    Hostile Takeover of RubyGems: My Thoughts

    Peter H. Boling February 6, 2026

I'll keep this post evergreen, as the situation evolves. Also, when you are done reading - [hire me](https://galtzo.com).

# 👣🔍️ First some background reading 🕵️

- RubyGems (the [GitHub org][rubygems-org], not the website) [suffered][draper-security] a [hostile takeover][ellen-takeover] in September 2025.
- Ultimately [4 maintainers][simi-removed] were [hard removed][martin-removed] and a (dubious) reason has been given for only 1 of those, while 2 others resigned in protest.
- It is a [complicated story][draper-takeover] which is difficult to [parse quickly][draper-lies].
- Simply put - there was active policy for adding or removing maintainers/owners of [rubygems][rubygems-maint-policy] and [bundler][bundler-maint-policy], and those [policies were not followed][policy-fail].
- I'm adding a note linking to this post to all of my gems because I [don't condone theft][draper-theft] of repositories or gems from their rightful owners.
- If a similar theft happened with my repos/gems, I'd hope some would stand up for me.
- Disenfranchised former-maintainers have started [gem.coop][gem-coop].
- Once available I will publish there, or to my own server, exclusively; unless Ruby Central & Ruby Core make amends with the community.
- The ["Technology for Humans: Joel Draper"][reinteractive-podcast] podcast episode by [reinteractive][reinteractive] is the most cogent summary I'm aware of.
- See [here][gem-naming], [here][gem-coop] and [here][martin-ann] for more info on what comes next.

# My thoughts

1. I no longer trust Ruby Central.
2. I no longer trust certain members, but primarily HSBT, of the RubyGems core team.
3. I no longer trust certain members, but primarily HSBT and Matz, of the Ruby core team.

> Q: In what sense do I _not trust_ them?
> A: 📃 **Governance** 📃

To be more specific, I no longer trust that they:

1. Hold people accountable for their actions according to written agreements and documentation around governance policy.
2. Understand the community upset over point 1.
3. Will ever do anything about it.

If they are added to your repository, you may wake up to find you have lost access to your own project. I'm not OK with this having already happened to others, and have taken steps to ensure it will not happen to me.

Within my open source projects, I will reduce, to the degree possible, my reliance on any project hosted under the Ruby org on GitHub. Since most of my projects are Ruby projects, I'll never get to complete exclusion, but I will be focusing much more on JRuby and TruffleRuby.

It has been pointed out to me in other discussions about this that we never had reason to trust them, but we did anyway, implicitly. We normally assume other people live by the same code of ethics that we ourselves live by. I will miss being able to rest on that assumption, but it is probably for the best that it get binned.

# What I'm doing about it

- [appraisal2][appraisal2] is a hard fork of the old, and nearly-dead, namesake Thoughtbot project, to which I've added many features, including support for:
    - Bundler's `eval_gemfile`
    - frozen appraisal lockfiles w/ bundler version switching
    - all versions of Ruby back to v1.8
    - [ore][ore] (see below)
    - More on the reasons behind the [hard fork][appraisal2-blog]
- [ore][ore] installs gems without Ruby, without bundler, and without rubygems. It is a GoLang implementation of (some parts of) Bundler (and adds some features bundler lacks). A project by @seuros - and I'm now on the core team. It is *much* faster than bundler.
- [setup-ruby-flash][setup-ruby-flash] is an alternative to the venerable setup-ruby GHA we've all been using for years. `setup-ruby-flash` relies on [rv][rv] and [ore][ore] for Ruby and Gem installs, and it falls back to [setup-ruby][setup-ruby] on unsupported platforms/engines. I wrote more about it [here][setup-ruby-flash-blog].
- A (WIP) proposal for [bundler/gem scopes][gem-scopes]
- A (WIP) proposal for a federated [gem server][gem-server]

[rubygems-org]: https://github.com/rubygems/
[draper-security]: https://joel.drapper.me/p/ruby-central-security-measures/
[draper-takeover]: https://joel.drapper.me/p/ruby-central-takeover/
[ellen-takeover]: https://pup-e.com/blog/goodbye-rubygems/
[simi-removed]: https://www.reddit.com/r/ruby/s/gOk42POCaV
[martin-removed]: https://bsky.app/profile/martinemde.com/post/3m3occezxxs2q
[draper-lies]: https://joel.drapper.me/p/ruby-central-fact-check/
[draper-theft]: https://joel.drapper.me/p/ruby-central/
[reinteractive]: https://reinteractive.com/ruby-on-rails
[gem-coop]: https://gem.coop
[gem-naming]: https://github.com/gem-coop/gem.coop/issues/12
[martin-ann]: https://martinemde.com/2025/10/05/announcing-gem-coop.html
[gem-scopes]: https://github.com/galtzo-floss/bundle-namespace
[gem-server]: https://github.com/galtzo-floss/gem-server
[reinteractive-podcast]: https://youtu.be/_H4qbtC5qzU?si=BvuBU90R2wAqD2E6
[bundler-maint-policy]: https://github.com/ruby/rubygems/blob/b1ab33a3d52310a84d16b193991af07f5a6a07c0/doc/bundler/playbooks/TEAM_CHANGES.md
[rubygems-maint-policy]: https://github.com/ruby/rubygems/blob/b1ab33a3d52310a84d16b193991af07f5a6a07c0/doc/rubygems/POLICIES.md?plain=1#L187-L196
[policy-fail]: https://www.reddit.com/r/ruby/comments/1ove9vp/rubycentral_hates_this_one_fact/
[ore]: https://github.com/contriboss/ore-light
[setup-ruby-flash]: https://github.com/appraisal-rb/setup-ruby-flash
[setup-ruby-flash-blog]: https://dev.to/galtzo/setup-ruby-flash-25lb
[appraisal2]: https://github.com/appraisal-rb/appraisal2
[appraisal2-blog]: https://dev.to/galtzo/ann-appraisal2-a-hard-fork-44dh
[rv]: https://rv.dev/
[setup-ruby]: https://github.com/ruby/setup-ruby

    Tags

    opensource, ruby, rails, governance
