I wasn't expecting such a nice writeup. Worth a read.
The Ruby community has been eating itself alive since almost the beginning, but it is sad to see the short-sighted destruction of trust and connection that this has had.
I've never written a line of Ruby in my life so this is coming from an outsiders perspective, but after this I don't know how anyone ever works with these people again. I would think the entire community would start finding ways to migrate away. Presumably those repos can be forked, and it sounds like a new source of Gems can be hosted. I doubt it would be easy by any stretch of the imagination, but essentially this entire leadership team just showed themselves to be entirely untrustworthy.
I don't know anything about Ruby so forgive my ignorance. As I understand it there were repos required to run the RubyGems Service. This was of interest to major corporate players. Instead of removing the original authors, why didn't they just fork the requirements?
And wouldn't that constitute a violation of ownership? Or did the authors wave that away by joining the respective GitHub org in the first place?
It is murkier as the involvement of some of the original creators in Ruby Central is there, so there are claims to being the original copyright holder applicable to some areas by a very small number of individuals, none of which who are the newly added maintainers, or Ruby Central as a whole entity.
> they had a problem with Ruby Central taking control of the RubyGems open source code repositories and gems, which Ruby Central never owned.
I don’t quite get how this happened? Ruby Central can’t just reach into my GitHub and declare they own something. Was it under the Ruby central account? Or an org account that decided they “own” the repo?
It looks like all these Ruby package maintainers decided to, for the sake of convenience perhaps, keep their primary repos under a single 'Ruby Gems' GitHub org. That's what allowed Ruby Central to kick them out and take control of all the repos.
Owning a source code project doesn't entitle you to admin in the github organization it belongs to, so I don't get why this article keeps hammering that point. Ownership of rubygems doesn't matter as all that's changing is members of a github organization.
Sure, they don't like DHH. I never much liked him either (too opinionated for my taste), though Rails is a really good thing and honestly put Ruby on the map, and DHH deserves credit for that. But seriously, pull all their funding because of being platformed at RailsConf (_Rails_Conf, not _Ruby_Conf). Seems over-reactionary, and ultimately hurtful to the Ruby community (making them more dependent on Shopify).
Update: To be fair, I haven't followed DHH/Rails/Ruby community for the past decade (was very involved ~15 yrs ago), so my views may be outdated. Still I think pulling the funding doesn't help Ruby.
Can somebody provide an archive link? Trying to access the site, I get a Cloudflare security page that says my access has been blocked by some security rules.
Why were Samuel Giddins and André Arko singled out to be removed? What was their transgressions and to whom? From the write-up it sounds like Shopify wanted them out, but why?
Part of the long term supply chain question is that you trust who’s in charge. This corporate takeover of Ruby central and now Ruby gems is deeply concerning for the state of the Ruby ecosystem.
Meanwhile the Ruby core team is in Japan, would you like them to report in for work orders to shopify too?
I understand Ruby Central doesn't own the source code, it's open source, and that they own the service, but who owned the GitHub account/repo ? Who created it originally?
The same people who created ruby central write the first versions of rubygems iirc (David Black , Chad Fowlernetc). But that was a long time ago and I'm not sure it matters to the current kerfuffle.
> and I'm not sure it matters to the current kerfuffle
I guess I find it a bit strange that it's so fuzzy who owned the GitHub repo.
So it was owned by a GitHub organization, and someone should have owned that organization no? Maybe the person that created it initially?
You can have more than one person with a role that allows to change ownership of repos owned by an organization, was that the situation here? Did multiple people had that permission and one of them re-owned the repo to themselves without any other knowing?
I say that because, I don't normally consider every code contributor to a repo, or even admin the owner of a repo.
If I create an open source lib, and then create a GitHub repo for it, and contributors come in, to help commit code, do PRs and even manage the repo, and later I decide to revoke everyone else's access, as the owner, like it's fine. Sure maybe some of the admins might wonder what's up, why I don't trust them administering the repo anymore, but it's my repo.
Here I'm struggling to identify whose repo is it? And was the repo owner kicked out of their own repo, so this is a takeover? Or did the owner just kick out others ?
I’m angry because I thought this was initially heavy handedness on shopify’s part.
Instead it’s people abusing the trust and power they have to try and cancel DHH because they don’t agree with him about some things. Absolutely sickens me to see the cancellation in motion. Completely bigoted and self righteous behaviour.
> To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed.
Ridiculously bold to say when what happened here was literally a malicious supply chain attack.
if it wasn't for DHH, Ruby would be a hobby programming language at best. The community can say what it wants, but it and frankly, most of the web programmers in the world, owe DHH some thanks. If it weren't for him, Yehuda Katz and John Resig, 90% of the web would still be written with Perl, CGI and VBScript.
(That's not an implicit criticism of the article, which is extremely appreciated because it's neutral and factual)
I've been away from Ruby for a few years but Shopify always seemed like a huge net positive, sponsoring lots of valuable work on both Ruby and Rails. I never followed Ruby community happenings very closely but I'm not aware of negative feelings towards their community role in the past.
>Sidekiq withdrew its $250,000/year sponsorship for Ruby Central
Whoa! I'm blown away that Sidekiq has enough money in the bank that one of their sponsorships is $250k/yr!
Sidekiq the company (actually ContribSys) is just one guy: Mike Perham.[0]
I listened to an interview with Mike a few years ago, and he seemed like he had an amazing setup. He was making about $1M/yr with no employees, just him selling code and contributing to open-source. I don't think he even has servers to keep online.
According to this podcast from 2023, he's now making close to $10M/yr in revenue and is still just running the whole thing by himself.[0] Great life for a solo dev founder!
I worked with Perham while at Shopify. They are one of his many financial contributors and he made like 250k a year just so we alone could contract him. (I do not know particular numbers.) Was in my experience a very kind and knowledgeable person who would answer all my dumb questions graciously.
Shopify however is a deeply evil company that is literally run by Nazis. Not a metaphor, like, actual Nazis.
50 comments
[ 1.1 ms ] story [ 76.4 ms ] threadThe Ruby community has been eating itself alive since almost the beginning, but it is sad to see the short-sighted destruction of trust and connection that this has had.
And wouldn't that constitute a violation of ownership? Or did the authors wave that away by joining the respective GitHub org in the first place?
It is murkier as the involvement of some of the original creators in Ruby Central is there, so there are claims to being the original copyright holder applicable to some areas by a very small number of individuals, none of which who are the newly added maintainers, or Ruby Central as a whole entity.
I don’t quite get how this happened? Ruby Central can’t just reach into my GitHub and declare they own something. Was it under the Ruby central account? Or an org account that decided they “own” the repo?
Honest question: What's the issue with DHH here? What did he do that caused them to pull support because he was platformed at RailsConf?
Update: To be fair, I haven't followed DHH/Rails/Ruby community for the past decade (was very involved ~15 yrs ago), so my views may be outdated. Still I think pulling the funding doesn't help Ruby.
https://world.hey.com/dhh/the-waning-days-of-dei-s-dominance...
I missed all this drama, it does seem like there is an echo chamber forming over on Bluesky…
Ruby Central's Attack on RubyGems
https://news.ycombinator.com/item?id=45299170
A board member's perspective of the RubyGems controversy
https://news.ycombinator.com/item?id=45325792
An Update from Ruby Central - https://news.ycombinator.com/item?id=45344448 - Sept 2025 (1 comment)
A board member's perspective of the RubyGems controversy - https://news.ycombinator.com/item?id=45325792 - Sept 2025 (148 comments)
Goodbye, RubyGems - https://news.ycombinator.com/item?id=45306135 - Sept 2025 (1 comment)
Ruby Central's response to the RubyGems situation - https://news.ycombinator.com/item?id=45301949 - Sept 2025 (1 comment)
Ruby Central's Attack on RubyGems [pdf] - https://news.ycombinator.com/item?id=45299170 - Sept 2025 (244 comments)
I just wish we could get to the part where the community can know and trust that our supply chain is safe and can be trusted.
Meanwhile the Ruby core team is in Japan, would you like them to report in for work orders to shopify too?
I'd actually think stuff like that recent npm worm would be a bigger danger than whatever this mess is?
I guess I find it a bit strange that it's so fuzzy who owned the GitHub repo.
So it was owned by a GitHub organization, and someone should have owned that organization no? Maybe the person that created it initially?
You can have more than one person with a role that allows to change ownership of repos owned by an organization, was that the situation here? Did multiple people had that permission and one of them re-owned the repo to themselves without any other knowing?
I say that because, I don't normally consider every code contributor to a repo, or even admin the owner of a repo.
If I create an open source lib, and then create a GitHub repo for it, and contributors come in, to help commit code, do PRs and even manage the repo, and later I decide to revoke everyone else's access, as the owner, like it's fine. Sure maybe some of the admins might wonder what's up, why I don't trust them administering the repo anymore, but it's my repo.
Here I'm struggling to identify whose repo is it? And was the repo owner kicked out of their own repo, so this is a takeover? Or did the owner just kick out others ?
1. Ruby Central hosts, maintains, and sponsors Rubygems and Bundler
2. Based on recent events, it was possible that credentials were stolen (https://www.bleepingcomputer.com/news/security/60-malicious-...)
3. They decided to lock everyone out until security issues could be resolved
It makes sense to me from a security standpoint, but their communication has been terrible which has led to a lot of speculation.
Instead it’s people abusing the trust and power they have to try and cancel DHH because they don’t agree with him about some things. Absolutely sickens me to see the cancellation in motion. Completely bigoted and self righteous behaviour.
Ridiculously bold to say when what happened here was literally a malicious supply chain attack.
I'm still struggling to understand the "why."
(That's not an implicit criticism of the article, which is extremely appreciated because it's neutral and factual)
I've been away from Ruby for a few years but Shopify always seemed like a huge net positive, sponsoring lots of valuable work on both Ruby and Rails. I never followed Ruby community happenings very closely but I'm not aware of negative feelings towards their community role in the past.
Whoa! I'm blown away that Sidekiq has enough money in the bank that one of their sponsorships is $250k/yr!
Sidekiq the company (actually ContribSys) is just one guy: Mike Perham.[0]
I listened to an interview with Mike a few years ago, and he seemed like he had an amazing setup. He was making about $1M/yr with no employees, just him selling code and contributing to open-source. I don't think he even has servers to keep online.
According to this podcast from 2023, he's now making close to $10M/yr in revenue and is still just running the whole thing by himself.[0] Great life for a solo dev founder!
[0] https://ruby.social/@getajobmike
[1] https://www.startupsfortherestofus.com/episodes/episode-661-...
Shopify however is a deeply evil company that is literally run by Nazis. Not a metaphor, like, actual Nazis.