The Rubygems.org takeover
2 days ago
- #RubyGems
- #OpenSource-Governance
- #SupplyChain-Security
- Ruby Central, a nonprofit, took control of the RubyGems and Bundler GitHub repositories in September, removing long-time maintainers without warning.
- The takeover was justified by Ruby Central as necessary for supply-chain security, but many in the Ruby community view it as a hostile action influenced by corporate sponsors, particularly Shopify.
- Former maintainers, including André Arko, were locked out of repositories and gem publishing access, leading to accusations of unethical behavior and lack of transparency from Ruby Central.
- Ruby Central's funding struggles, including the loss of a major sponsor (Sidekiq) due to controversies involving Rails creator DHH, may have motivated the takeover.
- In response, former maintainers launched gem.coop, an alternative service, while Ruby Central handed over repository ownership to the Ruby core team in October.
- Public statements from Ruby Central have been criticized as insufficient, with claims of corporate interference and poor governance decisions.
- The conflict highlights broader issues of open-source project governance, funding dependencies, and corporate influence in community-driven projects.