Gem.Coop – Community-Run Alternative to Rubygems.org, Led by Former Maintainers

The team of former RubyGems maintainers has launched The Gem Cooperative (gem.coop), a new community-run mirror of RubyGems.org built by the developers who previously maintained the Ruby ecosystem’s core package infrastructure. The launch follows ongoing tensions with Ruby Central, which recently consolidated access to the rubygems and rubygems.org repositories and asserted exclusive stewardship over the RubyGems service.

André Arko, longtime Bundler maintainer and one of the organizers behind the new effort, told Socket, “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”

In addition to Arko, the launch team includes longtime Ruby infrastructure maintainers Martin Emde, David Rodríguez, Ellen Dash, Samuel Giddins, and Josef Šimánek.

It’s also worth noting that some maintainers involved in The Gem Cooperative are also contributors to Spinel.coop’s rv project, which aims to unify Ruby version and dependency management and isolated tool execution into a single fast Rust-based tool inspired by Python’s uv. These contributors are long-time, highly active maintainers with deep Ruby tooling expertise.

Arko described The Gem Cooperative as an open, community-driven project modeled on Homebrew’s governance structure, developed with guidance from Homebrew project lead Mike McQuaid.

“It’s created by the team that has been running rubygems.org successfully for the last decade,” he said. “It’s an open community project, inviting anyone who uses Ruby to participate, and we're implementing clear governance policies based on Homebrew.”

All gems published to RubyGems.org are available via the Gem Cooperative. For now, gem.coop functions as a live mirror of RubyGems.org. “It exists today and you can start using it immediately, without disrupting your work, while we build support for more features,” Arko said. The cooperative expects to secure infrastructure sponsorship soon, though none has yet been finalized.

Mirroring RubyGems.org is technically straightforward, since RubyGems itself includes a built-in gem mirror command to facilitate local or partial mirrors.

According to project maintainer Martin Emde, gem.coop is already live and fully operational, with edge caching in place to ensure fast, reliable access. All gems published to RubyGems.org are made available on gem.coop in real time.

While developers can’t yet publish gems directly to gem.coop, Emde says supporting this functionality is a top priority. Enabling two independent public gem servers presents some technical complexity, but the team is actively working toward a solution.

Governance Tensions Continue as Ruby Central Formalizes Stewardship#

The launch of The Gem Cooperative follows weeks of governance turmoil. On September 30, Ruby Central Executive Director Shan Cureton published a post titled “Our Stewardship: Where We Are, What’s Changing and How We’ll Engage,” explaining that the organization had implemented a “temporary, procedural change” to privileged access across core repositories and production systems. The move, Ruby Central said, was intended to align “privileged access and operational decisions under a single, accountable stewardship model” and to enforce least-privilege access, multi-factor authentication, and audit logging.

Ruby Central acknowledged that its communication “created the impression of sponsor-driven action,” apologized for the confusion, and promised to publish weekly Friday updates. In its October 3 update, the organization said RubyGems.org service remains stable and that operator agreements are on track, with a governance framework now in draft. A new Corporate Stewardship Program has also been launched to invite in-kind engineering and security support from companies.

Despite those assurances, maintainers say they remain excluded from the new agreements. “Ruby Central is excluding me from the plan to create operator agreements,” Arko said. “They have not regranted permission to any maintainer who was removed in their takeover.”

Arko had previously registered the Bundler trademark in response to Ruby Central’s claims of ownership, saying the project “belongs to the Ruby community” and pledging to transfer the mark to “a Ruby organization that is accountable to the maintainers, and accountable to the community” once one exists.

Arko told Socket, “I have requested Ruby Central stop claiming to own or create ‘bundler’, although they are welcome to modify the source code and share it under some other name. Ruby Central has replied only to ask for time to review my request with their legal counsel.”

The emergence of gem.coop was a direct response to Ruby Central's handling of the RubyGems.org transition. Ruby Central’s reforms align with modern supply chain security principles (least privilege, auditability, and formal accountability), but the abrupt permission changes irrevocably fractured community trust and left contributors seeking new structures outside the organization.

For now, Ruby Central continues its weekly updates as it finalizes operator and contributor agreements. Meanwhile, The Gem Cooperative is inviting contributors and sponsors as it evolves from a mirror into a fully community-governed platform.

“We’re very excited about the possibilities these new projects and energy open up for the Ruby community to work together and move forward," Arko said.

Subscribe to our newsletter

Get notified when we publish new security blog posts!