why’s identity reveal had nothing to do with the Ruby community. A random bad actor posted his personal details in a blog post.

The Ruby community respected his pseudonymity. Some of us already knew his name.

I don't like talking about a heterogeneous group of people in a generally negative way. I try to stick to the people I perceive as sharing the same values that are important to me. And there are many such people in the Ruby community.

> Remember why the lucky stiff?

I remember _why and I definitely don't remember him as toxic.

Surprised to hear this, have been a Rubyist for many years and never felt this way about community as a whole. Come to Ruby Kaigi in Japan sometime!

[flagged]

I think that viewpoint says more about you than it does the Ruby community.

I think it's pretty obvious to see the difference between being nice and jumping off a bridge? Curious why this cute phrase bothers you so much.

Is being nice equivalent to jumping off a bridge? I think it's relatively simple to comprehend and also harmless. The guy who built this thing is nice, let's try to continue that tradition so that our community doesn't turn to shit.

> Why would I proxy my own decisions based on any mindless slogan?

Exactly, why would you? But ignoring a hypothetical communal bridge jumping situation, do you have a problem with Matz having stewardship over RubyGems? Use your own thinking. If you're okay with it, then... is it because Matz is nice?

Matz wouldn’t say jump from a bridge because he is nice.

It's a reminder to us all.

I don't think I've ever seen Matz be rude to anyone on the Ruby bug tracker. I've actually witnessed him deal with controversial topics firmly yet gracefully, making decisions that avoid turmoil in the community and that leave no room for escalation into flamewars. Other projects weren't so lucky.

I wrote some Ruby in my teenage years and his conduct certainly made an impression on me. I try to remember this guy whenever I get too angry about stuff. We should all try to be more like him.

That's what the phrase is saying, by the way. It's an encouragement to follow in his footsteps.

It affirms that being nice is a role model / thing we want to do in the Ruby community

I know what you mean about mindless aspirational slogans. "No child left behind" is logically the same as "no child gets ahead". But trying to convince the Ruby community to be nice, by the example of their founder, isn't in that category. And if Matz told me to jump off of a bridge, he has enough stored up credibility that I'd at least consider it.

> If matz were to say "jump from the bridge", people would do it, because matz is nice?

As always, there's a relevant xkcd: https://xkcd.com/1170/

...but seriously, what on earth do you think you're saying here?

This is missing an important part of the story that makes the Ruby Central side look relatively better, which is that one of the existing maintainers offered to help fill the funding gap in exchange for being allowed to monetize the server logs. https://rubycentral.org/news/rubygems-org-aws-root-access-ev...

But Ruby Core is not the same thing as Ruby Central, apparently? This blog post says, "To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community." What, if anything, is the relationshp between Ruby Core and gem.coop?

If only the drama stopped there:

* DHH is not only considered racist / fascist due to some blog posts, but also for making Hyprland the default DE in Omarchy, developed by someone who goes by the name Vaxry Vaxerski, who is also considered fascist and racist, and thus banned from contributing to freedesktop projects due to supposed breach of CoC:

https://blog.vaxry.net/articles/2024-fdo-and-redhat

* Hyprland and all its contributors are now also considered fascist from taking sponsorship money from 37signals, DHH's company, due to it being an important part of Omarchy.

https://account.hypr.land/sponsors

* Due to the fact that both DHH and Vaxry are both considered fascist / racist, Framework and its CEO (yes, that Framework) are now considered to be supporters of fascism, because Framework is sponsoring and supporting both Omarchy and Hyprland.

https://account.hypr.land/sponsors

* Cloudflare (yes, that Cloudflare) is considered to support fascism because they support Omarchy and the Ladybird webbrowser (which is a project also run by someone considered to be a fascist)

https://blog.cloudflare.com/supporting-the-future-of-the-ope...

* Last but not least, Tobi (Shopify CEO) and thus Shopify are also considered by many to be supporters of fascism when this drama started to unroll for standing by DHH no matter what when activists wanted to deplatform and ban DHH from his own creation (Ruby on Rails). Which makes the Ruby Central drama due to the involvement of Shopify even more interesting:

https://xcancel.com/tobi/status/1970944464303923687

Me? I want to hop in a time machine back to the 90s/early 00s before all this crap started and everybody was just generally nice to each other.

This is not 100% correct though; I mean, your summary is good, don't get me wrong so I upvoted it. But it conflates a few issues that are not 100% related.

For instance, DHH and his fancy blog, are not 100% related or relatable to RubyCentral ousting long-term developers. There may be some connection (DHH on shopify's board, tons of ruby developers being paid by shopify and still writing "my opinion is totally unbiased" like byroot did), but there is no 1:1 overlap. For instance, I could not care what DHH writes on his blog any less. rubygems.org changing policies though - that affects me. And if shopify is in part responsible, and DHH sits on shopify and makes decisions, then yes, something changed here. But there are also people who have a vendetta against DHH and they leak into other spaces too. I am not among those people and they shouldn't try to hijack other communities either.

By the way, the Shopify ultimatum also does not explain why all other ruby devs were ousted. Ruby Central lost the narrative here. And, since they accuse Arko as the ultimate bad boy - why haven't they sued him? Why do they continue to refuse to do so? (Because they know their case would be rubbish nonsense and they would have to open up ALL emails, which may make many more people suddenly ... very funky.)

Thanks, that was a superb summary! Appreciate it.

It's news to me that the RubyCentral event had anything to do with DHH at least directly.

You are alleging that Shopify was retaliating. Do you have any reliable context that Shopify was acting in a retaliatory manner?

I disagree. The actions are orthogonal to your claim - they eliminated everyone else from there. How is that not hostile? Duckinator has been 100% right here.

> we gave stewardship of RubyGems

I didn't sign anything.

I also remember the original creators of rubygems. How old is Ruby Central? 10 years? 15 years? There were several years before that.

It goes without saying that Ruby Central doesn't think Ruby Central has ever lost any trust to begin with.

Apparently so. That shouldn't be a surprise; Amazon Web Services turned out to be hostile to WikiLeaks, CDDB's hosting turned out to be hostile to the community that built CDDB, coal mining company towns were hostile to miners' unions, and, in the final analysis, turkey farmers are hostile to the turkeys.

Imagine if you opened up your laptop to discover Microsoft windows has locked you out of a your entire machine, because you were writing a novel in RTF and it could be opened in Microsoft Word. Microsoft's executives started posting they "took control of the your machine/the novel to maintain security".

- Corporate entity doesn't have copyright over your creative output. Just because word can open and view ("run") your novel does not give them ownership.

- Locking your access completely on your resources would be akin to a ransomware attack or account compromise

Would you label those actions hostile? Or just accept it as right because "maintain security"?

If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?

The entity that just fired all the people who maintained it

Read his account of it (https://andre.arko.net/2025/10/09/the-rubygems-security-inci...) and you might change your mind (again).

Oh I can assure you, it will be a thing.

Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.

The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.

But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.

Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by it's authors, and licensed MIT-style. But you're talking about passwords to infrastructure...

Genuine question: how do you take something which you have already been paying for?

They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that, it was extremely childish behaviour.

Afaik many of the people who were on board to help start gem.coop have stepped back after the recent controversies with Andre Arko, at this point I don’t think it will ever be anything more than a ruby gems mirror

Ericsson is drama free?

Or Europeans choose to work for US corporations. What am I missing? I know Europeans who only want to work for American companies.

my coffee hadn't hit—that was my intention, the "cannot"

As best I've been able to understand it, a dislike of DHH led to the opportunity for those with a dislike of André to do all the stuff under discussion. I doubt we'll ever know the whole story, but in the absence of any of the additional context that some people claim exists (but haven't made public), this seems to be the most coherent explanation for what happened.

Which only had weight because Sidekiq pulled funding because Ruby Central wouldn't deplatform DHH.

I don't understand why the move wasn't undone. This is essentially kicking the can down the road.

Loved the... argument?

Decentralization is not the answer to that though.

Can Gems be served from OCI Container/Artifact registries, which (also) already support signatures?

From https://news.ycombinator.com/item?id=44991636 :

> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries

So, packages there too would simplify.

Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency: https://news.ycombinator.com/item?id=45354568

Nerdctl supports various snapshot, lazy start, and distributed cloud storage container stores: https://news.ycombinator.com/item?id=45270468

Ruby has:

  gem cert --build your@email.com 
  gem install gemname -P HighSecurity

sigstore-ruby: https://github.com/sigstore/sigstore-ruby

guides.rubygems.org/trusted-publishing: https://guides.rubygems.org/trusted-publishing/ :

> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]

> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.

If it’s PKI and there’s verification on each stage, maybe. Just different sort of centralization. If keys are self-issued, it’s still a problem. Say, you add a new dependency from a repository XXX. A new version is released signed by another key, which appears to be legitimate. What are you going to do? Run full KYC on new credentials? Distrust the new dependency version and fork the library? Just ignore assuming that repo has verified it?

With central repo you may expect that they operate under increasingly stronger security standards and even if you missed malicious update, there’s higher chance that it was taken down by someone else. In decentralized environment your risks are higher and attention surface bigger.

Go's one weakness is that the package source is baked into the package data in a not-automatically-fungible way. And if pkg.go.dev ever becomes a threat vector, we're gonna have a bad time.

dselect solved this ages ago with its mirrors, but at some point it seems every major package manager decided that was unnecessary complexity ("why bother? It's not like a package repo just goes down") and left it out when they built their alternatives.

So, from time to time, when a domain in the Internet goes sour it's a huge problem (whereas were a Debian mirror to go sour I'd add like one line to a config file and never notice the issue again, assuming dpkg doesn't automatically identify the problem and route around it).

go is comically un-distributed in practice:

- almost every package is hosted on GitHub and that url is baked in to consumers of those packages

- the go proxy: https://flak.tedunangst.com/post/what-the-go-proxy-has-been-...

Isn't this the same as ruby gems, then? You can use alternative sources in your Gemfile pretty easily.

>Go has decentralized package hosting and it works reasonably well.

All go package imports are proxied via Google.

https://drewdevault.com/2022/05/25/Google-has-been-DDoSing-s...

The Deno people recently released jsr.io, "a modern package registry for JavaScript and TypeScript."

I'm not familiar with the technical details, but at first glance it appears pretty centralised.

I did say that those aspects of Ruby would start to be painful at that scale, not that it was totally unusable. Clearly it's usable, and there's certainly less scale-able things than Ruby on Rails out there serving big production traffic today. But I wouldn't recommend switching an app that big in some other language over to Ruby, and at least as many companies have moved off of Rails monoliths when they outgrew them, like AirBnB for example.

But would they still build with Ruby if they had to rewrite it today? It seems other commenters are saying they wouldn't. I wanted to see if it offered anything more than my python and Go preference.

Leftists. It's a Trotsky quote.

No, I agree. That said, I think a lot of that particular shift is down to a) increased individualism b) an emphasis on the healing power of personal boundaries and c) the rejection of unity as an overriding good.

People are far more happy to cling to the tribe they choose, and the tribe that has their back, over the tribe they were born to. Then, there are those who see that trend as dangerous to society (where, in many cases, society is really just a proxy for their own power or social status - ironically as viewed through their own chosen tribes more than the tribe they were born to)

That is to say, I don't think it's the political views that are splitting the families. Individuals have decided that care for each other should come secondary to those political views. I feel like there used to be a certain amount of care in the "sweeping under the rug" - it was the tribe against the world, it was protecting the family image as much as it was protecting the individual from society. These days, being a thing "in private" means being a thing alone, and that's no longer a compelling thought when external tribes are willing to embrace you.

Which probably applies to software tribes just as much as family ones.

>A few decades ago, people could have political views without ostracizing roughly 50% of the global population

This is ahistorical.

Not only was it the norm forever to ostracize entire sections of your society (protestant vs catholic and lots of other religions, black vs white, any form of non-hetero behavior, the Roma people and any form of outsider)

It often was the law

Americans shot their family members over whether we should own black people or not.

My french and white ancestors were expelled to Louisiana, intermarried with black people, and then when the US bought the french land, they introduced laws that made such families illegal.

Reagan made a hobby of publicly claiming his coworkers were communist. Thought that maybe we should be allowed to form unions? 100 years ago that was enough to get you investigated by the senate. Americans voted for him so hard the Democratic party is still floundering to have support. "We should allow unions" or "we should regulate companies" is still half-verbotten.

Do you know how many kids are still kicked out of their homes for the crime of being born gay?

This idea of "You used to be able to hold diverse opinions in public" is outright wrong. This past never existed.

Weird Christians in the US have tried to cancel things like Harry Potter and halloween for gods sake. They took a teacher to trial for teaching evolution. They made playing pen and paper RPGs a sin! When preachers molested kids, they shunned the kids

Being too chummy with another guy in public was a scandal! Being a woman who wanted an education was a scandal! Getting pregnant out of wedlock was a scandal that would tear apart families. Getting divorced was verbotten. Expressing support for social policy could get you fired, or murdered

Bush Jr literally said "You're either with us or against us" about supporting a criminal war and America pitched a globally public fit when other countries did not pledge allegiance.

The rubygems treasurer who is on the board said funding was conditional on doing this[0][1].

One interesting thing is that Ruby Central then said "Board decisions are independent and not contingent on funding."[2].

Doesn't inspire a lot of trust when there is a statement from a board member saying "we did this because of funding".

I'm more inclined to believe Joel's account.

[0] A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

[1] https://apiguy.substack.com/p/a-board-members-perspective-of...

[2] https://rubycentral.org/news/our-stewardship-where-we-are-wh...

Ruby Central is making legal threats to its critics, so I hope you can see why people don’t feel safe to come forward on the record.

I can tell you that two people with direct knowledge of the situation told me that Shopify demanded that Ruby Central take full control of the RubyGems GitHub organisation and packages.

You can believe that I am lying if you want. But I can’t directly cite my sources in this case.

Almost exactly my thoughts when I heard about it[0].

[0] https://news.ycombinator.com/item?id=45303239

That is the point though, his hand was forced. He was very politically attacked in a very public manner and has spoken out nonstop ever since.

> When you are the public face of a company (and framework) and you are publishing your political opinions using your companies platform, you are now bringing politics to work.

So Tim Cook would be "bringing politics to work" by posting politics on Twitter from an iPhone? Plenty of prominent Python community members, including core devs, have politics on their blogs and also use Python-powered technology (dedicated SSGs like Nikola, but also even Sphinx which is really meant for documentation) to generate and publish pages; is that "bringing politics to work"?

right, that's exactly what he did. "politics for me but not for thee"

He was brought back for the last RailsConf since DHH started RailsWorld after he was removed as a speaker for previous conferences.

https://news.ycombinator.com/item?id=45622861

> I more or less agree with the "no politics at work" stance

> but you've omitted

I'm not that poster, but it was objectively correct to omit that, because it was as an objective matter of fact not "at work".

It does. Not. Matter. In this context what his beliefs are, or how they look to you through your lens.

In exactly the same way that, for example, the political views of GNOME and Xorg developers are not relevant to the development of those projects, and only become relevant when they get discussed in development spaces. (Or, you know, when they become the motivation for explicit interference in XLibre development.)

That's not quite accurate. Quoting chatGPT, since it may have more credible neutrality than my own opinion:

""" Does Tommy Robinson call himself a "fascist" or "white nationalist"?

No — Tommy Robinson (real name Stephen Yaxley-Lennon) does not call himself a fascist or white nationalist. He consistently rejects those labels, describing himself instead as a patriot, free-speech activist, or anti-Islamist campaigner. To summarize the record:

* Public statements:

Robinson has said things like “I’m not a racist, I’m not a fascist — I’m a working-class lad from Luton who’s standing up for my country.” In interviews (e.g., BBC Panorama, ITV, and various YouTube appearances), he has explicitly denied being a fascist or white nationalist.

* Affiliations:

He co-founded the English Defence League (EDL), which has been widely described by journalists and researchers as far-right and anti-Muslim.

However, he left the EDL in 2013 saying it had become associated with racism and extremist elements he could no longer control. """

Maybe TR is a fascist or white nationalist, but he isn't a self-proclaimed one.

(political opinion incoming)

Other than his mention of Tommy Robinson, it is not radical or unacceptable to say "Wow, my city has changed radically in the past 20 years and is losing its identity".

If the center and the left completely reject the validity of national identity and the expectation of immigrant integration to British identity, then you leave people with those sentiments running into the only open arms left: the far-right and the rest of their agenda.

As a liberal, even a progressive in my own mind, I still recognize that completely open borders are a problem and that we should expect all people coming to a country to want to learn the language and integrate with the native community and customs. This concept is compatible with respecting cultural diversity and immigrant populations and their civil rights.

And the UK really seems to have a free speech problem. Support Palestine too much? Jail. Support immigration controls too much? Believe or not, jail.

FINALLY - I don't see how this kind of hard-fork-over-politics maneuver helps change minds in the long run. It only generates bitterness.

I don't think that's fair, I mostly thought that until I read his recent blog post[0] where he wished for fewer non-white people in London and praises a far-right fascist figure in England (Tommy Robinson, he was a member of the BNP[1] for while before he started the EDL which was more extreme).

When you're advocating for ethno-nationalism and praising fascists, I don't think you can get mad at people thinking maybe you're a little bit fascist, or can claim to be in the centre politically.

[0] https://world.hey.com/dhh/as-i-remember-london-e7d38e64

[1] https://en.wikipedia.org/wiki/British_National_Party

The label is meaningless now because it's been so over used. At this point a facist is anyone to the right of anarcho-communism. People still trying to use the term are labeling themselves more than anybody else.

I totally understand and agree that it was handled very poorly.

I was one of the originating authors of RubyGems along with Jim (RIP), Chad, David and Paul. I hosted RubyGems from my home for the entire community for many years. We never asked nor received anything for that. We wrote RubyGems for the Ruby community. Matz and the Ruby Core team is the right place for RubyGems. This is great news.

> So it’s okay for Matz to get HSBT to steal people’s open source projects?

Where is the theft? The projects were open source, they are still open source.

Have we got any sources for Matz getting HSBT to steal it? I mean, I get that they're both members of ruby core, but that's a bit of a claim.

it paints all the stuff like is one person fault. omits to tell like stuff like

- gem.coop -> the person behind have a new tool rv that want to sell it

- they want to sell the rubygems logs to corporatins

- change the root pass at aws once they where remove from the project

small details like this.