RubyGems Threatens to Split

Ruby Central, a non-profit organisation of the Ruby community, seized control of the GitHub repositories and some important gems of the RubyGems and Bundler package ecosystems without warning in mid-September. Long-time maintainers speak of a "hostile takeover" and some have resigned in protest.

Ruby Central justifies its actions with the need to strengthen supply chain security in the Ruby ecosystem. Behind the scenes, however, funding issues and the influence of Shopify (a major Ruby sponsor) play a major role. The incident raises fundamental questions about the governance of open source projects: Who owns community code, and how much influence are funders allowed to have over open source infrastructure?

Ruby Central, RubyGems and Bundler – Who is who?

RubyGems (abbreviated to Gems) is the official package system for the Ruby programming language. Gems are published and installed via the central directory RubyGems.org. Bundler, in turn, is a dependency management tool integrated into Ruby that ensures that all required gems are available in the correct versions in a project. RubyGems.org has always been run by Ruby Central, a non-profit organization that hosts the annual Ruby conferences (e.g. RubyConf and RailsConf) and takes care of important community infrastructure.

In the past, Ruby Central also funded developers working on RubyGems and Bundler, but did not formally have ownership of their source code. Rather, RubyGems and Bundler were maintained and further developed as open source projects by community maintainers over the years.

David Heinemeier Hansson (DHH) is a prominent figure in this context: as the creator of the web framework Ruby on Rails and co-founder of the company Basecamp, he enjoys cult status on the one hand, but on the other he is increasingly causing controversy with his controversial political statements. In the Ruby community, there has recently been outrage over blog posts by Hansson in which he complained, for example, that London is "no longer full of native Brits" and showed sympathy for right-wing activist Tommy Robinson. Community members described such statements as "toxic" and called for a new leadership structure for Rails or a fork. Hansson's polarizing demeanor has led to his participation in community events – like the last RailsConf in Philadelphia – is controversially discussed.

Shopify, a Canadian e-commerce giant, is one of the biggest users of Ruby on Rails. The company employs numerous Rails developers and invests heavily in the Ruby ecosystem. Shopify CEO Tobias Lütke is also a supporter of DHH (Hansson even sits on Shopify's board of directors). In recent years, Shopify has been one of the main sponsors of Ruby Central and therefore has considerable influence – both financially and in terms of personnel (some Ruby Central board members are Shopify employees).

Funding crisis: DHH controversy leads to loss of sponsors

The roots of the current crisis lie partly in a funding shortfall. Ruby Central lost an important sponsor (USD 250,000 per year) in Sidekiq (a background job framework widely used in the Ruby world) at the beginning of 2025 after DHH was invited to speak at RailsConf 2025 (incidentally, it was the final RailsConf). Mike Perham from Sidekiq was annoyed that Ruby Central gave Hansson a stage despite his controversial views. This cancellation tore a big hole in the budget – Ruby Central was therefore practically financially dependent on Shopify.

Shopify, in turn, is said to have used the opportunity to impose conditions. According to individual, but unsubstantiated, reports from the community, Shopify formulated an ultimatum: Ruby Central was to gain complete control of RubyGems by a certain deadline – both via the code repositories on GitHub and via essential gems (namely the rubygems and bundler projects as well as the bundler and rubygems-update gems) – otherwise Shopify would discontinue its support. This demand was justified about supply chain security, but at the same time was clearly linked to continued financial support – a "clearly outlined ultimatum deal".

It is important to realise that such a demand from Shopify could be well-intentioned. There are not many companies that are as dependent on a functioning Ruby ecosystem as Shopify. But well-intentioned is not always well done.

Ruby Central came under massive pressure as a result. Internally, it was apparently clear that if Shopify's demands were ignored, the existence of the organisation would be at stake. Freedom Dumlao, a member of the Ruby Central board, later put it in a nutshell: if he had voted against the takeover, he would have effectively "started the process of shutting down Ruby Central". The majority of the board therefore decided – despite all reservations – in favour of following Shopify's conditions so as not to jeopardise the financial future and operation of RubyGems.org.

Takeover process: from zero communication to a complete reset

In the second week of September 2025, Ruby Central officials abruptly put the plan into action. Without prior notice or consultation with the previous maintainer teams, they made drastic changes within just a few days:

• 9 September 2025: a RubyGems maintainer (Hiroshi SHIBATA, GitHub alias HSBT) arbitrarily renamed the GitHub organisation "RubyGems" to "Ruby Central", added Ruby Central director Marty Haught as the new owner and revoked the admin rights of all other maintainers. When perplexed community members lodged a protest, HSBT initially refused to reverse these changes – He claimed that he needed Marty's permission first.
• September 15, 2025: After several days of unrest, Marty Haught told the RubyGems team that the previous permission changes were a "mistake" and "should never have happened". HSBT then restored some old permissions. However, Marty himself remained registered as the owner of the GitHub orga – although the maintainer team had never granted it this right. The community maintainers took advantage of the breathing space and immediately began drafting a formal governance guideline for RubyGems to avoid future disputes over competences. (This was modelled on the package manager Homebrew, which had already established such structures.)
• 18 September 2025: Without further explanation, Marty Haught took the step of removing all remaining admin members of the GitHub organisation in the RubyGems, Bundler and RubyGems.org teams. Virtually overnight, all long-time maintainers lost access to their projects. On the same day, Ruby Central also deactivated the authorisations of these people on the RubyGems hosting platform itself – Specifically, the bundler and rubygems-update gems on RubyGems.org were placed under the control of Ruby Central. With this move, the previous maintainers were completely disempowered and the RubyGems ecosystem was now in the hands of Ruby Central (or their staff).

Ellen Dash, a RubyGems maintainer for over ten years, commented bluntly: "This was a hostile takeover". The "forcible removal of those who had nurtured RubyGems and Bundler for over a decade" could not be described in any other way. Dash resigned from her role at Ruby Central shortly afterward. She had made the events, beginning on September 9th, public in a detailed PDF report titled "Ruby Central's Attack on RubyGems".

Other maintainers and community members also reacted with shock. The sudden takeover had happened without any warning or community consultation. Several of those removed emphasized that Ruby Central had taken over projects that did not even belong to the organization –. The code of RubyGems, Bundler and the RubyGems.org web application is the common property of the community, not the property of Ruby Central.

Even people close to Ruby Central admitted that Marty Haught and the board knew that they had no right to these repositories. In a meeting on 17 September, Marty is even said to have suggested a fork of the codebases in question as an alternative and warned of the foreseeable consequences of a forced takeover. Nevertheless, the decision was made in favour of a crackdown.