The RubyGems "Security Incident"
12 hours ago
- #RubyGems
- #Ruby Central
- #Security Incident
- Ruby Central published an 'Incident Response Timeline' for a security incident involving RubyGems.org; the post summarized here argues that the timeline contains exaggerated or misleading claims.
- André Arko, a primary operator of RubyGems.org for over ten years, defends his actions as careful and aimed at protecting RubyGems.org from potential threats.
- Ruby Central revoked and restored GitHub permissions multiple times, causing confusion among the team, including paid developers.
- Marty Haught, from Ruby Central, admitted fault in communication but later contradicted his statements, leading to further confusion.
- Arko, as the primary on-call engineer, says he locked down the AWS account to prevent unauthorized changes while leaving the accounts under Ruby Central's control.
- Ruby Central failed to properly secure AWS credentials and other operational accounts, leaving those weaknesses in place even after Arko reported them.
- Ruby Central accused Arko of hacking their AWS account, while he claims his actions were in line with his contractual responsibilities.
- The incident raises questions about Ruby Central's commitment to transparent and responsible stewardship of RubyGems infrastructure.