Ruby Central says it acted to protect RubyGems.org after a breakdown in a working relationship with an individual who had significant access to code and infrastructure. The board reports a completed independent security audit was inconclusive due to missing logs and promises a detailed incident report next week. Ruby Central acknowledges failures in communication and engagement with maintainers, says it did not initiate litigation, and pledges governance, transparency, and broader stewardship reforms to avoid single points of failure. The statement commits to expanding community participation and publishing concrete steps to strengthen RubyGems’ stability and security for millions of developers.
RubyGems/Bundler currently lacks a "cooldown" feature — a configurable waiting period before new package versions are eligible for installation — that many package managers recently adopted to reduce supply-chain attacks. Hiroshi Shibata (hsbt), a RubyGems/Bundler maintainer, argues for adding cooldown as an opt-in option, noting Dependabot, Renovate, pnpm, npm, Bun, Deno, pip and others each implemented similar protections with varied config names. He highlights trade-offs: cooldowns can block rapid exploitation (many past attacks had short windows) but risk becoming ineffective if universally adopted, can delay urgent security fixes, and may give a false sense of safety. Shibata concludes cooldowns are worthwhile as opt-in but insufficient by themselves for supply-chain security.
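The cooldown described above, as an added example that is not RubyGems' or Bundler's own code (neither ships this feature) and not part of the original post: given version metadata with publication timestamps, hold back anything younger than the configured waiting period, while letting a team explicitly exempt a release it has vetted (for instance an urgent security fix, the trade-off the post raises). The sample versions, the `cooldown_days` and `exempt` option names, and the hash layout are constructed for this illustration.

```ruby
require "time"
require "rubygems"

# Constructed sample of a gem's release history: version string plus the
# UTC time it was published. Loosely modeled on what a gem index exposes;
# not real data for any real gem.
SAMPLE_VERSIONS = [
  { version: "1.4.0", created_at: "2024-05-01T10:00:00Z" },
  { version: "1.4.1", created_at: "2024-05-20T09:30:00Z" },
  { version: "1.5.0", created_at: "2024-06-02T08:00:00Z" }, # only days old
].freeze

# Returns the version strings that have been public for at least
# `cooldown_days` as of `now`. `exempt` lists versions that bypass the
# cooldown (e.g. a fix the team verified by hand). `cooldown_days` and
# `exempt` are hypothetical option names for this example, not real
# RubyGems/Bundler settings.
def eligible_versions(versions, cooldown_days:, now: Time.now.utc, exempt: [])
  cutoff = now - cooldown_days * 24 * 60 * 60
  versions.select do |v|
    published = Time.iso8601(v[:created_at])
    exempt.include?(v[:version]) || published <= cutoff
  end.map { |v| v[:version] }
end

# Picks the newest eligible version using Gem::Version ordering, so that
# "1.10.0" ranks above "1.9.0" (plain string comparison would invert it).
def newest_eligible(versions, **opts)
  eligible_versions(versions, **opts).max_by { |s| Gem::Version.new(s) }
end

# Reports, for each held-back version, how many whole days remain before
# the cooldown would admit it; useful for a dry-run or audit log.
def held_back(versions, cooldown_days:, now: Time.now.utc)
  admitted = eligible_versions(versions, cooldown_days: cooldown_days, now: now)
  versions.reject { |v| admitted.include?(v[:version]) }.map do |v|
    age_days = (now - Time.iso8601(v[:created_at])) / 86_400.0
    { version: v[:version], days_remaining: (cooldown_days - age_days).ceil }
  end
end

if $PROGRAM_NAME == __FILE__
  now = Time.utc(2024, 6, 4, 12, 0, 0) # fixed "now" so the run is reproducible
  puts "eligible:  #{eligible_versions(SAMPLE_VERSIONS, cooldown_days: 7, now: now).inspect}"
  puts "install:   #{newest_eligible(SAMPLE_VERSIONS, cooldown_days: 7, now: now)}"
  puts "held back: #{held_back(SAMPLE_VERSIONS, cooldown_days: 7, now: now).inspect}"
end
```

With a seven-day cooldown the newest release is withheld even though it is the highest version, and a zero-day cooldown degrades to ordinary "latest wins" resolution, which is why the post treats the feature as opt-in rather than a default.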
Former long-term maintainers of RubyGems and Bundler accuse Ruby Central of reversing decades of community governance by unilaterally claiming ownership of the projects, seizing GitHub repositories, excluding volunteer maintainers, and threatening legal action. Ruby Central privately admitted the takeover was a mistake but has not publicly corrected course; instead it reportedly struck a deal with Matz for ruby-core to assume the repos and released new governance documents that still centralize control. Maintainers say Ruby Central removed teams without explanation, ignored offers to restore collaborative governance, and undermined the community-driven model that sustained Ruby tooling for 22 years. The dispute matters because it affects stability, trust, and stewardship of core Ruby infrastructure used widely across the ecosystem.
Former RubyGems and Bundler maintainers accuse Ruby Central of unilaterally seizing control of those projects’ GitHub organizations, sidelining long-time contributors, and refusing transparent governance. The post says Ruby Central privately admitted the move was wrong but publicly doubled down, negotiated a transfer of repos to ruby-core with Matz, threatened legal action, and declined a proposed reconciliation offered by the maintainers four months ago. Ruby Central’s executive director is quoted defending the takeover, while new governance documents are criticized as insufficient and duplicative. The dispute matters because it affects governance, contributor trust, and stability for core Ruby package infrastructure used widely across the ecosystem.