as they agree to let the Palestinians lead a decent life.

                    • kgwgk a day ago

                      You have never seen the slogan “from the river to the sea”?

                      https://harvardharrispoll.com/wp-content/uploads/2023/12/HHP...

                      Do you think that the long-term answer to the Israel-Palestinian dispute is for Arab states to absorb the Palestinians, for there to be two states, Israel and Palestine, or for Israel to be ended and given to Hamas and the Palestinians?

                      51% in the 18-24 group chose the third option.

                      • maleldil 12 hours ago

                        When the Israeli government says it, they mean removing or exterminating all Palestinians on "their" land. When Palestinians and their allies say it, they mean they want to live in their land without fearing for their lives.

                        • kgwgk 10 hours ago

                          Not sure what land is “their” land in the first sentence but there are as many Palestinian citizens of Israel as there are Palestinians living in Gaza - and I don’t think the former fear much more for their lives than other citizens of Israel.

                          Maybe you don’t think that most college-age people in the US - who according to that survey would like Israel to be ended and given to Hamas and the Palestinians rather than see a two-state solution - are allies of Palestinians but surely they are not allies of Israel.

                  • pjc50 2 days ago

                    Ethnostates are a terrible idea regardless of whose ethnicity we're talking about, because they can only be maintained by violence.

                    The state of Palestine is an answer to the question of "what nationality do the residents of Gaza and the West Bank have?"

            • rezonant 2 days ago

              Oh this sort of thing is far from new for DHH, there's long been a desire to oust him from Rails or fork it, but it's never quite come to fruition, and unless Shopify were to back it, it is unlikely it would survive :-\

              • scuff3d a day ago

                I guess I wasn't aware since I'm not really involved in the Ruby community. I always knew he was kind of an oddball from a few of his posts I've seen and podcasts I've heard him on. Never would have guessed it was this bad.

                Until now I thought his craziest idea was that dynamic typing is better than static typing. (Just a joke, not trying to start a war over dynamic vs static lol)

                • rezonant a day ago

                  To be fair it is an objectively crazy idea that dynamic typing is better than static typing (I'll start the war, it's fine).

                  • scuff3d 21 hours ago

                    Lol. I assumed a Ruby person would prefer dynamic typing and I didn't want to insult you.

                    But yeah I agree. Given the opportunity I'm almost always going to go for a statically typed language.

          • simianparrot 2 days ago

            As a fellow Scandinavian, DHH is just writing what the vast majority of us think. And it isn’t racist. That word is being misused until it soon has no value left; you sure you want that?

            • ellen364 2 days ago

              I've been thinking about whether "$some_country rape gangs" seems racist to me. I've come down on "yes".

              The reason might seem odd. But it occurred to me that if you want to use immigration to reduce crime, including rape, the obvious solution is to ban all male immigration.

              That shocked me because it seems so wildly discriminatory. Yes, most violent crimes are committed by men. But very few men commit violent crimes. Banning male immigration would punish a large group for the appalling actions of a few. Making it about "$some_country's men" doesn't seem a whole lot better. It's still unjust to punish someone for someone else's crime.

              If anyone is curious about the exercise, I recommend trying it. It was disconcerting to sit with the idea of banning male immigration, really seriously consider it and realise how viscerally shocked I was by the idea.

              Edit: for context, in the UK right now, phrases like "rape gangs" are part of the debate/argument about immigration.

              • Dr_Incelheimer 2 days ago

                Your solution of banning male immigration makes perfect sense to me. Maybe not ban it entirely but at least ensure a 1-1 ratio of men to women (male surplus has a tendency to turn countries into shitholes).

                Disallowing someone from immigrating is not a punishment because there is no right to immigration anyway. In fact I believe we should go even further and see immigrants as investments. If the immigrant is unlikely to have a net positive tax contribution (or at least not being a rapist, for a more realistic target), I don't see any reason to allow him or her to be here. If you accept this idea, there is nothing wrong with training a neural network on characteristics of existing immigrants to predict the future value of a particular potential immigrant.

              • simianparrot 2 days ago

                The Grooming Gangs feature a lot of nationalities, but some more than others.

                There's nothing racist about the facts. How one responds to it can indeed be racist -- ie. "all people of one of said nationalities are like these ones" would be racist. But observing that a nationality of immigrants are vastly overrepresented is just using your eyes to observe reality.

            • fredrikholm 2 days ago

              I'm happy to say that ~80% of Sweden and Norway don't vote for right wing populist parties like SD and Fremskrittspartiet, so "vast majority of us" might be a bit of a stretch.

              • simianparrot 2 days ago

                That's a misrepresentation of statistics though. FRP is the second largest party this election, with 23,8% of votes, only second to AP who got 28%. But many people won't vote based on the immigration issues, because so far, other issues are more pressing.

                But my point was that I am absolutely sure the majority of Norwegians _want Norway to remain a country that retains its cultural history_ while not being exclusive to one ethnic group. It's about retaining a majority.

                I don't understand why that sentiment is so problematic here on HN, because simultaneously people are clamoring for a Palestinian state for the Palestinian people.

                Why can't Norway have a Norwegian state for the Norwegian people? Or Denmark? Or the UK?

                • fredrikholm a day ago

                  > That's a misrepresentation of statistics though.

                  I can't speak for Norway, but in Sweden the only party worth keeping an eye on that adheres to the usual combination of pro-Russia, anti-abortion, anti-immigrant, anti-EU rhetoric etc is Sverigedemokraterna (formerly Bevara Sverige Svenskt, a party based solely on the idea of an ethnostate). They're hovering around 20%.

                  > But my point was that I am absolutely sure the majority of Norwegians _want Norway to remain a country that retains its cultural history_ while not being exclusive to one ethnic group. It's about retaining a majority.

                  Is the existence of history dependent on the ethnicity of the person reading it? I'm sure you've met non-native people who are in all other respects very much Norwegian.

                  Unless you mean to imply that culture is constrained to genetics. I deeply hope that that is not what you meant.

                  > I don't understand why that sentiment is so problematic here on HN, because simultaneously people are clamoring for a Palestinian state for the Palestinian people.

                  How many Norwegian cities were leveled by bombs this year? How many were murdered by foreign military?

                  > Why can't Norway have a Norwegian state for the Norwegian people? Or Denmark? Or the UK?

                  They do. Here:

                  https://en.wikipedia.org/wiki/Norway https://en.wikipedia.org/wiki/Denmark https://en.wikipedia.org/wiki/UK

                  All fully functioning sovereign states, all internationally recognized by their peers and enemies alike.

                • thevillagechief 7 hours ago

                  Frankly, I might be sympathetic to this view, except for a few countries: The US, the UK, France, Belgium and maybe a few others. The US is a country of immigrants, so none of that cultural history nonsense holds, except maybe for the Native Americans. As for France and the UK, yeah no one told them to go colonize a bunch of countries around the world and impose their culture on them. They don't get to complain about retaining their cultural history. Belgium doesn't get to complain either after the atrocities they committed in Central Africa.

              • 2 days ago
                [deleted]
            • BoredPositron 2 days ago

              What's the right use for the word and the value of it in your mind? You are commenting in circles in this thread and you could clarify it easily.

            • em-bee a day ago

              it is xenophobia. rather widespread in europe unfortunately. xenophobia is not necessarily racism, but it is closely linked.

              • simianparrot a day ago

                No it's not. Stop diluting terms. You're making this problem worse for everyone, even the people you think you're on the side of, whoever they might be.

            • watwut 2 days ago

              The word racism is not diluted. It is just that some full-on racists feel like it says something negative and thus don't want the label put on racist stuff they like.

              • simianparrot 2 days ago

                So do you consider what the Danish PM said racist?

                > There are really a lot of us Danes who believed that when people came to this ‘world’s best country’ and were given such good opportunities, they would integrate. They would become Danish, and they would never, ever harm our society. All of us who thought that way have been wrong.

                That's objectively observed reality in Denmark. And in Scandinavia in general. It's not about race, it's not about skin color, it's about cultural heritage and values.

                All we're saying is that to retain a country's cultural heritage and carry it -- and obviously shape it -- into the future, you have to retain a majority of that heritage, and integrate newcomers. Otherwise it's no longer Denmark.

                • em-bee a day ago

                  They would become Danish

                  you have to retain a majority of that heritage, and integrate newcomers. Otherwise it's no longer Denmark.

                  what you are asking is not possible without rejecting immigration.

                  that is the delusion. it is the same all over europe. people expect 100% integration. yet at the same time, prejudices will reject them if they are not completely invisible. that is not possible, and it is not the integration i would want. i have written about this before: https://news.ycombinator.com/item?id=44746099

                • maleldil a day ago

                  Danish PM's comment is about integration. You're mischaracterising it. I'd say it's pro immigration, not what you're trying to spin it as.

                  "We want immigrants to integrate" is not the same as "we don't want immigrants", which is the point you're trying to make.

                  • simianparrot a day ago

                    DHH didn’t say he is against immigration. Neither did I. Why are you straw manning?

                    • em-bee a day ago

                      how is this not against immigration?

                      https://world.hey.com/dhh/as-i-remember-london-e7d38e64

                      London is no longer the city I was infatuated with in the late '90s and early 2000s. Chiefly because it's no longer full of native Brits. In 2000, more than sixty percent of the city were native Brits. By 2024, that had dropped to about a third. A statistic as evident as day when you walk the streets of London now.

                      Copenhagen, by comparison, was about eighty-five percent native Danes in 2000, and is still three-quarters today. Enough of a foreign presence to feel cosmopolitan, but still distinctly Danish in all of its ways. Equally statistically evident on streets and bike lanes.

                      But I think, what would Copenhagen feel like, if only a third of it was Danish, like London? It would feel completely foreign, of course. Alien, even. So I get the frustration that many Brits have with the way mass immigration has changed the culture and makeup of not just London, but their whole country.

                      • simianparrot a day ago

                        It’s being against unlimited, uncontrolled immigration. Is the difference not obvious?

                        • em-bee a day ago

                          no it isn't because everyone has a different idea what limited, controlled immigration means. for some 20% is ok, for some 10% is too much. and for some only those who can integrate to 100% and become invisible is ok. practically speaking, for most people controlled immigration means: only allow the people that we like, and don't allow any of the people that we don't like.

                          • simianparrot a day ago

                            We will never solve the scale of what's acceptable or not. That will always require dialogue and will change over time with the economic state of a country and many other factors, including culture.

                            However this argument is usually used to imply "there should be no limits", and that's obviously not practical nor ethical for anyone involved.

                            • em-bee a day ago

                              yes, the limits are economical. not cultural. you can't control the effect on culture by limiting immigration. economics is a different issue. the problem of course is that these issues get mixed, and people use economics as a reason when culture is their problem. and they are blaming their own economic situation on too much immigration when often that is simply not true.

                              germany has 200.000 open positions in IT right now. what would happen if we invited 200.000 experienced IT people from india? half the people without a job would complain that the indians are taking away their jobs. and lots of people would rant about how all these indians change our culture.

                              and what about the civil war in syria that produced 5 million refugees leaving the country? or ukraine, another 5.7 million refugees?

                              do you want to reject them just because you feel they threaten your culture?

                              since you claim that not having a limit is not ethical, let me quote the german chancellor merkel at the time: "The fundamental right to asylum for the politically persecuted knows no upper limit; that also goes for refugees who come to us from the hell of a civil war."

                              when merkel said "everyone is welcome" this was literally the first time in my life that i was proud of germany. and you should know that in germany being proud of germany is a politically very sensitive statement usually associated with extreme-right groups.

                              so when it comes to refugees there can't be an upper limit. and beyond that, the limit depends on the economic situation. if we need the workers, the limit goes up. it has to. culture doesn't factor into it at all. you can't have it both ways.

                              • simianparrot a day ago

                                And look at Germany now. I have friends and family there. Merkel’s utopian naïveté has certainly not benefited Germany at this point. It went way too far.

                                I can’t believe people are like this. But it explains why Europe is more and more split on this topic: It’s two irreconcilable worldviews and one of them requires ignoring observed reality.

                                • actionfromafar 8 hours ago

                                  Are you making the case that Germany should not have united?

                                • em-bee a day ago

                                  you are completely missing the point. what exactly should germany have done? let those people suffer? stick them in crowded refugee camps?

                                  you do not get to turn a generous humanitarian aid gesture into blaming germany for being dumb to let all these people in.

                                  this is not ignoring observed reality. observed reality is a consequence of people not being welcoming enough. of not being supporting and considerate of the foreign culture and not doing enough to befriend these people. as i linked in my other post, i wrote about this before: https://news.ycombinator.com/item?id=44746099 we are not letting these people integrate in a way that allows them to keep some of their culture while giving them an opportunity to learn about our culture.

                                  yes, the current reality may be rough. but those are growing pains. and they are consequences of war, and not consequences of allowing too many people to enter the country. by sharing the consequences of these wars germany becomes an ally to the victims, and that is a good thing. rejecting refugees would have turned germany into a villain and an ally of the perpetrators. i'd be ashamed if that happened.

                                  • simianparrot 16 hours ago

                                    I’m sorry, but not being welcoming _enough_!? Seeing the incredible, life altering strain the German model has put on the lower and middle class while they’ve bent over backwards to be more welcoming to strangers that share none of their values and consistently and purposefully alienate themselves from the general German population, I simply cannot agree we are observing the same reality.

                                    Full disclaimer: Some of my friends are also immigrants from the 80’s. And they’re equally exacerbated by the state of Germany because the country and culture they love is deteriorating out of suicidal empathy.

                                    • em-bee 7 hours ago

                                      i have traveled and lived in countries all over the world. first in europe and western countries. already there i found there is a gradual change of friendliness the farther south i went. among western countries the US is the most friendly. despite their issues with racism, the people are welcoming to foreigners and immigrants.

                                      then i visited asia, and i was shocked how much more friendly and welcoming people are there. if you haven't been there it is unimaginable. same goes for africa. seriously. on a global scale, europeans are the worst in being welcoming. so, yes. germans are not welcoming enough. they are principled however, and it is those principles that made them invite those refugees.

                                      the state of germany is not deteriorating because of empathy, but because of the unwillingness of some people to adapt and adjust to the new reality. this lack of adaption leads to confrontation, and that confrontation is the cause of any deterioration. the culture is not destroyed by immigrants. it is destroyed by lack of tolerance and unreasonable expectations.

        • forgingahead 2 days ago ago

          Tekin's conclusion: "it will send a clear message to the wider Ruby community (and those who may be considering joining it) that the majority does not stand with DHH and his toxic views."

          He is going to be ultra surprised to learn what the majority thinks and how it's not what he thinks it is.

          • em-bee a day ago ago

            what does the majority think then according to you?

            • schainks a day ago ago

              Additional context — DHH's latest blog post: https://world.hey.com/dhh/as-i-remember-london-e7d38e64

              Using your personal brand to espouse the values of ethnonationalism fundamentally serves the capital class wishing to divide and exploit social order among those who labor. This is so rich, coming from the guy who literally created a tool that increases the value of labor.

              So, if I had to guess, the smart, critical thinkers in the _global_ Ruby community might find this whole situation reeks.

              If I were an immigrant to the UK and a Rails developer, and DHH is getting re-platformed while saying crazy stuff like this, I would think twice about my career choices going forward — Or, push the Ruby community not to stand with a garbage attitude like this, even if from a BDFL-type personality. I _invested_ my life into promoting the use of your tool, while you disparage me based on skin color and country of origin for the sake of some 'ye olde country' vibefest?

              Does DHH even know where his principles lie?

        • rramon 2 days ago ago

          Tekin, what makes a Turk less white than a Greek or Spaniard?

          If it's cultural (religion, music/sports related subcultures and codes) then it's chosen. Nobody can force you into a subculture in the West. As soon as you turn 18 you can essentially do what you want, most likely even way before that.

          You can choose your subculture, how you dress, style your hair, talk and are read by the mainstream society. Actual racists go by skin color and ignore your cultural choices, fuck them.

          • ____mr____ a day ago ago

            Not really, racists often include ethnic features such as hair texture or even nose shape within their criteria for racial exclusion.

            While in certain cultural contexts Turks may be read as white, within Europe there is a history of excluding them from whiteness and presenting them as a threat to European culture, mostly due to Islamophobia

            • kgwgk a day ago ago

              The last paragraph is funny because Turks themselves use the expression White Turks to refer to the modern/secular/Western (as opposed to the Black Turks, conservative/Islamist).

            • rramon a day ago ago

              Ethnic features = things you can do nothing about, same category as skin color.

              I was talking about the culture you chose and the stereotypes that go along with it. Stereotypes override ethnic features unless you actually deal with real racists.

              DHH might not be street smart enough (like most people in tech) to see through those stereotypes on the streets of London.

              • ____mr____ 14 hours ago ago

                I'm not sure I completely understand what you are saying.

                You start your original comment by asking what makes Turks non white which I answered, and from what I understand you believe that choosing to participate in a culture from the diaspora you are a part of means that you have to bear the burden of the stereotypes about that culture, even if they are racist in nature? And furthermore, you believe that people that believe these stereotypes are not real racists because real racists only care about skin color?

                Again, I could be misunderstanding, but I don't think that you need to only care about skin color to be racist. I think that DHH's anxieties about replacement of natives being mostly focused on MENA people feels like a pretty clear sign he believes that non European (aka non white) immigrants are a problem, which to me, is racist.

          • berkanunal a day ago ago

            What exactly is your point? Is abandoning your religion and what music you listen to a requirement of integration?

            This is how your point reads like: Just cosplay as a white european christian, and if you still experience racism... well fuck those racists.

    • jtbayly 2 days ago ago

      It was not left out of the statement. I understood that was essentially what happened by the time I got to the end of his piece. The only exception being the “with no warning or communication” part. Obviously there is disagreement about whether that is true or not.

    • caymanjim 2 days ago ago

      Everything you're quoting is from one aggrieved person, who clearly felt slighted, and who left out a whole lot of context in their own post. The article above is a lot more reasoned, less emotional, and seems completely reasonable to me. Ruby Central clearly has issues with both internal and external communication. And the above article isn't an official statement either; it's just one person, not involved in the decision, offering another perspective.

      • throwaway346434 2 days ago ago

        It's not just one person.

        Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.

        https://github.com/rubygems/rfcs/pull/61

        The conversation terminated because the majority of those people then had their access revoked again.

        When weighing the facts here; which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?

      • sc68cal 2 days ago ago

        > who clearly felt slighted,

        I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.

      • caboteria 2 days ago ago

        Everything he quoted is a fact, which can be proven or falsified. Taken together (and if true) they're pretty damning.

        You responded with an ad-hominem attack. If you can offer a rebuttal of the facts then please do, otherwise try to refrain from personal attacks.

        • caymanjim 2 days ago ago

          I dunno what you read, but nothing I wrote included any attacks, personal or otherwise.

          • hinkley 2 days ago ago

            It’s “felt slighted” that makes me wonder how often you get into arguments that escalate “for no reason.”

            Having access revoked with no heads up is a slight. You’re goddamned right they feel slighted. They were slighted.

            “Feel slighted” is like “I’m sorry you’re upset”. You put everything on the aggrieved party when you say it like that.

          • albedoa 2 days ago ago

            Ah, you're constructively accusing the author of "[leaving] out a whole lot of context". Non-derogatorily.

          • hluska 2 days ago ago

            > Everything you're quoting is from one aggrieved person, who clearly felt slighted, and who left out a whole lot of context in their own post.

            ^ This was a personal attack.

      • generalk 2 days ago ago

        Wait, what?

        A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.

        And still! If there is an "official" statement, I can't find one on https://rubycentral.org/.

        This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.

      • McGlockenshire 2 days ago ago

        I know you're already getting piled on here but

        > less emotional,

        Expressing emotions is good, actually.

      • immibis 2 days ago ago

        Right now the board is acting indistinguishably from Andrew Lee during the Freenode collapse, and, like, everyone else who ever did a hostile takeover of an open source project ever. Supporters of the board are acting indistinguishably from supporters of Andrew Lee during the Freenode collapse.

      • skywhopper 2 days ago ago

        Less emotional? It comes from someone who has no personal stake in the outcome, and was in the loop for the decision making. Versus someone who was personally slighted and was not properly communicated with about such a big change.

  • nightpool 3 days ago ago

    So Ruby Central, by their own admission, agreed to take $$$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project in favor of their own funding. And also they apparently used this as an opportunity to consolidate their power in other ways (renaming the github org) for reasons that were unrelated to the self-imposed deadline. How does this make them look better?

    • actionfromafar 2 days ago ago

      To my untrained eye it looks like a board with a bunch of money and perhaps a fork on their hands.

      • phatskat 17 hours ago ago

        This definitely has a Mullenweg-esque scent to it.

  • mpalmer 2 days ago ago

    For any company that wants to secure and maintain critical source infrastructure for a language, community/maintainer relations is a fundamental responsibility. It is not to be waved away with quasi-candid admissions that you're just too small a team, too technical, etc. Even if this board member is being totally sincere about his feelings for Ruby and its community, it changes little.

    > Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.

    This is the most candid bit of the article.

    RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...

    If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.

    By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.

    To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.

  • thomascountz 2 days ago ago

    I think that most Rubyists want to forgive each other and move forward. The board, staff, and volunteers at Ruby Central are all people and people are fallible, that's fine. The way to receive forgiveness isn't to convince others (who weren't there and who don't have the full context) that what was done was reasonable or justified. It doesn't matter. It doesn't even matter who is at fault. What matters is who will take responsibility.

    The actions taken by people in service of Ruby Central have had unintended consequences, including damaging the community's trust in Ruby Central's stewardship.

    A new governance model will solve only the problem of there not being a governance model. There also has to be an acknowledgment that the lack of an existing appropriate governance model wasn't just a "fiduciary failure," but a failure which caused harm to the community and contributors. Contributors who—like the board—are volunteers, and would have probably liked to have their significant dedication shown more respect.

    You show respect to someone by giving them important information from which they can use to make their own decisions. As opposed to withholding information because you are uncomfortable with the possibility that they may make a decision you don't want them to.

    • mikeg8 2 days ago ago

      Best comment I’ve seen on this thread so far.

  • hyperpape 2 days ago ago

    A lot of people are arguing about whether locking down access was justified to resolve the security issues. I guess it's debatable.

    But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.

    • nenenejej 2 days ago ago

      I mean imagine you are at work and you need to do this for SOC2 or something but don't tell your colleagues.

      • danielheath 2 days ago ago

        Firstly, you can tell them you’re working on SOC2 compliance, and secondly, those colleagues are getting paid in dollars, not doing it for the love of the work.

        • nenenejej 2 days ago ago

          > Firstly, you can tell them you’re working on SOC2 compliance

          Bingo

  • kragen 2 days ago ago

    I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)

    I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.

    Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.

    • hluska 2 days ago ago

      > reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation.

      There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.

      Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.

  • rubiest2010 2 days ago ago

    This is a reasonable perspective but leaves a lot of unanswered questions and creates more questions. Who is the funder threatening to pull funding and why were they not more collaborative or flexible with Ruby Central? Did they know that this is how their request would be handled?

    How much information and what information did Board members have when making their votes?

    One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.

    • rubiest2010 2 days ago ago

      To add, did Ruby Central consider going to the community and asking for funding so they wouldn’t have to be beholden to one or a small group of key funders? If they were at risk of shutting down without this funding source I think the community might have rallied around them so they could make more independent decisions in the best interests of the community.

      This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.

      • hluska 2 days ago ago

        This program is public and has been for a very long time - it’s called the Community Support Program because Windows devs don’t have enough nightmares of the acronym CSP.

        Do you contribute? I can send you a link if you don’t.

        • lightbritefight 17 hours ago ago

          Why would someone contribute to Ruby central now, when the org has been shown to be callous and incompetent stewards who are utterly incapable of showing even minimal respect to their community?

    • hluska 2 days ago ago

      I don’t know why the funder matters. RC agreed to a contract that provided a fixed date by which these issues needed to be resolved or funding would be terminated. Exploding terms are rare in funding agreements because they don’t make the funder look good when they explode. Back in my non profit board days, I learned that contracts with exploding terms need to go in front of the entire board instantly for action or lawyers will get paid.

      • rubiest2010 2 days ago ago

        Actions were taken, at the request of a major funder or group of funders, that have become a PR problem for the entire Ruby language. This is the third article I’ve seen on HN in the last week and it’s not just Rubyists commenting. This is damaging to everyone who uses Ruby and developers who want job security in the future. These funders should want to maintain the reputation of Ruby, and forcing a nonprofit to take an extreme action like this in a pressure cooker situation puts all of Ruby at risk when it explodes into a scandal. These companies need to work transparently in the best interest of the whole community.

        • cratermoon 2 days ago ago

          I really want to know who the funders are, for real. Not the public-facing organization, but the actual source of the money.

  • andersmurphy 2 days ago ago

    > Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

    Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to do what they want, it's hard to stay independent.

  • baggy_trough 2 days ago ago

    Locking out a guy like David Rodriguez (the main person I see doing bundler commits) in a dramatic fashion just seems like absolute craziness. I can't fathom doing it without a very good reason, which has yet to be revealed if it exists.

    • byroot 2 days ago ago

      He's specifically among the 3 people still owners of the bundler gem [0], they were 6 just a few weeks ago [1]

      [0] https://rubygems.org/gems/bundler

      [1] https://web.archive.org/web/20250824033341/https://rubygems....

      • baggy_trough a day ago ago

        He said this on the Bundler discord yesterday:

        'My work in Bundler & RubyGems is completely halted, including the Bundler 4 project which I expected to complete in the next ~2 months. The immediate reason for this is simple: my commit access to the repository has been revoked, so I can no longer do the job anymore. The more fundamental reason is that I completely lost motivation after all the recent events, regardless of whether work is paid or not.

        I'll be happy to resume my work in Bundler & RubyGems if maintainer ownership prior to September, the 9th is restored, and thus the previous maintainer's team is allowed to continue building a transparent and democratic governance model for the project.'

    • padjo 2 days ago ago

      Does “lest we lose critical funding because we don’t have proper agreements with our committers” not cut it as a reason for you? Genuinely curious, it seems like a reasonable explanation assuming it’s true.

      • generalk 2 days ago ago

        It does not, for me.

        Given that access was cut, then restored, then cut again, then days, then someone finally says "hey we were going to lose critical funding" makes it seem like a post-facto excuse for a hostile takeover.

        And the whole "oh, well, we're bad at comms" makes it sound even worse!

        Which is the whole crux of the issue. At no point in any of this did Ruby Central do anything reasonable. Then they tried to explain that their unreasonable actions were reasonable, if you only knew the things they knew, which they were for some reason unable to tell people until just now.

        Could it be true? Sure, absolutely.

        Does it seem reasonable at the moment? Hell no.

        • lloeki 2 days ago ago

          From TFA:

          > Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.

          > Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

          deivid-rodriguez's last commits were Sept 18: https://github.com/rubygems/rubygems/commits/master/?since=2...

          With 7873 commits since 2018 he's 2x over the second one and crushingly the most active contributor since then: https://github.com/rubygems/rubygems/graphs/contributors

          However you slice it, none of that fits into TFA's above narrative.

          His access being revoked can only be described as complete bonkers.

          • AlienRobot 2 days ago ago

            It's to secure the supply chain.

            From the guy who has supplied most of the chain.

          • padjo 2 days ago ago

            Ruby Central sponsors him to work on the project. They also own the project. Sure it’s not ideal that they’ve apparently come to an impasse of some sort but locking him out is not bonkers.

            • jemmyw 21 hours ago ago

              > They also own the project

              I've seen some contention around that. RC owns the rubygems infrastructure. But it's not clear that they should own the repos of the open source rubygems or bundler projects that they use. They just seem to have fallen to that organization by way of some admin owner passing through, rather than an official hand off.

            • generalk 2 days ago ago

              It sure fucking is bonkers.

              Ruby Central as an organization touts that it is responsible for RubyGems. Assuming this narrative is accurate, they needed to get agreements in place with contributors to appease some funding partners.

              This shit happens. Especially as an open-source project started by one dude in 2009 turns into critical infrastructure managed by a 501(c)(3) non-profit.

              That they failed so fucking spectacularly speaks incredibly poorly of their board.

      • baggy_trough 2 days ago ago

        Then you act in advance or with notice to get those agreements in place. Just dropping an atom bomb on the commit rights of the biggest contributor is very disrespectful.

        If you can't work out an agreement after a good faith period... then that can become a good reason.

      • crote 2 days ago ago

        What's the point of a foundation having funding if there's no ecosystem left to spend it on? And if a single source of funding is so critical that they can demand immediate wide-spreading changes to the ecosystem, is the foundation even independent at all, or just a corporate puppet pretending to be?

        Who cares that you have funding for things like build servers and meetups when your core developers walk away and the project is left to rot?

  • qrush 2 days ago ago

    I'm truly hoping for a reasonable resolution on all sides for this situation. IMO Ruby is too small, and shrinking compared to Python and JS/TS especially in the AI era, to be able to afford any splintering of efforts.

    • bradly 2 days ago ago

      I still remember your The Legal Stuff post on Google Groups from a million years ago. <3

    • rubiest2010 2 days ago ago

      Agreed. I wish the communications would move away from FUD that could scare people away from using Ruby when things are already splintered. A more honest and transparent accounting of what really happened is necessary.

  • vintagedave 2 days ago ago

    > A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

    This makes a lot of sense, and it puts the 'drastic' action in understandable light.

    It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?

    Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.

    • cyanydeez 2 days ago ago

      Pretty sure github issues would enlighten everyone on the timely communication of funding requirements

  • decasia 2 days ago ago

    Agreeing with most of the other comments here that this discussion needs more context which we don't have...

    If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)

  • eutropia 2 days ago ago

    I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.

    Something like:

    "Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."

    Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...

    • adriand 2 days ago ago

      Sounds like you should volunteer for Ruby Central to help them with their communications! I don't mean that facetiously: it seems that they could use you, or someone like you, with comms. As the OP readily admits, this is not a strong point for them.

      My general take on this:

      1) Nerds are often not the best at communicating.

      2) People on the Internet can be very cruel towards people they don't know.

      We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.

      • gsinclair 2 days ago ago

        The organisation already has non-technical people employed. They should be able to get basic communications right.

    • nenenejej 2 days ago ago

      This has the advantage of being short and so takes way less brainpower to piece what actually happened. Reading between lines is exhausting.

  • throwaway346434 2 days ago ago

    It's such a weird thought process to have gone through, to write this. The sentiments expressed are basically:

    "I WANT to apologize ... that I feel awful."

    "How can you possibly talk to someone about changing access, when multiple people tell you no, you are wrong?! A coup is the only way!"

    "Because funding deadline, we executed a coup, which will keep everyone safe from hostile actors... Taking over accounts and access"

    • delichon 2 days ago ago

      > Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn't a new development, and I'm honestly very confused about the confusion.

      That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.

      • throwaway346434 2 days ago ago

        [flagged]

        • delichon 2 days ago ago

          He is claiming that Ruby Central has the authority. True or not, that claim is not consistent with a coup. You seem to be catastrophizing and constructing misleading quotes, including inverting his words, not because his claim is not true but because of how he communicated it and the impact of it.

          • throwaway346434 2 days ago ago

            My point is that he chose to communicate the way he did; it is poorly thought out and extremely difficult to accept as an explanation.

            Objective tests you yourself can perform.

            1) How much of the publication talks about himself? Why is that relevant?

            2) How much does it directly provide links, context, history? Can you find the opposing point of view directly linked from it, or is it omitted?

            3) From reading the content, does this person represent the board, or not? Do they make any conflicting claims that are difficult to both be true at the same time?

            4) A coup d'etat is "a sudden, violent, and unlawful seizure of power from a government"

            Were the people who lost access acting as a governing body? Was the loss of access sudden and unexpected? Did the loss of access follow any of the rules of the governing group? Did the loss of access harm individuals?

            With the answers to the above, reflect on the following:

            Why would someone write about themselves, their experience, etc for 6 paragraphs? Would you say it is clear they have only been appointed since Jan 2025? Or are they trying to establish themselves as an authority? If they are not attempting to appeal to authority, why is it relevant?

            Did they actually apologise? If so, to who? Is it specific? Does it clearly articulate what the person did, admit fault, recognise harm? Or is there downplaying of impact, vague language, downplaying of involvement?

            Does it characterise the contrary point of view in a way that trivialises the concerns? Are the conversations "emotional" or is it implied the people experiencing the negative act are? Is the author emotional?

            If you were the person or people affected, would you accept this explanation? If you were the person taking these actions, would you explain why like this? Why or why not?

            I strongly encourage you to do this exercise, putting aside feelings or initial responses even if you think I am wrong.

          • JoshTriplett 2 days ago ago

            Most coups happen when someone has power and conflates that with authority.

  • mikemcquaid 2 days ago ago

    I’m the Homebrew Project leader and care a lot about Ruby so met with both sides to attempt to mediate and posted two threads on Bluesky about what went down:

    https://bsky.app/profile/mikemcquaid.com/post/3lz7klsyue22f

    https://bsky.app/profile/mikemcquaid.com/post/3lzfxctubbk2y

    TL;DR: Regardless of what you think of RubyCentral’s actions, it’s very clear they absolutely screwed up the execution and communication here. In general the transparency is far below what you’d expect from an open source organisation.

  • anyonecancode 2 days ago ago

    What I'm missing is what, if any, communication Ruby Central had with maintainers.

    > How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

    Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.

    I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.

  • kg 2 days ago ago

    > I can't speak for the board or the Ruby Central staff. But I know them and they are like me. They do this because they love Ruby and our community. I'm certain of that.

    I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.

    • hatthew 2 days ago ago

      > [do what we did], or lose the funding that we use to keep those things online and going

      Seems pretty clear-cut to me.

  • nenenejej 2 days ago ago

    I hate the style of write up. It feels a bit gaslightly (it may or may not be but feels like it). And defensive.

    Just drop all the facts. Acknowledge you fucked up. Or don't say anything at all?

    A board position means responsibility not just "head down coding". And that means communicating with people.

    For clarity I wasn't super keen on the original submission this is responding to, for similar reasons.

  • reenorap 2 days ago ago

    The only reason why Ruby and other open source projects survive is because large companies can trust them to do the right thing. Given the critical nature of the supply chain attacks, what the board did was 100% right. Like he said, some people's egos got hurt but if no one can trust the maintainers, then Ruby has no future in the industry and it will die quickly.

    This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.

    • khamidou 2 days ago ago

      I think you got things mixed up, open source projects survive because volunteers believe in them and want to contribute to them. Large companies rarely get involved, occasionally with some funding.

      It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.

      Only time will tell if this was really damaging to the ruby community or just a temporary hurdle

      • dewey 2 days ago ago

        Look at the core maintainers of Rails for example. Many are paid by Shopify and Basecamp, so it’s much more commercial than your regular open source project.

        Which isn’t a bad thing that people get to contribute on company time.

        • khamidou 2 days ago ago

          Again this is mixed causality. Rails did not take off because of commercial interests – besides dhh who was working on it on the side, all the initial committers were doing that for fun.

          Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.

          • dewey 2 days ago ago

            Rails was built in a company to build commercial products so I’d say it had commercial interests from day one.

            > 37signals built Rails for Basecamp and has since used it to create all their web products.

            From: https://rubyonrails.org/foundation/37signals

          • stickfigure 2 days ago ago

            However it started, there's a big hosting bill and somebody has to pay it.

            • weaksauce 2 days ago ago

              most of the hosting is donated for free outside of the influence of monetary donations.

            • khamidou 2 days ago ago

              For sure – but maybe it doesn't have to be the side project of a non-profit whose main thing is RailsConf.

              • ryoshoe 2 days ago ago

                To be fair to RubyCentral, this year's RailsConf was the last one they have planned, though it's likely that they'll shift focus to RubyConf in its place

        • type0 2 days ago ago

          of course Rails is mainly commercial

          gems and bundler are for everyone though, even hobbyists writing scripts. Alienating contributors who support common infrastructure for no good reason is just plain stupid especially when those projects weren't theirs to begin with

    • gsinclair 2 days ago ago

      The board was not 100% right, not even close. I’ll assume their technical actions were justified. But they screwed the communication badly in a domain where informal trust is an important commodity. Therefore, they flubbed a big chunk of their responsibility.

    • blibble 2 days ago ago

      was it even their project?

      just because they host it doesn't mean it's theirs

      my webhost doesn't own the community around my projects simply because it's on their server

    • cyanydeez 2 days ago ago

      The ego is what created the software. If you say f the ego, you're saying you want new maintainers

  • cratermoon 2 days ago ago

    Money. It's all about money. This is the only sentence from the post worth reading: "Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going"

  • gregorymichael a day ago ago

    This seems super reasonable.

  • skywhopper 2 days ago ago

    Honestly this description makes me even more concerned. There’s a lot of “I don’t know what happened” and “I wasn’t involved” and “apparently we agreed to”.

    In particular, after a long winded introduction and setting of the scene, suddenly there’s a mention out of the blue of a 24 hour deadline to cut off access or face losing funding (forever)? But who was holding this deadline over the board’s head is not explained (in fact the author doesn’t seem to know???).

    Overall this just reinforces the impression that the RC board handled this sloppily and in a rushed manner, and failed to communicate with long term community members, and thought of themselves as the only parties who mattered, while not taking responsibility for holding such an important position (see the opening paragraphs about how “we don’t have time to communicate to the public because we’re busy programmers without a PR team”).

    • lightbritefight 17 hours ago ago

      The poster is the treasurer too. How can he not know where the money is coming from and what constraints it's beholden to?

      Wildly unprofessional or just willful lying.

  • Mystery-Machine 2 days ago ago

    Here's a little bit of nitpicking:

    > I want to apologize, genuinely, to people who have felt (...) outrage (...) after reading some of what others have shared.

    He's apologizing for what others have shared, not for what they (Ruby Central) did.

    > I often go out of my way to avoid making people feel bad

    "I'm the good guy."

    > and so to be part of what's caused so much chaos lately has really been awful.

    "_I_ feel awful."

    "I'm sorry for what others have said about what we _did_. I feel awful for people being outraged" Amazing.

    > this is a small group of volunteers spread out all over the globe. (...) It's just us.

    You didn't, for a single moment, think about notifying the people involved that you are removing them? It's the very first thing to do - notify someone who's involved of the change in their status. If your communication skills didn't reach a level in which you thought that would be the thing to do, I don't know what to tell you.

    > It is really boring stuff. So why do I do it?

    So what? Should we feel sorry for you?

    > I love the community. I love the people who use Ruby, (...) I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.

    Cool.

    > I can't speak for the board or the Ruby Central staff. But (...)

    proceeds to speak for the board and the Ruby Central staff.

    > Ruby Central has been responsible for RubyGems and Bundler for a long time.

    This is a lie. RubyGems and Bundler have been maintained by a group of core maintainers. Some members of this group were also Ruby Central staff, but not all.

    > It's not a new story that Ruby Central has been working on (or trying to at least) improve the governance model for Bundler and RubyGems.

    It's a new story to me. If it's not a new story, do you mind sharing some links to past discussions?

    > How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

    You learn some basic English. And then let them know. It's called communication.

    > And what if other people who do still need that access claim things like "If you remove their access, I'll just add it back" or "If you remove their access, I'll quit".

    It's called consensus. And communication. You talk. You speak with people. And then you agree on a decision.

    > These are emotional conversations.

    Yes, they are. Is that why we shouldn't have them? When you want to leave your wife, do you just leave? What a strong person with strong values.

    > I wasn't a part of them and can't actually speak to the content of the conversations or how they were handled.

    Bad. They were handled bad. Why did you write this post? You don't have information, you don't know what happened...you just love people and community and companies. Happy happy joy joy.

    > we don't have a "communications team"

    You don't need a communications team. You just need to have a communication channel public or private, where you can reach all of the core members. It could be an email with everyone in CC.

    > A deadline (which as far as I understand, we agreed to) loomed.

    If you're not sure whether it was agreed on, again, communication. Learn how to communicate. Which deadline? Who set this deadline?

    > With less than 24 hours to go

    Did someone give you 24 hours deadline? Why wasn't this discussed long before the deadline?

    > Marty, Ruby Central's Director of Open Source

    Who the f is Marty? If he wasn't one of RubyGems maintainers, why is he suddenly being put as the main maintainer? Aside from communication issues, you also have decision making issues. All of the core members should come to an agreement, without Marty.

    > I love this community and I love Ruby.

    Cool.

    Please find some time to read a book or two on communication skills. As well as decision making.

    Read the comments in this thread. Ignore mine, don't think too much about it. Just read other comments. Then think again about your decision and to which percentage people in this thread agree with it. And perhaps reevaluate it.

  • renewiltord 2 days ago ago

    Christ what a clusterfuck. I only use Ruby because of Rails so whatever DHH says I'll go with. If he says this is bogus it's bogus, otherwise it's not bogus.

  • SuperNinKenDo a day ago ago

    Tl;dr: corporate coup.

  • pmontra 2 days ago ago

    > [The Ruby Central board] is a small group of volunteers

    is somewhat at odds with

    > Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,

    but not so much. Then the sentence goes on with

    > but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.

    So something has been wrongly managed or wrongly sold.

    Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.

    • brianm 2 days ago ago

      Not really -- non-profit boards are usually volunteers, even if the non-profit has revenue used for operations.

  • akk0 2 days ago ago

    So basically they're a bunch of serfs

  • corytheboyd 3 days ago ago

    Very reasonable other side to this story, which doesn’t come as much of a surprise. Too bad it didn’t hit the front page.

    People went WAY too far WAY too fast on this. There HAS to be urgency to this, the software supply chain is presently, undeniably, under attack.

    Frankly, everyone blasting RubyCentral the last few days should feel shame and embarrassment. These aren’t evil suits at Microsoft, they’re normal people invested in maintaining a critical piece of infrastructure for the good of all who love and profit from Ruby.

    • jaredcwhite 3 days ago ago

      What? This article is absolutely damning re: RC's leadership and the utter lack of proper transparency, strategic planning, marketing/PR, and solid OSS governance. Did we read the same article?!

      • corytheboyd 2 days ago ago

        Honestly I don’t know how to feel about it anymore, but I found the rhetoric way too explosive at the time, when nothing was really known. Now that some time has passed, and more has been said… yeah I get your point too.

        Ruby has been a HUGE part of building my career, I don’t want to see it slide away one questionable move at a time into full corporate control. It’s not TOO hard to see how this whole thing could just be step one of that :/

        • phatskat 8 hours ago ago

          I hate this for the community - I’m an outsider, who always wanted to give Ruby (and Rails) a good swing. However, after this, and after learning about dhh’s awful (imo) stances, I’m not ever going to go near any of it.

          I had a similar “yuck” when WPEngine started taking Mullenweg to task over all of the WordPress shenanigans - that hit a lot closer to home for me, as I’ve spent about half of my career building great sites and applications on top of Wordpress. Although I’ve moved on, I was still an active contributor on the WP StackExchange and had my ear to the ground in several plugin repos I authored for employers who contributed to Five for the Future, and replied to comments on blog posts from people who found my previous insights helpful.

          I have zero interest to ever go back to that project because of how poorly it’s been managed - if you want to see one man completely wreck an open-source ecosystem, it’s quite a fascinating if not depressing story.

      • picadi 2 days ago ago

        i read the article, but didn't see anything damning about it. how big of a staff do you think a tiny 501c3 like RubyCentral is? RC shepherds a pretty small community around a niche DSL with a shoestring non-profit budget that mostly goes towards running conferences.. you can see their financial reports here https://projects.propublica.org/nonprofits/organizations/300...

        expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the Github org anymore. Any one of them were huge targets for adversaries who want to ship malware in Rubygems, supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.

        my main takeaway from reading all this is why were so many assorted people given such high levels of access..

        • nightpool 2 days ago ago

          "These randos" are our friends and fellow contributors. Probably everybody in the Ruby community has worked with them in one capacity or another. The article provides no reason why they should have had their contribution permissions revoked. Just because you think of Ruby as a "niche DSL" and the people maintaining its core infrastructure as "randos" doesn't mean the rest of us do.

          • picadi a day ago ago

            just because someone is a nice community member doesn't mean they deserve rewrite-the-commit history admin level access to rubygems and bundler. they can be great committers even without the ego boost of knowing you hold the keys to get a ton of companies hacked without interference.

            also, if you step back, Ruby's problem is it consists of a fading community of millennials and Gen Xers who first came to Rails when it was the best/coolest option. however with the majority of builders now turning to JS for web, Rust (and Go) for systems, and Python for ML, it doesn't have a use case anymore that can drive a community or any hope for growth in the future. so a "niche DSL" for legacy webapps and plugin systems is what's left IMO, but i'm sorry for being super frank about it

            languages like this with a shrinking community and loose security policies around the centralized package management system pose high security risks to its users.

          • nenenejej 2 days ago ago

            I'm for least privilege and tightening up perms, reviewing who has access. But it just needed some comms and timeline. Unless there was an obvious immediate threat.

  • nyeah 2 days ago ago

    [flagged]

    • phatskat 8 hours ago ago

      I think a lot of people did read the OP and were left wanting - I know I did and was.

      Breaking down the posted article, there’s a lot missing (which the author admits), and it’s not clear really what the goal of the post was other than to say “someone, not me, made an oops. But it’s fine, right, because the community needed this to happen.”

      Parts that were particularly odd, that others have said with better words:

      - Who imposed this ultimatum on RC?
      - How long was the timeline to “tighten things up”? It sounds like there was both a decent amount of time and an immediate urgency - it can’t be both.
      - “We’re nerds who can’t communicate well” (paraphrased) is such a poor argument - I get it, I’ve had to do a lot of work to figure out how to navigate social spaces and how to communicate effectively in professional settings. That said, the author is writing as if they’ve never had a single conversation with a technical person that they didn’t know well; that any conversation about removing or reducing access would be a catastrophe. That’s ridiculous.

      It seems that either there was poor planning around this, or someone forgot about the deadline and YOLO’d it, or there was a malicious push to oust some of the biggest contributors under the guise of security.

      One thing is clear, regardless of what the root cause of this all was: RC showed a deep lack of respect for the people that make their community what it is, and that stinks.