One of the primary justifications given for the takeover was to secure the gems service and offer trustworthy stewardship. Reading this, I don't really get the sense that the new maintainers are really prepared to deliver on either.
That said, I really don't like the hand waving of the HTTP log thing in this post. Yeah sure, company names aren't as sensitive/radioactive as an SSN or an email, but selling usage data isn't exactly a noble endeavor.
I don't think anyone comes out of this looking good. Some are worse than others, sure, but this is just a mess from top to bottom.
In a comment under the submission for Ruby Central's post, I said Arko changing the AWS password was an inexcusable ethical violation.
This context does slightly soften my view, especially the part about multiple 1Password accounts being in play. However there is a big thing still missing to me... Why would Arko not immediately notify RC that he had changed the password due to these concerns?
If it was really a noble good faith action by the assigned on-call, giving a heads up to the remaining stakeholders would be the obligatory next step, no?
According to RC's timeline, the password reset happened on September 19, but Arko did not disclose the issue to RC until September 30. From what I can tell, he has not refuted that timeline or explained the gap.
I think the biggest missing piece in the opposing accounts of this incident is how exactly the production-access removal was communicated. There's a huge gap between how the two posts are framing the clarity of the communications that happened on Sept 18:
> September 18 2025 18:40 UTC: Ruby Central notifies Mr. Arko, via email, of the board’s decision to remove his RubyGems.org production access, and the termination of his on-call services.
> Marty Haught sent an email to the team within minutes, at 12:47pm PDT [19:47 UTC?], saying he was (direct quote) “terribly sorry” and “I messed up”. [...] the complete silence from Shan and the board, made it impossible to tell exactly who had been authorized to take what actions. As this situation occurred, I was the primary on-call.
André also mentioned that he disclosed further remaining production access a few days ago, on Oct 5. Looking forward to Ruby Central's followup post-incident review for this subsequent incident, which they failed to address or mention at all in their initial publication.
While I can't imagine how sad, stressful and confusing this all is for the people directly involved, it's also been hard to watch from the outside. For the past few years (decade, really) the community has been Ruby's biggest asset and seeing it torn apart like this is tragic.
Reading the tea leaves, I think this incident may have more to do with politics than it being a real incident per se.
For the past 10 years the Ruby community had been co-opted by political activists. Things like COC's and the Contributor Covenant etc. started in the Ruby community. The activists went after many top contributors in the community because of personal political beliefs etc, instead of behavior in the community itself. Some even called for ejecting DHH, the creator of rails, and Matz, the creator of the language, from the community.
When the Overton window finally stopped shifting to the left and started to move right, a lot of people who had remained quiet due to real threats of loss of business, work etc. finally started to speak up. DHH was one of them and has been very outspoken with his beliefs that open source software should be a-political and open to all instead of the political purity tests the activists were pushing.
From what I observed, when I was in involved in the Ruby community, Arko appeared to be a political activist. While there may have been an actual security concern here, my guess is that this had more to do with a desire to not have someone who may have been involved in trying to eject the top creators in the community being a point of failure for key infrastructure for the Ruby ecosystem.
> I took action as the primary on-call engineer to lock down the AWS account and prevent any actions by possible attackers.
So he suspected an attack, but did not contact his employer about it or other team members. No action taken to mitigate the attack or to identify what was going on. Just changed the AWS root account password and nothing else.
Even assuming the very best intentions, I don’t think it unreasonable that Ruby Central found that a little bit suspicious.
Andre Arko seems to be trying to reframe this by concern trolling and appealing to people's sense of community.
Here's the thing: when a corporation terminates you, no matter the situation, you delete all your credentials, apps, everything, wash your hands of everything and never attempt access again. It's nice to say that the corporation should be better at rotating passwords but legally, you need to simply delete everything and move on.
Hence the letter from RC's lawyer to Arko. And a good chance he'll be prosecuted.
If you consider the timing of this, there were supply chain attacks happened in other ecosystems and changing the root password seems to be the right approach and it feels justified to me.
11 comments
[ 2.4 ms ] story [ 34.3 ms ] threadRubygems.org AWS Root Access Event – September 2025
https://news.ycombinator.com/item?id=45530832
That said, I really don't like the hand waving of the HTTP log thing in this post. Yeah sure, company names aren't as sensitive/radioactive as an SSN or an email, but selling usage data isn't exactly a noble endeavor.
I don't think anyone comes out of this looking good. Some are worse than others, sure, but this is just a mess from top to bottom.
This context does slightly soften my view, especially the part about multiple 1Password accounts being in play. However there is a big thing still missing to me... Why would Arko not immediately notify RC that he had changed the password due to these concerns?
If it was really a noble good faith action by the assigned on-call, giving a heads up to the remaining stakeholders would be the obligatory next step, no?
According to RC's timeline, the password reset happened on September 19, but Arko did not disclose the issue to RC until September 30. From what I can tell, he has not refuted that timeline or explained the gap.
> September 18 2025 18:40 UTC: Ruby Central notifies Mr. Arko, via email, of the board’s decision to remove his RubyGems.org production access, and the termination of his on-call services.
> Marty Haught sent an email to the team within minutes, at 12:47pm PDT [19:47 UTC?], saying he was (direct quote) “terribly sorry” and “I messed up”. [...] the complete silence from Shan and the board, made it impossible to tell exactly who had been authorized to take what actions. As this situation occurred, I was the primary on-call.
André also mentioned that he disclosed further remaining production access a few days ago, on Oct 5. Looking forward to Ruby Central's followup post-incident review for this subsequent incident, which they failed to address or mention at all in their initial publication.
For the past 10 years the Ruby community had been co-opted by political activists. Things like COC's and the Contributor Covenant etc. started in the Ruby community. The activists went after many top contributors in the community because of personal political beliefs etc, instead of behavior in the community itself. Some even called for ejecting DHH, the creator of rails, and Matz, the creator of the language, from the community.
When the Overton window finally stopped shifting to the left and started to move right, a lot of people who had remained quiet due to real threats of loss of business, work etc. finally started to speak up. DHH was one of them and has been very outspoken with his beliefs that open source software should be a-political and open to all instead of the political purity tests the activists were pushing.
From what I observed, when I was in involved in the Ruby community, Arko appeared to be a political activist. While there may have been an actual security concern here, my guess is that this had more to do with a desire to not have someone who may have been involved in trying to eject the top creators in the community being a point of failure for key infrastructure for the Ruby ecosystem.
So he suspected an attack, but did not contact his employer about it or other team members. No action taken to mitigate the attack or to identify what was going on. Just changed the AWS root account password and nothing else.
Even assuming the very best intentions, I don’t think it unreasonable that Ruby Central found that a little bit suspicious.
Here's the thing: when a corporation terminates you, no matter the situation, you delete all your credentials, apps, everything, wash your hands of everything and never attempt access again. It's nice to say that the corporation should be better at rotating passwords but legally, you need to simply delete everything and move on.
Hence the letter from RC's lawyer to Arko. And a good chance he'll be prosecuted.