Hasty Briefs

When Responsibility and Power Collide: Lessons from the RubyGems Crisis

a day ago
  • #RubyGems
  • #Supply Chain Security
  • #Community Governance
  • In September 2025, Ruby Central took control of the RubyGems GitHub organization, removing long-standing maintainers without warning.
  • The author, involved in RubyGems security, understands the business necessities but is disappointed by the execution.
  • Supply chain security is critical, with attacks on npm, PyPI, and RubyGems being active, ongoing threats.
  • Ruby Central's actions aimed to secure infrastructure and establish legal frameworks, but the execution lacked communication and trust.
  • The removed maintainers learned of their removal through GitHub notifications, not from Ruby Central itself.
  • Ruby Central's absence from the daily community work created a disconnect, leading to decisions without understanding the human cost.
  • The RubyGems GitHub organization hosts more than the projects Ruby Central funds, so taking over the whole organization raised concerns of overreach.
  • The removal of experienced maintainers has led to a loss of domain knowledge and damaged the collaborative culture.
  • Governance and control can coexist with clear agreements, transparent processes, and mutual respect.
  • The author decides to continue working on RubyGems security, emphasizing the importance of continuity and stability.
  • The Ruby community has lost valuable contributors, and rebuilding trust and expertise will be challenging.
  • Critical infrastructure needs formal governance, but it must be implemented with care to preserve human relationships and expertise.