Removing existing maintainers from the project isn't good - and hopefully it's a temporary oversight as Ruby Central gets things set up in the new org. Either bad communication from Ruby Central - or they really did make a bad mistake here (maybe even with the best intentions, given recent NPM issues).
Edit: It seems like there's a lot more to the story here. Many volunteer RubyGems/Bundler maintainers have left because they disagree with decisions that Ruby Central (the nonprofit organization) has made and it seems like all of this is fallout related to that.
I'll wait for RubyCentral's side on this, but on the face of what's written, these actions do not seem to be transparent or in good faith. Is there something posted from RubyCentral's side?
I wish the Ruby community strength, and a transition over to a community-owned org, one way or another.
(With NPM, WordPress, now this - seems like package repositories are becoming a flashpoint of corporate takeovers..)
Seriously... wtf.
[1]: https://old.reddit.com/r/ruby/comments/1nkzszc/ruby_centrals...
https://rubycentral.org/news/strengthening-the-stewardship-o...
This was not a misunderstanding. It was a hostile takeover of key infrastructure, undermining both the long-standing maintainers and the broader community that relies on RubyGems and Bundler every day.
The Ruby ecosystem thrives on collaboration, openness, and mutual respect. What we've witnessed over the past week violates those principles. Ruby Central's actions - unilateral access revocations, exclusion of experienced volunteers, and refusal to engage in transparent dialogue - are not just organizational missteps. They're a threat to the decentralized and community-driven spirit that has sustained Ruby for decades.
I oppose this power grab.
Even more concerning is the idea that contributor access could become contingent on employment status or ideological alignment. Whether someone is employed by Ruby Central - or holds left-leaning, right-leaning, or apolitical views - should have no bearing on their ability to contribute to open source. Merit, dedication, and community trust must remain the foundation.
If Ruby Central is serious about supporting the Ruby community, they must:
- Immediately restore access to all maintainers removed during this incident.
- Publicly commit to a transparent, community-driven governance model, similar to what the RubyGems team had begun drafting.
- Respect the autonomy of open source maintainers, regardless of whether they are employed by Ruby Central.
- Acknowledge the harm caused by these actions and engage in meaningful dialogue to rebuild trust.
The Ruby community has always been about people - diverse, passionate, and united by a love for a beautiful language. It's time we demand that the institutions claiming to represent us act accordingly.
And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central and ultimately, if all else fails, we must build and maintain our own infrastructure unencumbered by these shenanigans. Also, in order to re-establish trust in the community, the people responsible for causing this ruckus should be fired.
Ruby-Level Sponsors (Top Tier): Alpha Omega, Shopify, Sidekiq
Gold-Level Sponsor: Flagrant
Silver-Level Sponsors: Cedarcode, DNSimple, Fastly, Gusto, Honeybadger, Sentry
I'm just reposting it though. I haven't followed any of this myself.
This is not what I had in mind and now I'm embarrassed that I helped make it possible.
At the least this looks like a very destructive and poorly communicated move.
What almost surprises me the most, is that such a mature ecosystem still doesn't have a formalized governance structure after all this time. How common is this among large and widely-used open source projects?
## Ruby Central’s Attack on RubyGems
Hi! I’m Ellen, but you probably know me as duckinator or puppy.
I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.
I have been part of the Ruby community since I was 13, and one of the RubyGems maintainers for the last decade.
This community has helped me through very hard times, and you mean the world to me.
One of the most important lessons I learned from y’all is this:
> A person’s character is determined not only by their actions,
> but also the actions they stay silent while witnessing.
## This Month Has Been A Fuck Of A Year
This is what unfolded between September 9 2025 and September 19 2025, as I understand it.
On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
renamed the “RubyGems” GitHub enterprise to “Ruby Central”, added non-maintainer Marty Haught of Ruby Central, and removed every other maintainer of the RubyGems project.
He refused to revert these changes, saying he would need permission from Marty to do so.
On September 15th, this maintainer said he restored the previous permissions after talking with Marty. Marty stated the deletion was a “mistake” and “should never have happened”.
The “restoration” kept a notable change: Marty was now an owner of the GitHub enterprise.
The RubyGems team responded by immediately beginning to put in place an overdue official governance policy, inspired by Homebrew’s.
On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.
By doing this, he took control for himself and other full-time employees of Ruby Central.
Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org.
I will not mince words here: This was a hostile takeover.
## My Stance On This
I consider Ruby Central’s behavior a threat to the Ruby community as a whole.
The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.
When called out, these changes were mostly reverted. Then, it was done again.
By crossing that line a second time after being called out for it, Ruby Central has made it extremely clear to me that they are not engaging in good faith.
Ruby Central’s behavior has forced my hand. I refuse to watch this without speaking up.
I am resigning from my position at Ruby Central, effective immediately.
To remove any doubt: Ruby Central unilaterally, with no explanation, revoked all access to RubyGems against both my wishes and the wishes of the entire RubyGems team.
Ellen Dash (@duckinator)
September 19, 2025
Sorry for all the maintainers, that must suck.
- The bolded part doesn’t track with locking out the entire team without notice or explanation.
- “Thanks for the hard work, the adults will take it from here” rarely works out.
After removing them without explanation, cutting them off projects they have maintained over a decade and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated.
Making unplanned unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over, feels risky and not a great way to improve people's trust in their governance.
I would GitHub would be quite well-positioned to set up infrastructure around a fork of RubyGems if things fall apart.
I'm not involved beyond just caring a lot about Ruby.
"Ruby Central has been the RubyGems maintainer and operator since the beginning. They paid people to work on it (including this now disgruntled former contractor).
They're improving their practices and protocols. This is good."
Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone.
Is there any evidence of this? It's not in the PDF.
Also, this comment is clearly AI and more importantly, it affects the quality. Ex: "It's time we demand that the institutions claiming to represent us act accordingly." It seems "the institutions" have been representing them fine until now, why "it's time"? "This was not a misunderstanding. It was a hostile takeover"..."This was a hostile takeover" (or "is", it's still ongoing). "The recent actions taken by Ruby Central - [list]...Ruby Central's actions - [different list]"...the comment tries to explain what Ruby Central has done and what the maintainers demand, but it's vague and disorganized; the linked PDF is better.
But, none of these are a good idea. Any level of centralization leads to disappointment eventually.
As mentioned in a sibling comment, there's a Q&A with him and other members of Ruby Central on Tue. Here's a link to the signup: https://news.ycombinator.com/item?id=45302629
I was banned from the RubyGems project by simply saying "no satisfactory resolution from the development team".
Now woke people are walking away from RubyGems because Ruby Central wants to align with DHH. I say good riddance.
Software should be about technical merit, not ideological agendas.
I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here).
(I'm mostly thinking in terms of supply-chain attacks, like this one: https://blog.rubygems.org/2025/08/25/rubygems-security-respo...)
Has nothing specifically to do with Homebrew.
I'm sure NPM as a company has some form of decision hierarchy and RubyCentral does as well, but it seems like Ruby Gems doesn't (or didn't). I learned the hard way that writing this down is one of the first things you should do in any kind of group formation process.
I get that organically grown tech projects don't have that from the start (and that they might not immediately recognize that they're a group at all), but I'd reckoned that an organization of the size of Ruby Gems, with such an importance, would have taken care of that a while ago and I think it's quite irresponsible that they didn't.
TL;DR: I've been given a lot of private nuance from both sides here but, even just based on how the two sides have treated me personally, it's very hard not to put the blame primarily on RubyCentral. I've been a maintainer on Homebrew for 16 years: it's a hard job. If in doubt: I'll side with maintainers.
As André Arko’s employer at his day job at the time, I was tangential to it, so I don’t know all the details, and my memory is imperfect.
But as I understand it, DHH either organized or was part of a group of prominent rubyists who wrote a letter to the Board of Directors of the trade guild (or some other similar unusual non-profit structure) that André had organized to help get funding to support the open source work he and some others did for Ruby infrastructure like Bundler and/or Rubygems. I don’t know the exact terms of the sanctions they sought, but in the end it resulted in his org’s work getting folded into RubyCentral, iirc.
For some reason it seems they disapproved of how André had found a way to get paid for working on open source. He was managing to pay himself and some other people a good wage for part-time open source work. He was even managing to get a bit more diversity involved in it than a lot of Ruby open source infra work typically has (employing a black trans woman SE as part of this). Whatever their actual motivations they disapproved of André founding his own org and running it as he did.
The irony of their most prominent signatory getting rich off open source, via a different less direct avenue of monetization seemed entirely lost on them.
Anyway, I think it blew up in their face and things got settled out into what the status quo of rubygems maintenance was since then.
Now, I’ve heard rumors that perhaps this is actually related. RubyCentral has had a rough few years and DHH has more than a little pull with at least one of their largest funders.
It’d be incredibly petty to do something like dangling funding in front of RC if they’d finish icing out maintainers that he didn’t see eye to eye with. But it would certainly fit the way the events happened. I don’t know anything directly enough to swear by this and wouldn’t want to implicate anyone even if I did.
But I guess look at the known character of the people involved and draw your own conclusions. Does this seem in character to prior behaviors?
If so, I'm not defending it, and I could understand why someone would feel insulted by that - but also get why an org doesn't want too many with elevated privileges.
If you're arguing that is what ruby central should have done, that's a social engineering attack.
Who?
> Not to mention it's post-facto in that they did all of this before notifying anyone.
Isn't that pretty much the number one rule when restricting accesses? First remove accesses, then communicate?
Well done, well done.
> "Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of openness and collaboration."
what do they mean by openness, it doesn't even say who wrote this
Who is "we"? And what did they witness?
All we got right now is one side of the story.
It is indeed surprising such change wouldn't be immediately followed by a public announcement, but they've been founding and managing RubyGems for a very long time now, so it's not even clear to me how this can be a "takeover".
I'll happily join with my pitchfork if it turns out this is indeed a malevolent move, but until I've read their side of the story, I'd rather wait and see.
Edit: 35 minutes later, here we go: https://rubycentral.org/news/strengthening-the-stewardship-o...
What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
Were those parts (or indeed your entire comment) written with the help of an LLM?
Can someone expand on what this means? Is it a continued relationship between Ruby Central and DHH, or the maintainers and DHH? Why does the other party have a problem with that?
EDIT: It seems the post was clarified since I copy/pasted this, and it's RC and DHH. Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.
But it seems that they have nothing to do with the ruby-lang.org site where the Ruby binaries themselves are distributed. Instead, their own site appears to primarily list them as responsible for organizing an annual conference?
And who owned the RubyGems infrastructure before this takeover? The website (and domain that the client actually calls to get the gems, presumably) seem to have already been part of Ruby Central, so what exactly changed here ownership wise, beyond just kicking the maintainers?
(unrelated -- seeing a mention of DHH here reminded me that I haven't seen anything of the Matt/WP drama in a long time on HN -- time to go Google whatever the resolution of that was)
The Rails Foundation will start its own central gem registry and set of forked tools.
Then, RailsCentral will lose its sponsors and fade into irrelevance.
The project is an objective public-good. It's sad that a former employee is attempting to burn it all down. I guess they thought it was all about them and not the millions of DAU's the platform has served without fail since inception. Contractors will come and go.
What are the OP's contributions even? I don't see a single commit from her handle on the 24 month view (below). Correct me if I'm wrong.
https://github.com/rubygems/rubygems.org/graphs/contributors...
Well, we have all of Ruby Central's actions including their action to not be more public during these actions. Their actions are their story. If their actions don't communicate their intent, that is on them to handle that in a professional way to not be in this situation.
Now I just have to hope the fallout from this includes a less centralized replacement for the tools I'm used to - I haven't found anything solid yet, but I imagine andre will be examining this problem space with rv now.
That's because Ruby Central chooses not to communicate. I'm not going to reserve judgment against intentionally mute hostile actors.
Clearly, that was because this information directly supports readers following through on the call to action: “And if Ruby Central does not do this we must pressure sponsors to stop funding Ruby Central”. That’s obvious.
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
Yes, both the original pdf and the RubyCentral statement explicitly refer to admin status being made contingent on being a full-time employee of RubyCentral. If you just mean no one has explicitly brought up the ideological angle, well, that’s a fairly easy concern to reach with something being contingent on employment at a particular nonprofit, so it would be weird to interrogate like this even if you had clearly focussed on just that point.
The paragraph immediately preceding the list begins with a sentence mentioning the sponsors. How did you not see this?
> What's with the "contingent on employment status or ideological alignment" bit about? That's not been mentioned anywhere else so far.
“not been mentioned anywhere else” is false. If you click on the PDF linked to in this very post it mentions that only full time employees of RubyCentral maintained access to their GitHub account.
I find it ironic that you’re so quick to question whether something is LLM-authored given that you write so much about using LLMs.
Read the post more clearly before accusing someone of LLM usage. And even if it is, they are still valid points to be discussed, as opposed to trying to bury it with an LLM accusation.
Ehh, what?! Basically 0 developers in the US have quit as a protest against literal totalitarianism, major and obvious corruption, the end of vaccines (will kill countless) and the end of USAID (already killed.. how many kids?).
But, sure, DHH.. that's where we draw the line!
FFS
Edit: maybe I misunderstood why they quit, quite confused. Still..
Edit 2: Unclear if this has anything to do with DHH? And it turns out I also disagree with some of his views. But, it still stands, he's writing a blog, not literally killing kids. Where's the mass quittings for those people?
In other words: that argument is interesting, but it feels strained to me :-) -- I don't think RubyGems or Ruby Central is actually legally liable in this way (or if they are, it suggests a failure of clarity in their EULA/TOS).
Are you sure?!
Well, ok, I'm not a lawyer, but... ok, fine, let's do it!
A few years ago, RubyCentral lost power when the Rails Foundation was created (most of the Ruby world revolves around Rails). The Rails Foundation organizes its own yearly conference, and RubyCentral stopped hosting theirs.
However, RubyCentral still controls the package management tools and the package registry.
https://github.com/rubygems/rubygems/pulls?q=is%3Apr+author%...
... so I decided to destroy it, because I cannot abide things I do not understand.
The (mostly PR) explanation they produced seems to express roughly the same thing I was guessing though: https://rubycentral.org/news/strengthening-the-stewardship-o...
and I doubt you could ever get negligence to stick, given you are downloading code from some website and running it, on your own accord, entirely unprompted
(but IANAL)
see: mozilla, nominet (recovered, thankfully)
I don't mind if it's LLM-assisted text if everything in it is a reviewed and accurate representation of the point the author is trying to make.
But if the LLM throws in extra junk that distracts from the conversation and the author fails to catch that in review, that's bad.
I think it's likely I was mistaken here - that the author either didn't use an LLM or used it for minor style tweaks but ensured that it was making the points they wanted to make.
If that's what happened then it's bad because it leaves people who read the comment confused - hence my questions asking about those.
If the author confirms that those pieces I asked about serve an intentional purpose then I don't care if they used an LLM or not.
My problem isn't with using LLMs to help write comments - there are plenty of reasonable reasons for doing that (like English as a second language). My problem is letting an LLM invent content that doesn't accurately represent the situation or reflect the LLM user's own position.
(The author could also say "I didn't use an LLM", which notably they haven't done elsewhere on this thread yet.)
> Why do the maintainers have a problem with this? I thought the stated reason was about RC removing everyone's access with no warning.
I seem to remember some of DHH's controversy due to banning politics at basecamp or something. Is it related to that?
It was welcoming.
Then 2016 happened. Then some Rubyists began spewing hate and distrust at people just because of their religion.
It wasn't political until certain groups made it political.
…
That said both the person this time and people before who allegedly signed onto DHH’s nonsense I’m incredibly disappointed in. Most of them I considered at the least collegial acquaintances and some of them friends. So I felt like I knew them at least well enough to say they were above his sort of divisive rhetoric. But people frequently disappoint.
Maybe I have it all wrong and André, REDACTED, and REDACTED* have done something awful or something…. but from what I know of their characters I seriously doubt it.
Of course, IDK what the DHH crowd is actually thinking, if any of this is true, since in that case they don’t exactly discuss this openly, purely dealing in backroom shenanigans that one could almost think verged on collusion and that leads some groups like RC to possibly violate contract and employment law (at the very least copyright if you check who actually has the copyright on some of the stuff they distribute…). That is if any of the things people are saying is true.
But hey, Rubyists are all “nice” right? Nobody says ethical or kind was a requirement.
* There’s at least two people that I kno- err that is that I strongly suspect, have been tarred by mere association with André. I have a theory it’s more than just them. Apparently he’s insidious about leaking liberal labor thoughts like people should get paid enough to support their families in expensive tech hubs, even if they are working on open source. But apparently “professional open source maintainer” is anathema to some people’s vision and they’d prefer everything to depend on volunteer labor only. Which is a position multi-millionaires who successfully monetized that volunteer labor could take, sure. But it’d make them hypocrites, in the worst of ways. Especially since their alleged actions are leading to some of said maintainers losing work doing so, but they supposedly seem okay with funding others. At that point it stops being a logical, if unethical platform, and more personal spite?
The other people I know who had their accesses removed have resigned from RC a while ago, and the ones I still see with access on https://rubygems.org/gems/bundler are people I know are currently employed or contractors.
As far as I can tell, this part of the Ruby Central statement seems to check out. Now you can of course debate whether commit rights should be limited to employees, but I have no indication that they lied here.
The cancellation of DHH's keynote was purely political. At that time, RubyCentral's response was similarly uncommunicative and their explanation was BS.
This is not the first strike.
The Ruby Central that dropped him is not the same people running Ruby Central today.
How MBAs aren't synonymous with leeches by this point is the most amazing ongoing PR campaign in history. They do nothing but suck and suck and suck, and they keep sucking, and they will never stop sucking until their host dies, and then they just move on.
I wouldn't be surprised. The presence of this quote in the linked document:
> A person’s character is determined not only by their actions, but also the actions they stay silent while witnessing.
Suggests that the person who wrote it is deeply obsessed with political activism.
(Personally I'd still like to see the author clarify if they used an LLM or not, but that's more for my own personal curiosity at this point, to check if my radar needs adjusting.)
It just reads like thinly veiled racism.
Deleted my post, which I published before Ruby central released their blog explaining things.
It’s ultimately not my place to say or speculate about what’s going on.
It’s obviously a disastrously bad roll out or whatever is happening and I hope they are able to make things right w the community.
Thinly veiled? What veil - it's completely naked, one can clearly see all the constituent parts, including the repugnant bits.
> How can they remove maintainers from their own projects? If my project is yawaramin/foobar...
The official RubyGems projects in question were under a GitHub organizational account, not a single user's account. A subset of the maintainers had the "owner" flag on the org. One of those folks basically initiated the takeover. See [2] for a more detailed recounting.
[1]: Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover - https://news.ycombinator.com/item?id=45348390 - September 2025 (107+ comments)
[2]: https://joel.drapper.me/p/rubygems-takeover/#the-takeover
Claiming otherwise is just a roundabout way of saying "you must actively support my agenda at all times, otherwise I will consider you my enemy, even if you take a neutral stance" that political activists love to use to pressure normal people into supporting them.
I think this is what we are discussing. Please share your viewpoint on this.
Under which of these categories would you classify the following assertion:
> As much as I've learned about subject X, I still feel that neither I — nor most people who are already acting, for that matter — truly have enough information to take an informed stance here, as the waters are being actively clouded by propaganda campaigns, censorship, and false-flag operations by one or both sides; and I believe that acting without true knowledge can only play into someone's hand in a way that may damage what turns out to be an innocent party I would highly regret damaging, when this all shakes out a decade down the line. I find myself too knowingly ignorant to conscientiously act... yet I also do not highly prioritize gaining any more information about the situation, as I have seemingly passed the threshold where acquiring additional verifiable and objective information on the conflict is cheap enough to be worth it; gaining any further knowledge to inform my stance is too costly for someone like me, who is neither an investigative journalist, nor a historiographer, nor enmeshed in the conflict myself. So I fear I must opt out of the conflict altogether.
I find myself increasingly arriving at exactly this stance on so many subjects that other people seem to readily take stances (and allow themselves to be spurred to action) on.
I suppose I may differ from the average person in at least one way — that being that, if I were tricked into harming innocent parties, I would hold myself to account for allowing myself to be tricked, rather than externalizing blame to the party responsible for tricking me. After all, only by my learning a lesson in avoiding being manipulated, do I actually lessen the likelihood of the next innocent party coming to harm. Which is a lot more important to me, in a rule-utilitarian sense, than is avoiding social approbation for not taking a stance.
If someone doesn't know enough about an issue to care and also doesn't know the things that would motivate them to find out more about the issue that would make them care, that is true ignorance.
If someone doesn't know about an issue and deliberately avoids exposing themselves to things that would care, then it's a deliberate choice.
You acknowledge your ignorance and then refuse to remedy that.
This is an act. Perfectly acceptable and understandable. But what is more important it's deliberate and you accept responsibility for any and all consequences.
> I suppose I may differ from the average person in at least one way — that being that, if I were tricked into harming innocent parties, I would hold myself to account for allowing myself to be tricked, rather than externalizing blame to the party responsible for tricking me.
Very commendable. I wish more people held themselves to this standard. It is one of the foundations of learning after all.
They did not say this. They said they would not highly prioritize it. Which is, of course, reasonable: given two topics, I have little metric to prioritize learning about one over the other. I have no way to know that I am prioritizing my research adequately.
I would like to put the emphasis on doing this consciously. This is the important point. Too many people just do not think or know what introspection is.