Ruby core team takes ownership of RubyGems and Bundler

https://www.ruby-lang.org/en/news/2025/10/17/rubygems-repository-transition/

The Transition of RubyGems Repository Ownership

In the long run, having multiple sources like gem.coop is probably a safer and more robust solution. But for RubyGems specifically, the trust was fully lost, through several layers - maintainers, community members, sponsors, etc. There are still open questions that probably need to be resolved, like the funding and data privacy stuff, but I think most folks in Ruby land will be supportive of this.
Any summary of what exactly unfolded please (if you don't mind)? Sorry, I haven't been following the Ruby news for some time.

The broad-strokes story is:

* DHH said some things on his blog that some people believe to be deeply racist / fascist (not going to unpack whether they were or not because answering that question is irrelevant to the fact pattern; consult other threads for that debate).

* A Ruby conference run by Ruby Central was asked to deplatform him. Since he's the creator of Rails, they declined.

* In response to their decision, a major sponsor (Sidekiq) pulled out of supporting the conference and Ruby Central in general, to the tune of $250k a year.

* This created a "blood in the water" situation where Shopify hit Ruby Central with an ultimatum: they would back-fill the lost sponsorship for oversight control of Ruby Central (and the gem repository they maintain, rubygems.org). And if Ruby Central didn't take the deal, Shopify was going to pull their funding also, leaving them in dire straits (this, BTW, is a fairly common corporate tactic when multiple partners share support of a service that doesn't independently generate revenue. Look for it in your own business, startup company, and nonprofit dealings!).

* Shopify now de-facto controls rubygems.org and people immediately started backing towards the exits because corporate takeover tends to be a harbinger of enshittification. As if to prove the point, Shopify's folks immediately ham-fisted the access controls, yanking several gem creators from the admin roles of the gems they created. They claim this was a mistake; several in the community do not want to give them a benefit of the doubt they are not believed to have earned.

* Community members are standing up gem.coop as an alternative gem repository.

This is missing an important part of the story that makes the Ruby Central side look relatively better, which is that one of the existing maintainers offered to help fill the funding gap in exchange for being allowed to monetize the server logs. https://rubycentral.org/news/rubygems-org-aws-root-access-ev...

Your addition also misses an important part where the only reason he was able to do that was because the servers were forcibly taken from the previous owners for the ostensible purpose of security, but the new regime forgot to change the passwords as part of that.

At this point, it's probable that any attempt to just list the pertinent events isn't going to end up being as neutral as one might hope because even the choice of what context to include or exclude is itself editorial. This is the same lesson people might learn in a high school history class, just applied to something much more recent.

Wait, you think the former maintainer breaking into Ruby Central's AWS account and changing its root password makes the former maintainers look better?
That's the one thing I've heard them not address yet: the changing of the passwords.

Arko kind of did address it in his most recent blog post. He claims he was doing what was in Ruby Central's best interest.

Unfortunately for him he basically admitted to a crime because it came after he was terminated. He tried appealing to community and whatnot but anyone who's ever worked for a corporation knows that once you're terminated, it doesn't matter if HR forgot to take away your credentials or not, you simply don't attempt to access anything ever again. Having keys to something doesn't make you the owner.

He stated that he didn't know he had been terminated. RC admitted that no harm had been done. Yes, he should have communicated changing the password.
He changed the AWS root password for the account.

That's the narrative from the new Ruby Central, which feels like a wild distortion of the actual situation.

You’re likely aware, though it’s worth mentioning, that the new owners ousted all existing maintainers without any explanation[1]. This follows a prior incident where access was revoked and later restored, with assurances that it was a mistake. This situation can only be viewed as a malicious attack, in which only the new owners had a full understanding of what transpired. Changing the password was a reasonable and appropriate response that any competent person in a similar position would've considered.

I’m shocked that we seem to be experiencing a Freenode 2.0 situation, but with some supporting the usurpers instead of the longstanding maintainers. It’s only been four years since the Freenode debacle, yet certain types of people seem to have grown bolder since then. A "win" for freedom of expression, huh?

[1]: https://pup-e.com/goodbye-rubygems.pdf

Did he or did he not log in to the AWS root account after losing his own credentials and change the root password? I don't need paragraphs of explication following that. Seems simple!

You take issue with me using 148 words in my comment? Just 8 hours before you wrote that, you spent more words than I did downplaying problems with AI powered mass surveillance cameras. Are rules something you live by or something that you arbitrarily impose on others?

It’s telling that you can write multiple paragraphs claiming the moon is made of cheese while expecting others to communicate only in brief, misleading soundbites.

It's a yes or no question.

The term you're looking for is a loaded question.

https://en.wikipedia.org/wiki/Loaded_question

Changing passwords was the responsible course of action to protect Ruby users in light of the attack. Maintainers should act in the interest of the Ruby community, not in favor of usurpers with a vendetta.


I love that you had to link to the Wikipedia page for "loaded question" for this. So you're saying the answer is "yes": he logged into the root account, after he lost access to his own account, and changed the root password. OK then!

Here's what I think: people are starting from a sympathetic principle (independent community-minded maintainers are better than corporations) and working their way back to what they've decided must have happened. The person we're talking about here tried to (quietly!) monetize the server logs for RubyGems. Don't even try to play the "that's what RubyCentral says" card --- they published the email.

The world doesn't always line up with the most sympathetic principles.

The world doesn't line up with lies and spins of the most transparently corrupt actors either.

Shopify stole RubyGems from the maintainers, do you deny it? They tried to do so in secret, keeping the maintainers and the larger Ruby community in the dark. Their claim that the access revocations were a mistake was a blatant lie. Moreover, they spun even more conspicuous falsehoods in response to the public backlash.

When you twist protective measures against ongoing theft or shitty proposals that went nowhere into a nefarious conspiracy to justify the theft of critical Ruby infrastructure, it’s time to take a hard look in the mirror.

And hey, since you imply that loaded questions aren't fallacious, tell me: have you stopped beating your wife? It's a "simple question," just answer yes or no.

The premise of "have you stopped beating your wife" is that you made up the idea that I might have done it; simply asking the question is a form of slander. But that's not at all the case with Andre Arko and RubyGems. From everything we know: he really did (1) lose his personal access, (2) log in with a stale AWS root credential, and (3) change the password on the root account. We also know that (4) he attempted to quietly monetize the server logs from RubyGems.

These aren't insinuations; they're direct factual claims. They're well-founded and they're either true or they're not. No, you can't just jazz-hands your way through this.

I'll repeat:

When you twist protective measures against ongoing theft or shitty proposals that went nowhere into a nefarious conspiracy to justify the theft of critical Ruby infrastructure, it’s time to take a hard look in the mirror.

What are you trying to achieve here, bringing up debunked insinuations over and over and over again? And haha no, going over every cherry-picked fact and half-truth you explicitly stated doesn’t prove you aren’t making insinuations.

> insinuate: to impart or suggest in an artful or indirect way

https://www.merriam-webster.com/dictionary/insinuated

Note the word "indirect."


Which of these insinuations have been "debunked"? Did they happen or not? If they happened, but you're OK with the reason they happened, they weren't "debunked"; they were, to you, "mitigated".

Arko explained why he changed the password. Yes, he should have communicated the change, and that's on him. I still can't understand why RC preferred to publish a hit piece on him instead of... calling him to ask if he had changed the password? Bonkers.

Now, are you using that to justify the hostile takeover of critical infrastructure to the entire Ruby community? I'm baffled. RC did a *hostile takeover*. How many times do I have to repeat this?

Here you are, saying out loud that RC would have needed to call Arko to ask if Arko had changed the password. There is one too many "if"s in that sentence!

I'm questioning why they didn't call him. Why?

And why are you ignoring that RC did a hostile takeover of the repos? Again, RC stole the repos. What do you think of that?

Why in the everloving cosmic fuck did he not tell them? In a great many circumstances what he did is a crime. Nobody's coming after him on this but if this was me I would paper the everloving fuck out of what I did so there wasn't even a possibility that the owner of the account had any uncertainty as to what happened.

I don't know what happened with "the repos", is why I haven't offered an opinion about it. I have a professional interest in stories about people gaining unauthorized access to accounts. I assure you, the law doesn't weigh one party's transgression against the other the way you suggest it should.

I find your obsession over Andre's fault and disdain towards the stealing of the repos by RC amusing.

And you know what? I think you're right! What Andre did could constitute a crime. Any serious organization would lawyer up and go after him... right? RIGHT?

Did you stop reading 2 sentences in to my last comment?

> We also know that (4) he attempted to quietly monetize the server logs from RubyGems.

What sort of monetisation?

Asking because there's a huge potential range of options there, from pretty innocuous stuff through to downright evil. :(

What kind of monetization would have been OK?