By christine, September 23, 2025, edited and updated September 24, 2025
And Why We Should Care
Based on solid reporting by Joel Drapper and the breaking details from Ellen
So, the Ruby community just went through something wild, and I think we need to talk about it. On September 9th, Ruby Central took over the RubyGems GitHub repositories and gem ownership without asking the people who have been maintaining them for years. It’s… not great.
The Story (As Best I Can Tell)
Joel Drapper did some really impressive investigative work here, and here’s what seems to have happened:
- The Money Problem: Ruby Central lost $250k a year in Sidekiq sponsorship after they had DHH speak at RailsConf 2025. That left them almost entirely dependent on Shopify for funding.
- The Pressure: Shopify apparently said “take control of RubyGems or we’re pulling our funding.” That’s… a pretty clear ultimatum.
- The Messy Execution: HSBT went ahead and added Marty Haught as an owner and changed permissions before anyone had really discussed it. When people complained, Marty said it was a mistake and some of the changes were reverted, but Marty stayed on as owner.
- The Board Vote: Even though Marty had warned them about the consequences and suggested alternatives (like forking), the Ruby Central board voted to do the takeover anyway. And Marty went ahead and did it.
Here’s What Really Bugs Me
The whole thing comes down to this: Ruby Central is confusing two completely different things:
- RubyGems (the open source code): This belongs to the community. People have been working on this for decades, unpaid, because they care about Ruby.
- RubyGems Service (the website and servers): This is Ruby Central’s thing. They run the actual rubygems.org site.
Just because Ruby Central pays some people to work on the service doesn’t mean they own the open source code. That’s like saying you own Rails because you sponsored someone who made a PR to Rails. It doesn’t work that way.
The Communication Has Been Terrible
Honestly, this is what has been most disappointing. Ruby Central’s response read like corporate speak, with no one willing to put their name on it. Board members keep saying things like “Ruby Central has been responsible for RubyGems for a long time,” which is just not true: they have been responsible for running the service, not for owning the code.
So… What Now?
How do we protect community projects?
When corporate money is involved, how do we make sure the community still owns what it built?
What about transparency?
How do we prevent stuff like this from happening again? And when hard decisions need to be made, how do we make sure everyone’s actually talking to each other?
Corporate influence is tricky.
We need corporate support to keep things running, but how do we draw the line between “helping” and “taking over”?
Trust is broken.
Can we still trust Ruby Central to look after our infrastructure when they’ve shown they’ll take over community projects if a big company tells them to?
Look, I get that running infrastructure is hard and expensive. But this wasn’t about infrastructure: this was about taking control of open source code that belongs to the community. Doing it under the banner of “supply chain security” when it was really about corporate pressure just makes it worse. The Ruby community deserves better than this.
What Adarsh adds to the picture
From Adarsh’s perspective as a former Ruby Central director, in a Mastodon thread:
- He talks about the very real operational and funding pressures Ruby Central faces.
- Underscores the importance of clarity between running critical infrastructure (operator responsibilities, access, accountability) and stewarding community code (governance, consent, legitimacy).
- And points toward constructive next steps: explicit agreements, transparent governance, and rebuilding trust with maintainers rather than asserting ownership through access.
The through‑line is pragmatic: secure the service, but do it in a way that respects community ownership and doesn’t burn the social capital the ecosystem relies on.
Sources: Joel Drapper’s deep dive, Ellen’s initial report, and the Mastodon thread by Adarsh (former Ruby Central director)
Top comments (2)
This is the strange part for me. Why did the RubyGems service need that level of permission? Giving a service permission to change the owner is invasive, like giving someone the key to your house. And why didn't people find it strange the service required this permission?
I'm not a Ruby developer but I have experience with PHP and JavaScript package managers. And I checked the permissions. I don't see them wanting permission that allows them to take over a project.
If they wanted security they could add a system that filters the gems.
Yeah, that is really hard for me to understand too. They say they were trying to secure the ecosystem, but by removing the maintainers with years of knowledge, and leaving all those gaps, it seems less secure. Plus this is not the RubyGems service (which they already controlled, and how you actually upload/download the gems, aka https://rubygems.org) but the RubyGems GitHub, just where the open source code was maintained.