50 comments

[ 1.1 ms ] story [ 76.4 ms ] thread
I wasn't expecting such a nice writeup. Worth a read.

The Ruby community has been eating itself alive since almost the beginning, but it is sad to see the short-sighted destruction of trust and connection that this has had.

I've never written a line of Ruby in my life so this is coming from an outsiders perspective, but after this I don't know how anyone ever works with these people again. I would think the entire community would start finding ways to migrate away. Presumably those repos can be forked, and it sounds like a new source of Gems can be hosted. I doubt it would be easy by any stretch of the imagination, but essentially this entire leadership team just showed themselves to be entirely untrustworthy.
I don't know anything about Ruby so forgive my ignorance. As I understand it there were repos required to run the RubyGems Service. This was of interest to major corporate players. Instead of removing the original authors, why didn't they just fork the requirements?

And wouldn't that constitute a violation of ownership? Or did the authors wave that away by joining the respective GitHub org in the first place?

Basically, yes.

It is murkier as the involvement of some of the original creators in Ruby Central is there, so there are claims to being the original copyright holder applicable to some areas by a very small number of individuals, none of which who are the newly added maintainers, or Ruby Central as a whole entity.

> they had a problem with Ruby Central taking control of the RubyGems open source code repositories and gems, which Ruby Central never owned.

I don’t quite get how this happened? Ruby Central can’t just reach into my GitHub and declare they own something. Was it under the Ruby central account? Or an org account that decided they “own” the repo?

It looks like all these Ruby package maintainers decided to, for the sake of convenience perhaps, keep their primary repos under a single 'Ruby Gems' GitHub org. That's what allowed Ruby Central to kick them out and take control of all the repos.
I don't follow this kind of thing so forgive my ignorance. Why was "platforming" DHH bad? Honest question.
Given the recent pwnage of part of the npm ecosystem, a panicked overreaction from Shopify & RubyCentral almost seems inevitable.
Owning a source code project doesn't entitle you to admin in the github organization it belongs to, so I don't get why this article keeps hammering that point. Ownership of rubygems doesn't matter as all that's changing is members of a github organization.
> Sidekiq withdrew its $250,000/year sponsorship for Ruby Central because they platformed DHH at RailsConf 2025.

Honest question: What's the issue with DHH here? What did he do that caused them to pull support because he was platformed at RailsConf?

Sure, they don't like DHH. I never much liked him either (too opinionated for my taste), though Rails is a really good thing and honestly put Ruby on the map, and DHH deserves credit for that. But seriously, pull all their funding because of being platformed at RailsConf (_Rails_Conf, not _Ruby_Conf). Seems over-reactionary, and ultimately hurtful to the Ruby community (making them more dependent on Shopify).

Update: To be fair, I haven't followed DHH/Rails/Ruby community for the past decade (was very involved ~15 yrs ago), so my views may be outdated. Still I think pulling the funding doesn't help Ruby.

Can somebody provide an archive link? Trying to access the site, I get a Cloudflare security page that says my access has been blocked by some security rules.
Why were Samuel Giddins and André Arko singled out to be removed? What was their transgressions and to whom? From the write-up it sounds like Shopify wanted them out, but why?
Related. Others? (most recent first:)

An Update from Ruby Central - https://news.ycombinator.com/item?id=45344448 - Sept 2025 (1 comment)

A board member's perspective of the RubyGems controversy - https://news.ycombinator.com/item?id=45325792 - Sept 2025 (148 comments)

Goodbye, RubyGems - https://news.ycombinator.com/item?id=45306135 - Sept 2025 (1 comment)

Ruby Central's response to the RubyGems situation - https://news.ycombinator.com/item?id=45301949 - Sept 2025 (1 comment)

Ruby Central's Attack on RubyGems [pdf] - https://news.ycombinator.com/item?id=45299170 - Sept 2025 (244 comments)

I get that when drama unfolds like this there is going to be a shake out. It's always valuable, to some degree, to know what happened and why.

I just wish we could get to the part where the community can know and trust that our supply chain is safe and can be trusted.

Part of the long term supply chain question is that you trust who’s in charge. This corporate takeover of Ruby central and now Ruby gems is deeply concerning for the state of the Ruby ecosystem.

Meanwhile the Ruby core team is in Japan, would you like them to report in for work orders to shopify too?

> know and trust that our supply chain is safe and can be trusted.

I'd actually think stuff like that recent npm worm would be a bigger danger than whatever this mess is?

I understand Ruby Central doesn't own the source code, it's open source, and that they own the service, but who owned the GitHub account/repo ? Who created it originally?
The same people who created ruby central write the first versions of rubygems iirc (David Black , Chad Fowlernetc). But that was a long time ago and I'm not sure it matters to the current kerfuffle.
> and I'm not sure it matters to the current kerfuffle

I guess I find it a bit strange that it's so fuzzy who owned the GitHub repo.

So it was owned by a GitHub organization, and someone should have owned that organization no? Maybe the person that created it initially?

You can have more than one person with a role that allows to change ownership of repos owned by an organization, was that the situation here? Did multiple people had that permission and one of them re-owned the repo to themselves without any other knowing?

I say that because, I don't normally consider every code contributor to a repo, or even admin the owner of a repo.

If I create an open source lib, and then create a GitHub repo for it, and contributors come in, to help commit code, do PRs and even manage the repo, and later I decide to revoke everyone else's access, as the owner, like it's fine. Sure maybe some of the admins might wonder what's up, why I don't trust them administering the repo anymore, but it's my repo.

Here I'm struggling to identify whose repo is it? And was the repo owner kicked out of their own repo, so this is a takeover? Or did the owner just kick out others ?

This is my understanding:

1. Ruby Central hosts, maintains, and sponsors Rubygems and Bundler

2. Based on recent events, it was possible that credentials were stolen (https://www.bleepingcomputer.com/news/security/60-malicious-...)

3. They decided to lock everyone out until security issues could be resolved

It makes sense to me from a security standpoint, but their communication has been terrible which has led to a lot of speculation.

(comment deleted)
I dont understand why did Shopify wanted to take control and kick maintenners out?
I’m angry because I thought this was initially heavy handedness on shopify’s part.

Instead it’s people abusing the trust and power they have to try and cancel DHH because they don’t agree with him about some things. Absolutely sickens me to see the cancellation in motion. Completely bigoted and self righteous behaviour.

DHH is part of shopify's board currently apparently.
(comment deleted)
> To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed.

Ridiculously bold to say when what happened here was literally a malicious supply chain attack.

Malicious how? Was malicious code inserted? Serious question.
if it wasn't for DHH, Ruby would be a hobby programming language at best. The community can say what it wants, but it and frankly, most of the web programmers in the world, owe DHH some thanks. If it weren't for him, Yehuda Katz and John Resig, 90% of the web would still be written with Perl, CGI and VBScript.
This is a great account of "what."

I'm still struggling to understand the "why."

(That's not an implicit criticism of the article, which is extremely appreciated because it's neutral and factual)

I've been away from Ruby for a few years but Shopify always seemed like a huge net positive, sponsoring lots of valuable work on both Ruby and Rails. I never followed Ruby community happenings very closely but I'm not aware of negative feelings towards their community role in the past.

shut down Ruby Central, if not, they will make gems and bundler a payed servive.
>Sidekiq withdrew its $250,000/year sponsorship for Ruby Central

Whoa! I'm blown away that Sidekiq has enough money in the bank that one of their sponsorships is $250k/yr!

Sidekiq the company (actually ContribSys) is just one guy: Mike Perham.[0]

I listened to an interview with Mike a few years ago, and he seemed like he had an amazing setup. He was making about $1M/yr with no employees, just him selling code and contributing to open-source. I don't think he even has servers to keep online.

According to this podcast from 2023, he's now making close to $10M/yr in revenue and is still just running the whole thing by himself.[0] Great life for a solo dev founder!

[0] https://ruby.social/@getajobmike

[1] https://www.startupsfortherestofus.com/episodes/episode-661-...

Sidekiq is the dream of the Indie developer. Useful and simple product, highly automated, mints money
I worked with Perham while at Shopify. They are one of his many financial contributors and he made like 250k a year just so we alone could contract him. (I do not know particular numbers.) Was in my experience a very kind and knowledgeable person who would answer all my dumb questions graciously.

Shopify however is a deeply evil company that is literally run by Nazis. Not a metaphor, like, actual Nazis.

I heard Perham pulled his 250k because DHH was invited to Ruby conf 2025 as a speaker. Someone knows why he hates him so much?