The Rubygems.org takeover

Original link: https://lwn.net/SubscriberLink/1040778/77d921001b26d061/

## RubyGems.org takeover and community concerns

Recent events around RubyGems.org (the official Ruby package repository) have sparked extensive discussion within the Ruby community. The takeover appears to be connected to Ruby on Rails creator David Heinemeier Hansson (DHH) and his recent board seat at Shopify. Some believe that Shopify pressured Ruby Central in order to gain control of the RubyGems organization.

This has coincided with renewed scrutiny of DHH's controversial political blog posts, which many consider racist and xenophobic. Those posts expressed concern about demographic change in London and have intensified existing tensions within the community.

While some see the transfer of control to Matz (Ruby's creator) as a positive outcome, others believe the whole affair reflects deeper problems in the Ruby ecosystem. Concerns range from security weaknesses inherent in Ruby's flexible features to the effects of divisive rhetoric. Many advocate looking ahead and focusing on alternative package managers such as gem.coop, while others argue that addressing fundamental issues such as inclusivity and responsible discussion is essential for Ruby's future.

Original article


By Joe Brockmeier
October 20, 2025

In September, a group of long-time maintainers of Ruby packaging tools projects had their GitHub privileges revoked by nonprofit corporation Ruby Central in what many people are calling a hostile takeover. Ruby Central and its board members have issued several public statements that have, so far, failed to satisfy many in the Ruby community. In response, some of the former contributors to RubyGems are working on an alternative service called gem.coop. On October 17, ownership of the RubyGems and Bundler repositories was handed over to the Ruby core team, even though those projects had never been part of core Ruby previously. The takeover and subsequent events have raised a number of questions in the Ruby community.

Ruby Central is a nonprofit that was formed by David Alan Black and Chad Fowler in 2001 to organize events for the Ruby community. It soon began supporting other initiatives, such as RubyForge, which shut down in 2014, and has helped pay for RubyGems.org hosting since its inception. However, Ruby Central has always been primarily an organization to put on conferences—it has not been actively involved in maintenance or operations until its merger with Ruby Together. The work to maintain and operate RubyGems.org, the Ruby community's hosting service for Ruby gem packages, has been undertaken primarily by volunteers for most of its existence. LWN covered this in more detail in the article "A brief history of RubyGems.org".

Takeover

Development of RubyGems, Bundler, and software for RubyGems.org has been maintained in repositories under the RubyGems GitHub organization for many years. Organizations are used to manage shared accounts for multiple repositories; organization administrators can configure the roles and permissions granted to users for one or more repositories under the organization. Note that GitHub roles are only visible to members of an organization with push access to a repository; it is not possible to verify a person's role in a repository without that access, which makes it impossible for outsiders to audit these changes.

On September 9, a RubyGems maintainer renamed the GitHub organization from "RubyGems" to "Ruby Central", added Ruby Central's director of open source Marty Haught as a maintainer, and removed everyone else. This is according to a document provided by Ellen Dash, who said that the takeover happened "with no warning or communication" to the other maintainers of these projects. Joel Drapper named Hiroshi Shibata as the maintainer who handed control of the organization to Haught in his timeline of the events.

Dash said that Shibata refused to revert the changes unless Haught gave permission to do so. Drapper's report indicates that Haught met with some of the maintainers on Zoom and explained that he had been working on operational planning. He was putting together an agreement that operators of the RubyGems.org service would be required to sign. Shibata had jumped the gun.

Martin Emde, one of the maintainers who had been locked out, submitted a pull request to the RubyGems RFC repository with a proposal for RubyGems organizational governance on September 14. The proposal was based on the Homebrew project's governance policy. Mike McQuaid, who helped create Homebrew's policy, offered his help in refining the policy for RubyGems. A fair amount of discussion took place between RubyGems maintainers about the policy over a few days.

On September 15, Dash said, access was restored after Haught gave Shibata permission. I emailed Emde about the events; he said that when the maintainers' access was restored "all of us were asked 'not to seek revenge' even though any one of us could have removed" Haught and Shibata. On September 18, Haught replied to the governance pull request discussion and said:

I've taken a first pass on this and this is a great start. I'll dig into specifics as I have more time. I'm committed to find the right governance model that works for us all. More to come.

To date, Haught has not replied to the discussion again. That day, Dash said, Haught once again "revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams" with no explanation. She added that Ruby Central refused to restore GitHub permissions and also revoked access to the bundler and rubygems-update gems on RubyGems.org. "I will not mince words here: This was a hostile takeover." (Emphasis in the original.)

Emde said Haught had claimed the original changes were a mistake, "but then broke that truce in the middle of formalizing a clearer governance". He also said that Haught did not believe Ruby Central was right to take the repositories. "He knows that they were taken from us unfairly."

Takeover becomes public

All of this had happened more or less quietly until Dash spoke out about it on September 19, and published her timeline of the events. Dash, who had been a RubyGems maintainer for many years and had acted as a contractor for Ruby Central on a part-time basis since it absorbed Ruby Together, said she was resigning from her position "effective immediately".

Valerie Woolard, president of Ruby Central's board, said that the changes were "part of an effort to harden our supply chain security posture and will be followed by discussions as how to develop a sustainable governance model going forward". She also referred people to a post by Ruby Central called "Strengthening the Stewardship of RubyGems and Bundler". It said, in part:

Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.

In addition, with the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end. To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work.

According to Drapper's timeline, the on-call rotation mentioned in the post was provided by Shopify employees.

Ruby Central promised a community Q&A session with Haught, members of the Ruby Central board, and its executive director, Shan Cureton, on September 23. The post was updated on September 25 to say the Q&A had been postponed because it was scheduled "on a major holiday in addition to it being an inconvenient time for our global community", it being the start of Rosh Hashanah.

In the place of the Q&A, Cureton provided a video update that said, "sponsor questions about supply-chain risk made one thing clear: we needed to close governance and access gaps quickly". She also indicated that there were recent departures which made the changes "urgent", though she did not name the people involved. Drapper did, however, in a blog post about the insufficiency of Ruby Central's security measures published on September 30. He identified RubyGems lead maintainer André Arko and security engineer Samuel Giddins as the people who had departed.

I emailed Arko with questions about these events. He said that he and Giddins had "clearly stated we were continuing as project maintainers". He also said that Haught confirmed that he still considered Arko the team lead for the RubyGems and Bundler projects at that time.

Arko had, however, announced a "new kind of Ruby management tool" on August 25 that could someday replace RubyGems and Bundler. The tool, rv, is a Rust-based Ruby "language manager" patterned after the uv package-management tool for Python. The end goal for rv is "a completely new kind of management tool" that would handle everything from installing Ruby to managing gems and more. The team working on rv includes Giddins and Sam Stephenson, creator of the rbenv Ruby version-manager tool. Arko said that he had learned "some people think working on two related open source projects at once is an impossible conflict of interest".

Conflicting stories

Ruby Central's public communications have claimed that the takeover was about supply-chain risk and a need to live up to its responsibilities related to RubyGems.org infrastructure and open-source projects on GitHub. There is no question that Ruby Central does have a reasonable claim to "ownership" over the operation of RubyGems.org infrastructure. The nonprofit has helped to pay for hosting since the beginning, and the merger with Ruby Together made Ruby Central the sole funding source for paid operations of RubyGems.org.

However, there is no indication that the open-source maintainers ever agreed to hand over any authority to Ruby Central for the RubyGems and Bundler open-source projects. The merger agreement between Ruby Together and Ruby Central does not convey control of those projects. It is left to Ruby Central to decide "whether to start, continue, or terminate fundraising and programming efforts" as a continuation of work that Ruby Together had done, but that does not imply ownership of those projects. It does mention an open-source committee that is supposed to propose development work budgets to the board.

Ruby Central apparently formed such a committee in August 2023, but did not announce it until November 2024. None of the RubyGems or Bundler contributors or Ruby Central's "Open Source Team" were involved in this committee, except Haught. A blog post promised that Ruby Central would "discuss the details of how the committee works" in the future. If a post explaining the committee and its work was ever published, I cannot find it.

Before the takeover, the development of these projects carried on as it had for years: some paid work was funded by a nonprofit, but most of it was still done on a volunteer basis and governed by lightweight contributor policies. See the RubyGems POLICIES.md and Bundler POLICIES.md for more. The policies are not as comprehensive as one might hope, but they were in place, and maintainers had every reason to believe that they would be followed.

Supply chain

The claim that this was urgently necessary due to supply-chain issues has also been questioned. The prevailing counter-theory seems to be that Ruby Central moved when and how it did due to funding problems and influence from a major sponsor: Shopify.

Ruby Central had recently dealt with what it called supply-chain issues. In August, an application-security company, Socket, published its research on what it called "a long-running supply chain attack in the RubyGems ecosystem".

Since March 2023, a threat actor had published dozens of malicious gems that were advertised as automation tools for Instagram, Telegram, TikTok, WordPress, and others. While the gems did provide the promised functionality, they also sent user credentials to "threat-actor controlled infrastructure".

Haught published a blog post about the attack on August 25. He credited RubyGems maintainer Maciej Mensfeld with initial detection of the attack and Josef Šimánek for his assistance in removing malicious gems. At the time, Haught said that the incident "shows our security systems working as intended: threats were detected, removed, and contained before they could cause widespread harm".

Socket and Ruby Central have positioned this as a "supply-chain attack", but it did not fit the profile of one. Publishing gems that are malicious from the get-go is not really a supply-chain attack; it's simply a threat actor publishing malicious software through RubyGems.org and enticing people to use it. The problem is one of inadequate review of gems before publishing, not a matter of subverted infrastructure or smuggling a malicious payload into a popular project. Nothing that Ruby Central has done regarding removing maintainer account access seems to address the problem of malicious gems at all.

Funding

Ruby Central was struggling with funding problems, though. In a talk given at the Baltic Ruby conference on June 13, Haught talked about the RubyGems.org budget and funding. The budget for 2024 was $1.2 million, and $1.4 million for 2025; however, he said, "we haven't quite raised enough money to cover the budget for this year", which was something that he had to deal with. The video is available on YouTube.

Before the pandemic, Haught said, Ruby Central had made a lot of its money from conferences, "and so that funded all this work previously" but that was no longer the case. "So now the open-source program has to figure out how to fund itself". That had prompted Ruby Central to spin up a corporate sponsorship program in 2024.

The nonprofit had received a lot of grant funding in the past two years, he said, but that money was running out. "So, now I'm in the position of figuring out how to replace grant money when it's no longer available to us." According to a graph he showed during the talk, about 62% of funding was from grants, about 15% was in the form of donated services, and about 23% came from individual membership or corporate sponsorships.

Note that a large percentage of Ruby Central's budget would be allocated to salaries for Haught and Cureton. Both were hired after the 2023 tax year, which is the last filing publicly available; however, the executive director position was advertised with a range between $120,000 and $150,000. Emde speculated that Haught would have a higher salary than Cureton, but he was unsure.

Loss of Sidekiq

One reason for the budget shortfall, aside from the post-pandemic malaise, is the loss of a major corporate sponsor: Sidekiq. The organization withdrew its $250,000 sponsorship after Ruby Central announced that Ruby on Rails creator David Heinemeier Hansson (often referred to simply as "DHH") would keynote the final RailsConf event in July. Sidekiq creator Mike Perham said that he rescinded the grant because: "We cannot tolerate hateful people as leaders in our communities." David Celis wrote a blog post on September 19 that gives one perspective on some of the Ruby community's grievances with Hansson.

Hansson had keynoted or had been interviewed at RailsConf from 2006 through 2021, with a break in 2016 due to a scheduling conflict. But, in 2022, Hansson was essentially uninvited following a controversial "no politics" policy at 37signals (a company Hansson co-founded) that prompted about a third of employees to leave and drew a lot of negative attention to Hansson and 37signals.

No doubt, Hansson was not pleased at being uninvited from a conference about a technology he created. That led to the creation of the Rails Foundation and Rails World conference. Having a competing Rails event seems to have also contributed to the decline in Ruby Central's conference income, and its decision to end RailsConf after this year.

The purpose here is not to get deeply into those controversies, but to acknowledge the fact that Hansson has publicly and regularly taken positions on topics outside of Ruby that alienate quite a few people. That, in turn, put Ruby Central in a bit of a bind; some people (and sponsors) would be upset if Hansson was at RailsConf, others would be upset if he was not. There was no option that would please everyone, so it was a matter of choosing who to upset.

The first time around, Ruby Central chose to distance itself from Hansson. This year, it chose to give him the stage, and that cost the organization a significant chunk of its $1.4 million budget. Many people have also taken note of the fact that Hansson joined the Shopify board of directors last year.

Shopify and Ruby Central

Drapper said that he was told by "an anonymous source" that Ruby Central was presented with a long-term funding proposal at the Rails World 2025 conference, held September 4 through September 5, "but this would only happen if certain RubyGems maintainers were removed". Dash said that the maintainer to be removed was Arko. Drapper also claims that "Shopify specifically put immense financial pressure on Ruby Central to take full control of the RubyGems GitHub organisation and Ruby gems".

Freedom Dumlao, a member of the Ruby Central board, did not identify any sponsor specifically but seems to confirm that the board was reacting to a demand related to funding and had to decide quickly:

A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

Dumlao said that conversations were ongoing with maintainers, but that the board had a deadline that was less than 24 hours away. In Arko's response to me on October 19, he said that he had been told directly that Ruby Central had been required to force him out of the projects as a condition of receiving corporate sponsorships. He said that he was aware some companies had been unhappy with his ideas to raise money for maintainer work, and for deprioritizing their feature requests. No amount of unhappiness, though, "justifies Ruby Central stealing the project repo" to kick him out.

The community responds

Ruby Central's statements about the takeover did not seem to satisfy many people in the Ruby community. Drapper called it "AI-generated corporate speak and bears no signature from anyone at Ruby Central willing to take responsibility". Šimánek, who was a part-time contractor for Ruby Central as well as one of the maintainers, said that the organization was using supply-chain security as an excuse to remove people from projects "they never owned [...] and now claim ownership themselves".

McQuaid said that he had met with people on both sides to try to mediate the dispute. His take was that Ruby Central managed things poorly, "including removing literally the most active member of the RubyGems organisation by mistake who has declined to return." That would appear to be former RubyGems and Bundler maintainer David Rodríguez, who updated his GitHub profile to say that he had been kicked out. "I was informed that they would unilaterally remove fellow maintainers from the project in order to keep funds from Shopify."

Ruby community member Justin Searls, however, said he was not rushing to take sides. He did not have a clear picture, he said, but "I don't believe this is a cut-and-dry case of altruistic open-source maintainers being persecuted by oppressive corporate interests". He also provided a timeline of actions by Arko to provide "broader historical context", such as a comment that suggests Heroku should fund Ruby Together if it expects Arko to continue backporting fixes to an old version of Bundler, and adding a post-install message to Bundler asking users to support Ruby Together. Searls urged others "not to rush to judgment about who's at fault in the current conflict".

Former Shopify employee Jean Boussier has defended Shopify. He was employed by the company from November 2013 to August 2025, but left "mainly because of my constant friction with the CEO". Despite that, Boussier said that he is unconvinced that Shopify threatened to pull funding or that the takeover was orchestrated by the company. He also noted that he has contacted two former coworkers who assured him, "Shopify never threatened to pull Ruby Central's funding, nor threatened not to renew it".

Ruby Central responds

Ruby Central published an update on September 30, signed by Cureton, that apologized for the confusion caused by failing to communicate "earlier and in more detail". It denied that what had happened constituted a takeover and said: "We accept responsibility for how our initial communications created the impression of sponsor-driven action."

Cureton denied that sponsors had directed Ruby Central's actions. "The Board acted independently, and financial support was NOT conditioned on taking these steps." It said that the organization would publish regular updates on Fridays, with an update on the status of the repositories "soon". A brief weekly update was published on October 3; it noted that "discovery work related to supply-chain security and governance concerns" was ongoing and would be shared "as soon as we're able".

On October 9, Cureton published a "post-incident review" of an "AWS root-access event". It said that Drapper's blog post on September 30, which demonstrated Ruby Central had failed to revoke Arko's access as part of its supply-chain cleanup, "raised concerns that a former maintainer continued to have access to the RubyGems.org production environment". It includes a detailed analysis of Arko's access to the RubyGems.org AWS account, which demonstrates that Ruby Central had not, in fact, done a thorough job of its stated goal of improving security. In one of Emde's replies, he said that Ruby Central "never previously had, and I would argue still doesn't have the capacity to maintain this service independently" of the long-time maintainers they locked out:

We were responsible for protecting billion dollar companies and every Ruby developer in the world, from being hacked. The US government has previously coordinated drills with package repository maintainers. It's hard to overstate how big a responsibility it was and this has always been handled outside of Ruby Central. [Cureton] and Marty are not qualified nor is it least privilege, to hold such access just for the purpose of being able to take it away at their discretion.

Ruby Central's post casts Arko in a sinister light but concludes that there was no evidence that the "security incident" actually compromised anything.

Ruby Central also shared an exchange with Arko from early August, to "provide additional context to the community about our decision to formalize production access". It said that Ruby Central had been reviewing its contractor budget and planned to stop working with Arko's consultancy, "which had been receiving approximately $50,000 per year for providing the secondary on-call service". It included an email from Arko sent on August 3 that offered to provide secondary on-call services at no charge "in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII)".

The board and leadership team, Cureton said, "determined that this proposal crossed important ethical and legal boundaries", which set in motion Ruby Central's actions to revoke access from maintainers. It was selectively sharing communications with Arko "to be transparent about what occurred, what we have learned, and what we are doing to prevent it" in the future.

Arko responded the same day. About two weeks after Ruby Central took over the GitHub organization and stated it was performing a security audit, Arko said that "someone asked if I still had access", and he found that he did.

I discovered (to my great alarm), that Ruby Central's "security audit" had failed. Ruby Central also had not removed me as an "owner" of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.

Arko indicates that he wrote to Haught on September 30 to disclose that the organization had not terminated all of his access. He said Haught responded three days later, asking him to confirm whether he had any production data, server logs, access logs, or PII. Arko replied that he did not; he also noted in the blog post that he has no interest in any PII "commercially or otherwise", but confirmed that he was interested in acquiring "company-level information with no information about individuals included in any way". He also argued that his actions "were taken in defense of the service that Ruby Central was paying me to support and defend".
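The failure described above (a "security audit" that left a departed maintainer as an organization owner and left shared credentials unrotated) is the kind of thing an offboarding check should catch mechanically. The following Ruby script is an added example, not code from Ruby Central, the RubyGems project, or anyone quoted in the article. It assumes two snapshots an operator would export before the audit: the list of organization admins (GitHub's REST API can produce one via GET /orgs/{org}/members?role=admin) and the last-rotation date of each secret in a shared vault. All logins, credential names and dates below are constructed placeholders.

```ruby
require 'date'

# Constructed snapshot of organization admins, shaped like a minimal export of
# GitHub's member list with role=admin. Logins are placeholders, not real accounts.
ORG_ADMINS_SNAPSHOT = [
  { login: 'oncall-engineer-1',   role: 'admin' },
  { login: 'former-maintainer-a', role: 'admin' },
  { login: 'ops-lead',            role: 'admin' }
].freeze

# Constructed snapshot of shared secrets in a team vault and the date each was
# last rotated. Names are placeholders.
SHARED_CREDENTIALS_SNAPSHOT = [
  { name: 'cloud-root-account', rotated_on: '2025-06-01' },
  { name: 'deploy-token',       rotated_on: '2025-09-20' },
  { name: 'db-admin-password',  rotated_on: '2025-07-15' }
].freeze

# Compare what still exists against what the offboarding decision intended:
#   allowed_admins - logins that are supposed to keep admin rights
#   revoked_on     - the date access for departing people was removed; every
#                    credential they could have seen must be rotated after it
# Returns a report hash rather than printing, so the result can be checked.
def audit_offboarding(admins:, credentials:, allowed_admins:, revoked_on:)
  cutoff = Date.parse(revoked_on)

  stale_admins = admins
                 .select { |m| m[:role] == 'admin' && !allowed_admins.include?(m[:login]) }
                 .map { |m| m[:login] }

  unrotated = credentials
              .select { |c| Date.parse(c[:rotated_on]) < cutoff }
              .map { |c| c[:name] }

  {
    stale_admins: stale_admins,
    unrotated_credentials: unrotated,
    clean: stale_admins.empty? && unrotated.empty?
  }
end

# Runs the audit over the constructed snapshots with a hypothetical revocation
# date; returns the report so callers can inspect it.
def run_example
  audit_offboarding(
    admins: ORG_ADMINS_SNAPSHOT,
    credentials: SHARED_CREDENTIALS_SNAPSHOT,
    allowed_admins: %w[oncall-engineer-1 ops-lead],
    revoked_on: '2025-09-18'
  )
end

if __FILE__ == $PROGRAM_NAME
  report = run_example
  puts "residual admins:        #{report[:stale_admins].inspect}"
  puts "credentials to rotate:  #{report[:unrotated_credentials].inspect}"
  puts(report[:clean] ? 'offboarding complete' : 'offboarding INCOMPLETE')
end
```

With the constructed data the report flags one leftover admin and two secrets that predate the revocation date; only an empty report counts as a completed offboarding. The point of the design is that both lists are derived from exported state rather than from a ticket saying the work was done, which is exactly the gap the article describes.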

Ruby Central published another update on October 10. This included an email from Haught on September 18 that informed Arko that Ruby Central was "pausing" on-call rotations and directed him to send a pro-rated invoice. It said that there had been no live Q&A "yet" due to a risk of "spreading incomplete information" and excluding contributors who could not participate in real time.

Additionally, it said that a lawyer had sent Ruby Central a cease-and-desist letter on Arko's behalf with a claim that he owns the Bundler trademark, "along with various other demands". Cureton said that Ruby Central did not expect to make further public comments until those issues were resolved.

On October 10, Perham wrote that Ruby Central is "smearing Andre in public so they can justify their hostile takeover of the rubygems/rubygems repo after the fact". Arko told me that it was "wildly hypocritical" that the nonprofit published an idea he asked them about, while "keeping their own critical decisions completely secret". He also said that Ruby Central's actions were unneeded:

The "Fork" button has been there the whole time, and Ruby Central could have used it at any point to have as much security and control as they could possibly want. Ruby Central's unelected board violated the written policies of the projects they now claim to own in order to take them from their maintainers of over ten years. Their claims they had to steal the projects for legal reasons are now obviously false, since they have already passed off the stolen projects to a different outside party.

The pass-off that Arko is referring to is the announcement on October 17 by Ruby creator Yukihiro Matsumoto (a.k.a. "Matz") that the core Ruby team will be assuming stewardship of RubyGems and Bundler. The repository ownership will change in order "to ensure long-term stability and alignment with the broader Ruby ecosystem".

According to Arko, however, none of the locked-out maintainers of RubyGems or Bundler were contacted about this transition ahead of time. Emde and Rodríguez also confirmed, in email replies to me, that they were not consulted. Emde also said he believed that if Matz knew the details "he would make the right decision". Ruby Central "took the repositories from us. They know it. We know they know it." The project was healthy, well-maintained, and actively developed, he said. So well, in fact, that this situation is the first time that many people have thought about RubyGems and how much work goes into the project. He also emphasized that there were six maintainers affected by the takeover, not just Arko:

The smearing of André reveals Ruby Central's focus more than it explains the situation. I think it's convenient for them to have a scapegoat but it distracts from the others that were harmed by this.

gem.coop and transition

Since there is little indication that Ruby Central is going to reverse course, it seemed inevitable that there would be a fork or alternative effort from the community. That happened in early October when Martin Emde announced gem.coop. The goal for that project is to, eventually, be a new server for the gems ecosystem.

The site lists Arko, Dash, Emde, Giddins, Rodríguez, and Šimánek as the "cooperative" behind the initiative. The service currently caches gems published to RubyGems.org; it is not possible to publish gems directly to it—at least not yet. According to the site, its governance will be modeled after Homebrew. The governance documents are on GitHub.

There has been no public activity in the gem.coop code repository since October 12. Arko told me that this is due to a focus on finishing the project's governance. "Once project leadership is elected, we expect to resume work on gem server features."

Despite the length, this is a much-abbreviated overview of what is known publicly about the RubyGems.org takeover so far. No doubt, there is even more yet to be uncovered and more to come. It is always disappointing to see this type of drama in open-source communities; it should serve as yet another warning to other open-source projects to get their governance in order before experiencing a similar scenario.
