[Update: it was a hostile takeover: https://narrativ.es/@janl/115258495596221725]

What the fuck is going on with Ruby? For the moment we have to consider all gems compromised: https://pup-e.com/goodbye-rubygems.pdf

Ah, oof: https://indieweb.social/@sstephenson/115231391147943333

And even more context (bad): https://bsky.app/profile/mikemcquaid.com/post/3lz7klsyue22f

@janl oh boy, I still can remember the idea of a central place to finance Ruby open source projects and Rubycentral introduced a year or two later. I never would have guessed that something like this would come out of that.

Although the writing may have been on the wall for a long time, I remember hearing a few years later that rubycentral doesn't get along that well with Rubygems or Bundler... 🤔

@janl It wouldn't be hard to just pull the gems from git directly, then put the commit IDs into a checked-in lock file the way mruby does it. From there, you could automate pushing the clones to your own repos if you need them.
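The git-pinning idea in the post above, as an added example that is not part of the thread and not mruby's or Bundler's own code: a small Ruby script that parses a Gemfile.lock, reports which gems come from git sources pinned to a full commit SHA, flags any git source whose revision is not a commit (for example a hand-edited lockfile that names a branch), and lists which gems still resolve from the registry. The lockfile text, gem names, remotes and SHAs are constructed for illustration.

```ruby
# Constructed sample Gemfile.lock (not from any real project); every
# remote, gem name and commit SHA below is a made-up placeholder.
SAMPLE_LOCKFILE = <<~LOCK
GIT
  remote: https://github.com/example-org/foo.git
  revision: 0123456789abcdef0123456789abcdef01234567
  specs:
    foo (1.2.3)

GIT
  remote: https://github.com/example-org/bar.git
  revision: main
  branch: main
  specs:
    bar (0.9.0)

GEM
  remote: https://rubygems.org/
  specs:
    baz (2.0.0)
      qux (>= 1.0)
    qux (1.1.0)

PLATFORMS
  ruby

DEPENDENCIES
  bar!
  baz
  foo!

BUNDLED WITH
   2.5.0
LOCK

# A full 40-hex-digit git commit id; anything else (branch, tag, short
# SHA) can move under you and is not a reproducible pin.
FULL_SHA = /\A\h{40}\z/

# Split the lockfile into its top-level sections (GIT, GEM, PLATFORMS, ...).
# An unindented line starts a section; "  key: value" lines become fields;
# "    name (version)" lines are the gems the section provides. Deeper
# lines (transitive dependency constraints) are not needed here.
def parse_lockfile(text)
  sections = []
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/
      current = { type: line.strip, fields: {}, specs: [] }
      sections << current
    elsif current
      if (m = line.match(/\A  (\w+): (.*)\z/))
        current[:fields][m[1]] = m[2]
      elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
        current[:specs] << { name: m[1], version: m[2] }
      end
    end
  end
  sections
end

# Classify every gem in the lockfile by where it really comes from.
def audit_sources(text)
  report = { git_pinned: [], git_unpinned: [], registry: [] }
  parse_lockfile(text).each do |sec|
    case sec[:type]
    when "GIT"
      rev = sec[:fields]["revision"].to_s
      bucket = rev.match?(FULL_SHA) ? :git_pinned : :git_unpinned
      sec[:specs].each do |s|
        report[bucket] << s.merge(remote: sec[:fields]["remote"], revision: rev)
      end
    when "GEM"
      sec[:specs].each do |s|
        report[:registry] << s.merge(remote: sec[:fields]["remote"])
      end
    end
  end
  report
end

if __FILE__ == $PROGRAM_NAME
  audit_sources(SAMPLE_LOCKFILE).each do |kind, gems|
    puts "#{kind}: #{gems.map { |g| "#{g[:name]} #{g[:version]}" }.join(', ')}"
  end
end
```

Point the script at a real Gemfile.lock by reading the file instead of the constructed string; the `registry` list is the set of gems that would still be fetched from rubygems.org after a migration, and a non-empty `git_unpinned` list means a git source is tracking a moving reference rather than a commit.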

@janl Ruby, why you gotta add stress to my life again.

@janl there's a ton of #Jekyll sites out there which are also #Ruby-based.

@janl I know this is about the programming language and presumably gems are a type of library or package, but for a second I thought "oh shit, are there any other langs named after gems like Ruby and Perl that are compromised"
Aaron (@[email protected])

@[email protected] @[email protected] This is a "community health" matter and not a "security" matter. The org that forcibly seized unilateral control has been an influential maintainer / contributor for a long time. It's not cool HOW they did this and I do want to see it reverted, but they aren't strangers, at least.

Ruby.social
@janl they looked at npm and said “Hold my beer”

@janl ok so yes this looks really really bad but:

"we were offered millions of dollars from a hostile donor in exchange for control of the RubyGems infrastructure" <-- that's a HELL of an accusation to make, and I can't see any evidence of that whatsoever. Is there something I'm missing?

Because otherwise until we learn more this really seems like a "never attribute to malice what you can attribute to incompetence" sort of situation - right?

@jacob yes but <insert things I can’t share here>. And at some point willful incompetence and its distinction to malice become irrelevant.
Mike Perham :sidekiq: (@[email protected])

The unstated reason for this change was that many of the existing Rubygems maintainers have recently quit (including their only full-time engineer) due to RC's continued relationship with DHH. Since most of the team has walked away, RC has decided to accept a sponsorship guarantee from DHH so they can hire a new team and this is the PR spin of that decision. I don't see how Ruby Central can be trusted anymore until its Board is publicly elected. https://ruby.social/@rubycentral/115231365858771329

Ruby.social
@janl you mean besides the person who controls all of it being a very proud Nazi?