| blog | https://joel.drapper.me |
| github | https://github.com/joeldrapper/ |
| [email protected] | |
| bluesky | https://bsky.app/profile/joel.drapper.me |
Meeting between Ruby Central and RubyGems maintainers right before Ruby Central seized control.
@joeldrapper @Schneems Former ShipIt maintainer here. This is indeed how it works.
Unless RC’s ShipIt wrapper overrides this, org membership isn’t the access gate. It was designed to handle Shopify’s needs. They have SOC2 and PCI compliance to think about and org-level access controls wouldn’t survive an audit of either one.
@Schneems source for my claim that Ruby Central was not even set up to automatically deploy the OSS code. https://bsky.app/profile/martinemde.com/post/3lztd7r7tqc2s
I also verified this with other people familiar with operating the RubyGems dot org service.
Yep, access to shipit (deployed) was controlled by GitHub auth and a GitHub team. Change the team (to say rubycentral/rubygems-deploy) and access is completely revoked. Without access, no code goes to prod. Staging was automatic, but Production required a manual button press.
RE: https://ruby.social/@Schneems/116214870460984841
Richard would have us believe if we set up a production system to automatically deploy someone’s open source code then that would be sufficient justification to take over that person’s open source project.
Why publish now? I watched this video months ago but didn’t feel it was my place to publish it in full.
However, someone else published it today so I decided to publish it to YouTube where it’s accessible to everyone and easily shared.
Putting this out there again: if you have any information on Ruby Central, the RubyGems takeover, sponsor involvement, the board votes, the trademark battle or the FBI reports, please contact me on Signal so I can write about it while protecting your anonymity.
My username is joeldrapper.01
Jamie Gaskins