Ruby Central recently took over a collection of open source projects from their maintainers without their consent. News of the takeover was first broken by Ellen on 19 September.
I have spoken to about a dozen people directly involved in the events, and seen a recording of a key meeting between RubyGems maintainers and Ruby Central, to uncover what went on.
Here’s a quick summary of what I know:
- Ruby Central was struggling for money.
- Sidekiq withdrew its $250,000/year sponsorship for Ruby Central because they platformed DHH at RailsConf 2025.
- Shopify demanded that Ruby Central take full control of the RubyGems GitHub repositories and the bundler and rubygems-update gems, threatening to withdraw funding if Ruby Central did not comply.
- HSBT jumped the gun and implemented the takeover plan, adding Marty Haught as an owner and reducing maintainers’ permissions before Marty had discussed this with the maintainers.
- Marty met with the maintainers after their access was temporarily restored.
- Marty (and by extension, Ruby Central) understood that Ruby Central did not have the right to take over these GitHub repositories or gems from their long established community maintainers.
- Marty presented alternatives such as making a fork of the relevant RubyGems projects and warned Ruby Central of the consequences of doing the takeover.
- The board voted to execute the takeover anyway and Marty executed it immediately.
- A number of board members subsequently misrepresented the takeover to the Ruby community on social media.
- This was premeditated. Shopify had organised an on-call rotation to take over from the previous maintainers, some of whom at the time were also operating the RubyGems Service.
- Shopify specifically demanded that at least one of the RubyGems maintainers, André Arko, be excluded from returning to the project. André has been working on RubyGems for over a decade and was also one of the founders of Ruby Together, an organization that merged with Ruby Central.
The Takeover
On 9 September, HSBT (Hiroshi Shibata) — a member of Ruby core and maintainer of RubyGems — renamed the RubyGems GitHub enterprise to “Ruby Central”, added a new owner, Marty Haught, and downgraded the permissions of several other maintainers.
According to one of the maintainers, when HSBT was challenged, he refused to revert these changes claiming he needed permission from Marty. On 15 September, Marty said the changes were a mistake and HSBT reverted some of the changes. However, Marty was not removed as an owner, even though the other maintainers never agreed to him being added.
On 17 September, RubyGems maintainers met with Marty on Zoom.
Marty explained he’s been working on “operational planning” for the RubyGems Service. He was putting together a new Operator Agreement that all the operators of the RubyGems Service would need to sign.
He also mentioned that it had been identified as a risk that there were external individuals with ownership permissions over repositories that are necessary for running the RubyGems Service. He said HSBT prematurely changed the ownership permissions before the operational plan was complete.
During the discussion, the maintainers clarified with Marty the distinction between the RubyGems source code and the RubyGems Service.
RubyGems is a collection of community owned, community maintained repositories of code that are held in commons for everyone in the Ruby community to use.
The RubyGems Service is entirely separate from that. It’s a specific deployment: a domain name and servers that happen to be running RubyGems source code. It is operated by Ruby Central.
This distinction is important. Anyone else could run the RubyGems source code on their own servers with their own domains. And Ruby Central could decide to run different source code on its servers — whether that be a fork of the RubyGems source code or otherwise.
The RubyGems maintainers have been developing this software for decades, predating Ruby Central’s operation of the RubyGems Service. Their contributions represent countless hours of unpaid work, establishing a clear history of community ownership and stewardship.
Ruby Central did contribute financially towards RubyGems maintenance, but these contributions did not confer ownership. Ruby Central’s funding of RubyGems development is no different than if they had contributed to the development of Rails, RSpec, or any other open source project. In no case would such funding grant them ownership rights over the project itself.
Similarly, Ruby Central’s employment of some RubyGems maintainers to operate the RubyGems Service does not transfer ownership of the separate open source projects.
Having personally reviewed a recording of this meeting, I have no doubt that Marty understood this distinction. The RubyGems source code and GitHub organisation were not owned by Ruby Central, even though Ruby Central operated a service with the same name.
On 18 September, the team started losing access again. This time they were removed from the GitHub organisation, their rubygems.org email accounts were disabled and they were removed as owners of the bundler and rubygems-update gems. One maintainer, André Arko, was on-call for the RubyGems Service at the time when his access to GitHub and Fastly was revoked.
The Ruby Central board had voted for Ruby Central to take control of the RubyGems GitHub repositories and gems. And since Marty was now an owner, he was able to execute this order.
Ruby Central becomes mostly dependent on Shopify
When Ruby Central decided to platform DHH at the final RailsConf, they lost $250,000 USD of annual sponsorship from Sidekiq, and this I understand left them almost entirely dependent on Shopify.
An anonymous source told me that during Rails World, members of Ruby Central, Ruby Core, Rails Core and representatives from major companies (Shopify, GitHub) discussed possible funding options.
According to this source, Ruby Central was presented with a proposal for long-term support, but this would only happen if certain RubyGems maintainers were removed.
Another source has confirmed to me that a meeting between Rails Foundation and Ruby Central did take place at Rails World, however they were not able to verify the agenda or who was in attendance.
I do know that the Rails World conference was attended by HSBT, DHH, Aaron Patterson, Amanda Perino, Shan Cureton, Marty Haught, Ufuk Kayserilioglu and Rafael França.
I also know that Shopify specifically put immense financial pressure on Ruby Central to take full control of the RubyGems GitHub organisation and Ruby gems.
Freedom Dumlao, a Ruby Central board member, described the board vote saying “if I had voted the other way, I felt I’d be voting to start the process of shutting down Ruby Central”.
A source familiar with the events told me that Shopify’s pressure was both carrot and stick. Essentially, do what we ask and we’ll reward you with more funding, long-term financial stability. Don’t do this and you’ll never see a dollar of enterprise money again.
This to me strongly suggests that other companies were involved, perhaps through the Rails Foundation. But I have not been able to confirm anything beyond Shopify’s involvement.
The Vote
According to a source familiar with the events, the Ruby Central board was made aware by Marty of the risks and damage this takeover would likely do to the community. Apparently he also highlighted other options besides the takeover, such as forking some of the projects.
Despite this, the board voted in favour of carrying out the takeover and Marty executed it immediately with his new owner privileges.
Shopify had given Ruby Central a hard deadline and it seems that Ruby Central only capitulated at the last moment.
I don’t know if the timing was intentional, but this takeover happened on the second day of the EuRuKo conference in Europe, which meant many outspoken European Rubyists were distracted at the time.
Because this takeover meant locking out most of the RubyGems Service operators including André who was on-call at the time, Shopify had contributed engineers to a new on-call rotation ready to spring into action after the takeover.
Shopify developers had been warming up with their first commits in six years coming in at the same time as the takeover.
The Response
About six hours after Ellen broke the news, Ruby Central published their response: Strengthening the Stewardship of RubyGems and Bundler.
A post that feels like AI-generated corporate speak and bears no signature from anyone at Ruby Central willing to take responsibility.
The response says, “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility.”
But while Ruby Central has the right to lock down the RubyGems Service infrastructure, it never owned the RubyGems GitHub repositories.
DHH ignored Ellen’s post but instead retweeted the Ruby Central announcement with the caption “Ruby Central is making the right moves to ensure the Ruby supply chain is beyond reproach both technically and organisationally.”
A position that seems to stand in stark contrast to his other opinions. For example, he criticised Apple’s control of the App Store and takes the ownership of his own open source projects seriously.
Ruby Central board member and Shopify employee Ufuk Kayserilioglu misrepresented what happened, responding to Bluesky threads. For example he said, “Ruby Central has been running the rubygems.org system for years now, so this can hardly be considered a supply chain attack. On the contrary, we have a legal obligation to all the users of the system to keep it safe and secure.”
But no one accused Ruby Central of taking over the RubyGems Service and the takeover of the RubyGems GitHub organization and gems was not required to meet Ruby Central’s legal obligations. Remember, Ruby Central was in full control of what source code it deployed to the RubyGems Service which it operated.
He also said “How is limiting access to critical and shared infra & code a supply chain attack?” once again conflating the RubyGems source code with the RubyGems Service.
On 21 September, Freedom Dumlao published A board member’s perspective of the RubyGems controversy in which he claimed “Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn’t a new development, and I’m honestly very confused about the confusion.”
This is a misrepresentation of the real situation where Ruby Central was responsible for operating the RubyGems Service but did not own the RubyGems source code, repositories or gems.
He goes on to talk about supply chain attacks, which I admit is a convenient cover, but I don’t believe is the genuine reason for the takeover.
He then confirms that a deadline loomed. “Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going. With less than 24 hours to go, we were still working on this. Conversations with some maintainers were still happening as far as I know but the cooperation we were hoping for was not emerging.”
He doesn’t mention Shopify, but based on my other sources, I know it was Shopify that applied this pressure.
“It was clear that we weren’t quite ready yet, but in the end we were out of time. A vote had to be cast so we could ensure we did not lose funding necessary to operate RubyGems. What I voted for, was to direct Marty, Ruby Central’s Director of Open Source, to temporarily remove access and lock down the systems, get operator agreements in place with maintainers, and then re-enable access to those folks who needed and wanted it. Marty did exactly what the board asked of him.”
This again highlights the pressure Shopify put on Ruby Central.
Two sources directly involved told me that access specifically would not be re-enabled for André who had been singled out. Sources have also suggested that Shopify had been pressuring Ruby Central to end their relationship with André and remove him from the RubyGems project for some period of time prior to this taking place.
On 23 September, Ruby Central shared a video address by Shan Cureton (Executive Director, Ruby Central) on behalf of Ruby Central’s board and team.
In it she claims that Bundler and RubyGems came under Ruby Central’s responsibility through the merger with Ruby Together. But Ruby Together never owned Bundler or RubyGems.
She mentioned the departure of a “lead maintainer” [André] and transition of security engineer [Samuel Giddins] as raising questions around access to RubyGems, Bundler and the RubyGems Service.
She says sponsors (plural) and companies who depend on Ruby tooling came to them with supply chain concerns. She explained that they couldn’t reach agreement with existing maintainers in the timelines they were facing.
I have seen the meeting with the maintainers and can tell you the conversation was primarily about ownership, not security. None of the maintainers had a problem with Ruby Central restricting access to the RubyGems Service that it operated.
They had a problem with Ruby Central taking control of the RubyGems open source code repositories and gems, which Ruby Central never owned.
She explains that the board voted to remove administrative and commit privileges until agreements could be put in place. She said it was never meant to be permanent.
She said “this is not a shutdown of community contribution and it’s not permanent”. However, my sources tell me this will be permanent for at least André and likely Samuel.
She said on-call coverage remains in place. We know that André was on-call when his access was revoked, so she must be talking about the new on-call rotation which Shopify contributed to.
She said “all of these changes are being made in good faith.” But we know that these changes were made at Shopify’s request to take control of the RubyGems projects and specifically to exclude André (and likely Samuel too).
She also talked about two new agreements: Operator Agreements cover access to production systems for on-call and maintenance responsibilities. Contributor Agreements cover access to Bundler and RubyGems code repositories, covering both paid and volunteer maintainers.
The Operator Agreements make sense, but it is not Ruby Central’s place to run the RubyGems projects including Bundler and the RubyGems.org source code, which are community owned as explained previously.
She said, “in most open source projects where the code is a library or framework, you usually don’t see formal operator agreements. People contribute under contributor license agreements, codes of conduct or decisions made by a steering committee. But RubyGems.org is different. It’s not just code, it’s a production service. It runs critical infrastructure for the Ruby ecosystem, processes billions of downloads, stores sensitive metadata and is relied on by companies that have compliance requirements. Because it’s a service, Ruby Central carries the legal liability, the financial exposure and the operational risk. This is why Operator Agreements are necessary. They ensure access is tied to responsibility and accountability.”
Here she conflates RubyGems.org (the source code) with the RubyGems Service operated by Ruby Central and running on the domain name rubygems.org.
Claiming that Ruby Central owns the RubyGems.org repository because it operates a service that uses the source code is like claiming you own Rails because you have a Rails app and sponsored someone who contributed a PR to the project.
It’s confusing because of how the projects are named, and Ruby Central are taking advantage of that confusion.
The reality is Ruby Central never owned the RubyGems source code. They could only take it because Marty was added by HSBT without the consent of other maintainers.
RV
An important piece of context is that André and Samuel started a new cooperative with Kasper Timm Hansen and Sam Stephenson called Spinel.
Spinel is developing a new Ruby management tool called rv. It was introduced on 25 August 2025, right before Rails World.
In his blog post, André says, “For the last ten years or so of working on Bundler, I’ve had a wish rattling around: I want a better dependency manager. It doesn’t just manage your gems, it manages your ruby versions, too. It doesn’t just manage your ruby versions, it installs pre-compiled rubies so you don’t have to wait for ruby to compile from source every time. And more than all of that, it makes it completely trivial to run any script or tool written in ruby, even if that script or tool needs a different ruby than your application does.”
Bluesky threads reveal that Rafael França (Shopify / Rails Core) saw this tool as a threat, saying “some of the “admins” even announced publicly many days ago they were launching a competitor tool [rv] and were funding raising for it. I’d not trust the system to such “admin”.”
He also quoted the rv README which says, “Get rid of rvm, rbenv, chruby, asdf, mise, ruby-build, ruby-install, bundler, and rubygems, all at once”, adding the caption “I’m not so sure I trust them to not sabotage rubygems or bundler.”
What I don’t know
- I don’t know how each member voted or exactly how the information was presented to the board. I was hoping that someone would leak it to me, but so far that has not happened.
- I don’t know if other groups or companies were involved, though circumstantial evidence and hearsay seem to point to this.
If you have any information you can provide, please contact me on Signal.
Conclusion
It is not clear that Ruby Central’s plans include returning control of the RubyGems codebases to their original owners.
I am concerned that Ruby Central seems to be vulnerable to coercion by Shopify.
I am concerned that Ruby Central’s board with full knowledge of the consequences and the alternatives voted to take over a collection of open source projects from their maintainers without consent. Especially when these maintainers were acting in good faith at the time. This is the organisation we are meant to trust to host our Ruby gems.
I am concerned that Rails Core seems to consider rv a “threat” rather than an exciting development, and I wonder if the “threat” is more Spinel than rv. It seems likely that Spinel would be less susceptible to enterprise coercion and could offer a genuine alternative to Ruby Central’s RubyGems Service.
Disclosure
I was employed by Shopify between 2017 and 2022.
Disclaimer
I have put this story together to the best of my ability based on hours of conversations with many different people involved. But I am not a professional journalist and I may have missed something. If I have made a mistake, please let me know.
I am willing to talk to anyone involved to make sure the community has a fair and honest understanding of the events that took place.