41 comments

[ 2.3 ms ] story [ 152 ms ] thread
So Ruby Central did a hostile takeover of RubyGems enterprise account in GH. Wow
Ruby Central really need to come out and explain what they are doing here.

At the least this looks like a very destructive and poorly communicated move.

(comment deleted)
Copy-pasted below for posterity in case it goes down because I think this is a huge deal:

## Ruby Central’s Attack on RubyGems

Hi! I’m Ellen, but you probably know me as duckinator or puppy.

I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.

I have been part of the Ruby community since I was 13, and one of the RubyGems maintainers for the last decade.

This community has helped me through very hard times, and you mean the world to me.

One of the most important lessons I learned from y’all is this:

> A person’s character is determined not only by their actions,

> but also the actions they stay silent while witnessing.

## This Month Has Been A Fuck Of A Year

This is what unfolded between September 9 2025 and September 19 2025, as I understand it.

On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

renamed the “RubyGems” GitHub enterprise to “Ruby Central”, added non-maintainer Marty Haught of Ruby Central, and removed every other maintainer of the RubyGems project.

He refused to revert these changes, saying he would need permission from Marty to do so.

On September 15th, this maintainer said he restored the previous permissions after talking with Marty. Marty stated the deletion was a “mistake” and “should never have happened”.

The “restoration” kept a notable change: Marty was now an owner of the GitHub enterprise.

The RubyGems team responded by immediately began putting in place an overdue official governance policy, inspired by Homebrew’s.

On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.

By doing this, he took control for himself and other full-time employees of Ruby Central.

Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org

I will not mince words here: This was a hostile takeover.

## My Stance On This

I consider Ruby Central’s behavior a threat to the Ruby community as a whole.

The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.

When called out, these changes were mostly reverted. Then, it was done again.

By crossing that line a second time after being called out for it, Ruby Central has made it extremely clear to me that they are not engaging in good faith.

Ruby Central’s behavior has forced my hand. I refuse to watch this without speaking up.

I am resigning from my position at Ruby Central, effective immediately.

To remove any doubt: Ruby Central unilaterally, with no explanation, revoked all access to RubyGems against both my wishes and the wishes of the entire RubyGems team.

Ellen Dash (@duckinator)

September 19, 2025

Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?
Could someone with more insight as to the decision-making at Ruby Central weigh in on what's going on here? Between this and drama with the conferences over the years I'm just confused. They've been busy launching podcasts and doing fundraising, email campaigns and all that. Has there been a change in leadership?
I know its against the content policy on HN but I really wish I could reply with that gif from Veep where she's nervously laughing while mouthing "what the fuck".

Seriously... wtf.

The recent actions taken by Ruby Central - removing long-time RubyGems and Bundler maintainers without warning, seizing administrative access, and consolidating control under a small, centralized group - represent a serious breach of trust within the Ruby ecosystem.

This was not a misunderstanding. It was a hostile takeover of key infrastructure, undermining both the long-standing maintainers and the broader community that relies on RubyGems and Bundler every day.

The Ruby ecosystem thrives on collaboration, openness, and mutual respect. What we've witnessed over the past week violates those principles. Ruby Central's actions - unilateral access revocations, exclusion of experienced volunteers, and refusal to engage in transparent dialogue - are not just organizational missteps. They're a threat to the decentralized and community-driven spirit that has sustained Ruby for decades.

I oppose this power grab.

Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.

If Ruby Central is serious about supporting the Ruby community, they must:

- Immediately restore access to all maintainers removed during this incident.

- Publicly commit to a transparent, community-driven governance model, similar to what the RubyGems team had begun drafting.

- Respect the autonomy of open source maintainers, regardless of whether they are employed by Ruby Central.

- Acknowledge the harm caused by these actions and engage in meaningful dialogue to rebuild trust.

The Ruby community has always been about people - diverse, passionate, and united by a love for a beautiful language. It's time we demand that the institutions claiming to represent us act accordingly.

And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central and ultimately; if all else fails, we must build and maintain our own infrastructure unencumbered by these shenanigans. Also, in order to re-establish trust in the community; the people responsible for causing this ruckus should be fired.

Ruby-Level Sponsors (Top Tier): Alpha Omega, Shopify, Sidekiq

Gold-Level Sponsor Flagrant

Silver-Level Sponsors: Cedarcode, DNSimple, Fastly, Gusto, Honeybadger, Sentry

Feel bad for the RubyGems community, sending my gratitude and empathy. Ruby was a leap in my career, and i have a soft spot for the language and community

I'll wait for RubyCentral's side on this, but on the face of what's written, these actions do not seem to be transparent or in good faith. Is there something posted from RubyCentral's side?

I wish the Ruby community strength, and a transition over to a community-owned org, one way or another.

(With NPM, WordPress, now this - seems like package repositories are becoming a flashpoint of corporate takeovers..)

[flagged]
Hasn't Ruby Central always 'owned' RubyGems.org, Bundler, and all related infra?

Removing existing maintainers from the project isn't good - and hopefully it's a temporary oversight as Ruby Central gets things set up in the new org. Either bad communication from Ruby Central - or they really did made a bad mistake here (maybe even with the best intentions, given recent NPM issues).

Edit: It seems like there's a lot more to the story here. Many volunteer RubyGems/Bundler maintainers have left because they disagree with decisions that Ruby Central (the nonprofit organization) has made and it seems like all of this is fallout related to that.

Jesus, this is the absolute antithesis of MINASWAN.
At Shopify I was the person who first proposed that we needed to stump up $$$ for RubyGems (and only by implication Ruby Central).

This is not what I had in mind and now I'm embarrassed that I helped make it possible.

There is some more context on a post[1] in /r/ruby, including the fact that the maintainers and others had been working on a proposal[2] for a formalized organizational governance structure as recently as yesterday. The latter also adds some context into Mike McQuaid's involvement: the proposal was influenced by the structure put in place by the Homebrew project.

[1]: https://old.reddit.com/r/ruby/comments/1nkzszc/ruby_centrals...

[2]: https://github.com/rubygems/rfcs/pull/61

I took comfort in the fact that the ruby community seemed miraculously immune from these petty disputes and takeovers from the benevolent entity running the service. Seems like that’s not the case anymore :(

Sorry for all the maintainers, that must suck.

Welp, so there goes another ecosystem I considered exploring.

What almost surprises me the most, is that such a mature ecosystem still doesn't have a formalized governance structure after all this time. How common is this among large and widely-used open source projects?

For those like me who are not Ruby users/devs, it might be good to explain who exactly Ruby Central is? I assumed they were analogous to Python Soft Foundation or Linux Foundation etc. as the entity of maintainers/owners/whatever of Ruby.

But it seems that they have nothing to do with the ruby-lang.org site where the Ruby binaries itself are distributed. Instead, their own site appears to primarily list them as responsible for organizing an annual conference?

And who owned the RubyGems infrastructure before this takeover? The website (and domain that the client actually calls to get the gems, presumably) seem to have already been part of Ruby Central, so what exactly changed here ownership wise, beyond just kicking the maintainers?

(unrelated -- seeing a mention of DHH here reminded me that I haven't seen anything of the Matt/WP drama in a long time on HN -- time to go Google whatever the resolution of that was)