Ruby's creator Matz assumes control of RubyGems and Bundler repositories while former maintainers agree to step back and transfer all rights to end the dispute.

The Ruby ecosystem is entering a new phase of governance for its core package tools. More than six weeks after Ruby Central abruptly removed maintainers from the RubyGems and Bundler projects, a path toward resolution has emerged with Ruby's creator Yukihiro "Matz" Matsumoto stepping in to assume control of the repositories.
On October 17, Matz announced that the Ruby core team would take stewardship of RubyGems and Bundler from Ruby Central, bringing the essential package management tools under the same organizational umbrella as the Ruby language itself.
"To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central," Matz wrote in an announcement on the ruby-lang.org blog. "We will continue their development in close collaboration with Ruby Central and the broader community."
The announcement emphasized that both projects will remain open source under their current licenses, with no changes to licensing terms or contributor rights.
The decision formalizes what had been years of informal collaboration, bringing the repositories under the Ruby organization while development continues jointly with Ruby Central and community contributors.
Former Maintainers Agree to Transfer Control
Nine days later, on October 26, the removed maintainers announced they would step back entirely from both projects to support the transition. In a blog post, André Arko and five other former maintainers said they're prepared to transfer all their interests in RubyGems and Bundler to Matz.
"While we know that Ruby Central had no right to act the way they did, it is nevertheless clear to us that the Ruby community will be better off if the codebase, maintenance, and legal rights to RubyGems and Bundler are all together in the same place," Arko wrote. "To bring this about, we are prepared to transfer our interests in RubyGems and Bundler to Matz, end the dispute over the GitHub enterprise account, 2 GitHub organizations, and 70 repositories, and hand over all rights in the Bundler logo and Bundler name, including the trademark applications in the US, EU, and Japan."
The former maintainers said they will step back completely once they enter into a legal agreement to settle claims with Ruby Central and transfer all rights to Matz. They plan to focus their energy on other Ruby ecosystem projects including rv, Ruby Butler, jim, and gem.coop.
Ruby Central did not communicate with any of the removed maintainers before transferring control of the repositories to the Ruby core team, according to the former maintainers.
Ruby Central's Q&A Draws Criticism
On October 24, Ruby Central published a lengthy Q&A addressing weeks of community questions about the September access changes. However, the response drew sharp criticism from community members who felt it failed to directly answer key questions.
Ruby Central clarified that the access changes were driven by an internal timeline for reviewing system access following personnel departures, not by any sponsor-imposed deadline. "The Board acted independently in their decision based on the internal timeline that was set; there was no sponsor-imposed funding deadline," the organization stated.
The Q&A also addressed concerns about corporate influence, emphasizing that no sponsorship agreements grant operational control or impose conditions on governance.
But many in the community saw the response as evasive corporate language that avoided accountability. On Reddit, one commenter described it as "corporate fluff" that uses "a lot of words to say nothing." On Hacker News, a community member wrote, "They present lists questions and then proceed to answer none of them."

One community member who had submitted questions publicly noted that Ruby Central had "reframe[d] questions into a more sanitized form" and "lump[ed] several specific questions together into generic buckets which then could be responded to with generic answers, diluting things to give the appearance of responsiveness."
Ruby Central acknowledged that communication lagged behind internal actions, "which understandably caused concern." Looking forward, the organization said it is separating technical and non-technical governance to create clearer accountability. Ruby Central is finalizing operator and contributor agreements that will define responsibilities and access to infrastructure and repositories, with a current list of maintainers to be published once agreements are complete.
The transfer to Ruby core drew generally positive reactions from the community, with many expressing relief that Matz was stepping in. However, concerns remain about Ruby Central's continued role in operating rubygems.org, and some still contend that the projects were stolen.
Ruby Central will continue to manage the RubyGems.org infrastructure and service, even as the Ruby core team takes ownership of the client code repositories. This separation of responsibilities, with Ruby Central running the web service while Ruby core maintains the open source tools, represents what some see as the most practical compromise given the circumstances.
Mike McQuaid, a longtime Homebrew maintainer who helped mediate discussions between various parties, described the outcome as "the best outcome that was actually attainable," noting that some proposals sounded nicer but were unacceptable to one or more sides.
One of the original RubyGems authors, Rich Kilmer, expressed support for the move, noting that Ruby Central has been the steward of RubyGems since its inception and that placing it with Matz and the Ruby core team "is the right place."
Some community members noted that having multiple package sources like gem.coop could ultimately be beneficial for the ecosystem's resilience and robustness, even as the immediate focus remains on resolving the current governance issues. McQuaid commented that if competition for rubygems.org emerges from projects like gem.coop, "that feels like a good thing for the community overall."

Questions About Corporate Influence Linger After Maintainers Were Removed Without Warning in September
The crisis began on September 9, when Ruby Central removed maintainers from the RubyGems and Bundler projects without warning. The changes were made against established project policies and without communication with the maintainers' team.
The situation unfolded amid broader tensions in the Ruby community. Shopify, a major Ruby Central sponsor with Ruby on Rails creator DHH on its board, has been a significant financial supporter through the Ruby Shield program, which committed $1 million USD over four years for supply chain security. While Ruby Central emphasized in their Q&A that "sponsors do not direct or approve decisions related to operations, governance, programming or personnel," some community members have questioned the timing and nature of Ruby Central's actions.
Ruby Central initially characterized the changes as "temporary," but more than six weeks later, none of the removed maintainers had been contacted about restoring permissions or offered the operator or contributor agreements that Ruby Central had promised.
The dispute raised fundamental questions about governance of critical open source infrastructure, the rights of long-term maintainers versus organizational control, and concerns about corporate influence over community projects.
With Matz now assuming stewardship and the former maintainers agreeing to transfer their interests, the Ruby community appears to be moving past the governance crisis toward a more stable structure for maintaining the ecosystem's essential package management tools. However, trust in Ruby Central as a steward organization remains damaged, with community members expressing continued skepticism about the organization's transparency and communication practices.
  

