RubyGems maintainer quits after Ruby Central takes control of project

A decade-long RubyGems maintainer, Ellen Davis (also known as duckinator), has resigned from Ruby Central following what she described as a "hostile takeover" of the open source project.

RubyGems is the standard package manager for Ruby and is sponsored by Ruby Central, a nonprofit that runs events including RubyConf and the discontinued RailsConf, and sponsors critical tools. These tools include RubyGems and Bundler, the latter being a dependency manager that ensures the gems (Ruby packages) required by an application are installed with the correct versions.

Davis posted [PDF] about a sequence of events beginning on September 9, when the RubyGems GitHub enterprise was renamed to Ruby Central, the company's director of open source, Marty Haught, was added as maintainer of RubyGems, and every other maintainer was removed.

Six days later, the changes were mostly undone, which Haught described as a mistake, but he remained as owner of the GitHub enterprise. Then on September 18, Haught removed all admins on the RubyGems and Bundler teams from the GitHub organization, and revoked access to the bundler and rubygems-update packages.

Davis said that "the forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action," and resigned from her position at Ruby Central.

Late last week, an official Ruby Central post said the company was making changes to secure the Ruby supply chain. Specifically, "in consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems. Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service."

In addition, the post states that administrative access to the key GitHub repositories is temporarily held by the company while it finalizes "new policies that limit commit and organization access rights."

Plans include shifting toward formal arrangements that nevertheless reflect the collaborative nature of open source, the post adds.

Mike McQuaid, project leader for the macOS package manager Homebrew (which is written in Ruby), offered to mediate between Ruby Central and the RubyGems maintainers but without success. He posted on Bluesky that "Ruby Central have managed this exceptionally poorly … including removing literally the most active member of the RubyGems organization by mistake who has declined to return."

He said that Ruby Central's citing of supply chain issues was "unnecessary FUD."

Among the frustrations of RubyGems maintainers is that they had initiated a proposal for RubyGems organizational governance. Maintainer Martin Emde posted a draft RFC and, following some suggested amendments, posted that "I would immediately accept many of these if I still had commit rights on this repo."

Shopify is a major user of Ruby on Rails (the dominant Ruby application framework) and a sponsor of Ruby Central. Jacques Chester, formerly a senior developer at Shopify, posted: "I was the person who first proposed that we needed to stump up $$$ for RubyGems (and only by implication Ruby Central). This is not what I had in mind and now I'm embarrassed that I helped make it possible." He no longer works for Shopify and added that this was a personal view.

Rails creator David Heinemeier Hansson (who is also on the Shopify board) posted on X: "Ruby Central is making the moves to ensure the Ruby supply chain is beyond reproach both technically and organizationally." Rather than seizing control from the maintainers, he said: "Ruby Central is the maintainer. They've been paying people to do the maintenance and development work."

These remarks are unlikely to calm the Ruby community, since Hansson himself is a divisive figure. Hansson recently complained that London was "no longer full of native Brits" and expressed his support for right-wing activist Tommy Robinson, which has prompted others to state that "Rails needs new governance."

Another Ruby on Rails developer, Tekin Süleyman, said that "the Ruby community has a DHH problem" and "as a non-white British citizen born and raised in London, I can't explain just how painful it is to hear this sort of toxic rhetoric being promoted by one of the most prominent and visible leaders of the Ruby community."

McQuaid, who is well informed about the RubyGems dispute, acknowledged that it is "unclear in this whole process" where the money is going, and how and why responsibilities are changing. Whatever the reasoning, he said, "this is a bad day and a bad look for the entire Ruby ecosystem." ®
