AI-assisted analysis surfaced a vulnerability in Nokogiri — and is now scaling Ruby ecosystem defenses. Colby Swandale @oceanicpanda (RubyCentral) on how @AlphaOmegaOSS is expanding its reach. alpha-omega.dev/blog/scaling…

昨年のRubyGems騒動の報告書がRubyCentralから出ている。若干法的な帰属とか曖昧な部分があるような気がするが、かなり誠実かつ詳細に事象を説明しているのではないかと思う。 rubycentral.org/news/rubygem…

Pasó otra Ruby Meetup en La Plata. Gracias a todas las personas que se coparon. Y gracias especiales a @RenzoQuaggia_ y @maxawen por las charlas, y a quienes hicieron posible el encuentro: @github #rubycentral @sinaptia_dev @unagisoftware ¡Nos vemos en la próxima!#rubyonrails

Venite este jueves 27/11 a escuchar a estos dos grosos y pasar un lindo rato con más Rubyistas. 👉eventbrite.com.ar/e/la-plata… @github #rubycentral @sinaptia_dev @unagisoftware @SnapplerAr @RootstrapInc @SomosAero OmbuLabs.ai Tecnom #rubyonrails @RenzoQuaggia_ @maxawen

Este jueves 27/11 nos encontramos en La Plata para una nueva #RubyMeetup. Vení a compartir. Reservá tu ticket: eventbrite.com.ar/e/la-plata… @github #rubycentral @sinaptia_dev @unagi @SnapplerAr @RootstrapInc @SomosAero @OmbuLabs @tecnom #laplata #ruby #rubyonrails

First, the context. In 2024, RubyCentral made decisions about RubyGems that split the community. Some called it overreach. Others said it was necessary. But @GregMolnar sees something deeper, "It's not about who was right or wrong..."

Here’s what I don’t get: If Bundler is moved under the stewardship of RubyCentral or Ruby core, it’s “stealing the maintainers’ code”. If DHH is removed from Ruby on Rails, even though he owns the trademark and is the original author, it’s “reasonable”.

As someone who spent a bunch of time talking before and after this all went down with current and past RubyGems maintainers, RubyCentral employees, gem.coop maintainers and Ruby Core folks: this seems like the best outcome that was actually attainable.

And now he's part of the "founders" of the RG's "alternative" gem hosting service called gem.coop! This is super crazy!!! Nobody with 2 brain cells will use that shit. RC was making the right decisions ALL the time!!! #ruby/#rails #rubyonrails #rubycentral #gems

I was involved in attempts to improve RubyGems governance, mediate between RubyCentral/RubyGems folks and helping the gem-coop folks setup their new governance process. Given recent events, I'm stepping back now that the initial governance work is done: mikemcquaid.com/bootstrappin…

so rubycentral published an incident report and it looks like andre arko tried to lock rubygems out of their aws account?? oh yeah lemme hop on his new community run alternative rq rubycentral.org/news/rubygem…

🎙️ New (Bonus) Episode of Code and the Coding Coders who Code it, with @andrewmcodes and Rachael Wright-Munn podcast.drbragg.dev/episodes… #ruby #Rails #code #coding #coders #podcast #rubycentral #bundler #rubygems

100% So far my impression is that accusations flying on both sides are overblown. Neither side is perfect but also not as bad as the other would have them look. But one thing that is absolutely clear is that RubyCentral did and is doing an awful job communicating.

「乗っ取り」(RubyCentralは何年も前からBundlerとRubyGemsを管理していた)とか「差別的発言で知られるDHH」(DHHは言葉が強いことで知られるが、前提無しで差別的と言われるほどの発言しているかはかなり疑問)とか、かなり悪意のある内容ですね。

monday morning quarterback, here's probably what should have happened: 1. ruby central says internally: we're resetting privileges for everyone to rubygems.org to zero. sign this or walk. here's our new GH org and repo for rubygems.org, which is what we're going to use to deploy to rubygems.org in the future. 2. here's our new rubygems and bundler repos. Ruby core says they're going to pull from these now. To contribute to these repos, sign this or walk. You're free to keep working on the repo you've got, but ruby core isn't going to officially pull from it for new releases any longer. I think they lacked the explicit support from Ruby core to make this happen so it ended up being a night of the long knives type situation. They always had the moral right to do what they did re rubygems.org but not for bundler/rubygems and they chose to steamroll and this the blowback they get as a result. Ultimately I think most people realize they had to take these steps for the sake of securing the supply chain, but the execution could've been done differently. throwing shopify under the bus here is counterproductive. Their demands were not unreasonable. This is how nonprofits work, you're fundamentally owned by your funders. Ruby Central has tried to make individual membership programs work but they failed. We ceded, as a community, that we want our community nonprofit to be funded by big corporations, so it's sour grapes now if you come around when the shit hits the fan and say "shopify's interests don't align with mine". RubyCentral could have done this without burning 100% of their existing maintainer relationships by doing something more like what I said above. Probably some people were always gonna say no. But I think a decent number of them would've responded much better to a clearer plan done on a less crash timeline. Again ultimately I give them a lot of grace because they've been doing the work for us for a long time, even when we weren't paying attention like we are now.

One thing I can't follow here is that he talks about ownership of open-source code. The old maintainers can just for the repos if they want to. Bundler wouldn't work without rubygems.org currently, so even though the code and the service is not the same, they rely on each other. And since the code is open source, the value lies in the service. There are some serious accusations against highly respected people by the way like Aaron Patterson and Ufuk. I would love to see proof of those, because I trust those two more than the side that was initially telling that DHH will be funding RubyCentral from now on. Also, Andre started his own bundler and rubygems alternative months ago. There are so many unclear details.

Here's my stance on the current issues around RubyGems and RubyCentral 😢: mensfeld.pl/2025/09/ruby-cen… #ruby #rubygems #rubycentral

RubyCentral released a video statement. I think every sensible person should be ok with this. If if you work for them pro bono, there should be a contract if you have access to critical infra or data. Otherwise you might not even be identifiable. youtube.com/watch?v=VyCiE3Gj…

Thanks for this. As someone still just getting into Rails. I know of gems of course but didn't realize how they were maintained, etc. I didn't really know how to react to the initial post as it seems like it hit my timeline a bit later so the RubyCentral annoucement followed not far behind. I'm not familiar with the machinations of RubyCentral & bundler updates, etc. But based on your post I can fill in more pieces there.

Greg Molnar ➜ On RubyCentral and Rubygems greg.molnar.io/blog/on-rubyc…