I still find it rather baffling that they just removed David Rodríguez outright without trying to work this out in advance. He did most of the work in recent times. Seems like max damage approach.
"Unlike open-source projects that are simply distributed “as-is” with no warranties, but similar to other infrastructure projects, these codebases underpin a service operated by Ruby Central, and its canonical clients, relied on by millions of developers every day to securely download and publish gems. "
Are they offering warranties?
What new privacy laws demand them signing some handcrafted legal document?
Is what they did legal?
Couldn't they fork to provide a secure version.
That one guy maintaining so many rubygems is the same guy who is offering a competing software solution that could reduce their profit stream is that the real reason?
I love how this isn’t even posted to their socials, cause they don’t want the dragging to link their official accounts. Like the last BlueSky post is still cancelling (“postponing” is only the right verb if you end up actually doing it) the Q&A 7 days ago…
Seems to boil down to "we don't trust Andre[0] and btw Shopify totally didn't make us do this[1]".
I still don't understand the mistrust of Andre though. Also, the second point seems a bit disingenuous when their own board member speaks about a specific deadline[2]. He says it's something they agreed to, so it's necessarily external. That and the teams of reports of other people saying they've heard it's Shopify putting pressure for this specific point makes me look for a higher standard of rebuttal than "dude trust me". Explain why it was urgent. Explain what the deadline was.
[0] A recent access review had revealed that many systems were under the control of a single individual, which we determined presented a risk to the security and operational sustainability of those systems.
[1] The Board acted independently, and financial support was NOT conditioned on taking these steps.
Damn, if I ever needed a reason to stay away from that whole ecosystem this is it.
Sounds like it’s either some enterprise, or a bunch of volunteers that see an opportunity to be little tyrants.
Love how they simultaneously decided that this had been going on for years, that nothing bad had happened, and that they had to act now without any prior consultation.
Look I'm just a web developer, but in my experience when the security team notices that there's a single point of failure for a lot of key projects they don't swoop in and make an insane mess.
This is a really poorly written update. Yes, we get that there is a need for security of the infrastructure services. That’s a given. But it’s overexplained here, while the actual mechanisms of what they are doing are never justified.
But worse, there’s just some random things thrown in that make no sense. Like “the README says rubygems code is managed by RubyCentral”. “Managed” does not mean owned. And how it should be managed ought to be up to the community, not board members acting in secret.
And this shows just remarkably poor editing: “some maintainers had long periods of inactivity (Least Privileged Access), changed the timeline.” Is that parenthetical a reminder to the original drafter to expand on that topic? Because it makes no sense in context.
Then there’s this line: “We could have communicated earlier and in more detail. And we won’t stop apologizing for the confusion that caused.”
That’s the closest they ever get to admitting they did anything wrong, and although they say “we won’t stop apologizing”, I’ll note that they never do apologize.
But, absolutely everything they’ve done since this started has been wrong, and ultra defensive. Just own up to your mistakes and start from scratch.
I find this post pretty unsatisfying: it sticks very closely to factual claims that aren’t particularly controversial (see: access control) while avoiding the elephant in the room, which is that the Ruby community sees any legitimate security concerns as pretextual for a sponsor-backed takeover.
I think it’s pretty hard to avoid acknowledging this, which gives the distinct impression that the post (and by extension Ruby Central’s current leadership) are not particularly committed to transparency on the issue. I’d love to be wrong about that.
My god this is badly written and confusing. At least an actual person signed it this time?
I'm not sure if this was LLM-written because I don't think an LLM would write a missive almost entirely in bullet points - but it has many of the hallmarks. Like, these sentences almost sound reasonable, but don't actually make sense or represent a coherent train of thought:
A recent access review had revealed that many systems were under the control of a single individual, which we determined presented a risk to the security and operational sustainability of those systems. We had intended to resolve this over time. However, the departure of key maintainers and contribution data showing that some maintainers had long periods of inactivity (Least Privileged Access), changed the timeline.
> In practice, we focused first on contacting the team members directly affected and left our broader communication for business hours.
Is this contradictory to what others involved have said? It also implies the first set of actions were taken outside of business hours which seems odd.
One possible trigger for this fiasco is that André Arko and the Spinel Coop are working on rv, a Rust-based replacement four the Rubygems client. If it is as successful as uv has been for Python, it could disintermediate rubygems.
Joel Draper says as much (see the penultimate section of https://joel.drapper.me/p/rubygems-takeover/) although that would be more of a motivation for RubyCentral than for Shopify.
17 comments
[ 3.5 ms ] story [ 30.3 ms ] threadAre they offering warranties?
What new privacy laws demand them signing some handcrafted legal document?
Is what they did legal?
Couldn't they fork to provide a secure version.
That one guy maintaining so many rubygems is the same guy who is offering a competing software solution that could reduce their profit stream is that the real reason?
This is poor, even by corporatese standards.
I still don't understand the mistrust of Andre though. Also, the second point seems a bit disingenuous when their own board member speaks about a specific deadline[2]. He says it's something they agreed to, so it's necessarily external. That and the teams of reports of other people saying they've heard it's Shopify putting pressure for this specific point makes me look for a higher standard of rebuttal than "dude trust me". Explain why it was urgent. Explain what the deadline was.
[0] A recent access review had revealed that many systems were under the control of a single individual, which we determined presented a risk to the security and operational sustainability of those systems.
[1] The Board acted independently, and financial support was NOT conditioned on taking these steps.
[2] https://apiguy.substack.com/p/a-board-members-perspective-of...
Sounds like it’s either some enterprise, or a bunch of volunteers that see an opportunity to be little tyrants.
Love how they simultaneously decided that this had been going on for years, that nothing bad had happened, and that they had to act now without any prior consultation.
But worse, there’s just some random things thrown in that make no sense. Like “the README says rubygems code is managed by RubyCentral”. “Managed” does not mean owned. And how it should be managed ought to be up to the community, not board members acting in secret.
And this shows just remarkably poor editing: “some maintainers had long periods of inactivity (Least Privileged Access), changed the timeline.” Is that parenthetical a reminder to the original drafter to expand on that topic? Because it makes no sense in context.
Then there’s this line: “We could have communicated earlier and in more detail. And we won’t stop apologizing for the confusion that caused.”
That’s the closest they ever get to admitting they did anything wrong, and although they say “we won’t stop apologizing”, I’ll note that they never do apologize.
But, absolutely everything they’ve done since this started has been wrong, and ultra defensive. Just own up to your mistakes and start from scratch.
I think it’s pretty hard to avoid acknowledging this, which gives the distinct impression that the post (and by extension Ruby Central’s current leadership) are not particularly committed to transparency on the issue. I’d love to be wrong about that.
I'm not sure if this was LLM-written because I don't think an LLM would write a missive almost entirely in bullet points - but it has many of the hallmarks. Like, these sentences almost sound reasonable, but don't actually make sense or represent a coherent train of thought:
Is this contradictory to what others involved have said? It also implies the first set of actions were taken outside of business hours which seems odd.
Joel Draper says as much (see the penultimate section of https://joel.drapper.me/p/rubygems-takeover/) although that would be more of a motivation for RubyCentral than for Shopify.
They should stop whatever it is they're doing, and work with the other Community members to resolve _the actual problem_ constructively.
Otherwise they'll probably just cause an alternative to Ruby Central to emerge and/or be adopted widely.