Complicated
Today's Skill Issue contains no whimsy. Sorry.
When I started writing it, the discourse (I hate using that phrase) was focused on DHH's latest round of really bad opinions and the reactions to them. David's whitewashing of Charlie Kirk, defense of a transphobe, and support for white supremacists is disgusting. That kind of thing has no place in the Ruby community.
Unfortunately, while I was preparing my thoughts on all that, the situation changed. I woke up to claims that Ruby Central had seized control of RubyGems. My first reaction was, "aren't they the ones operating RubyGems in the first place?" They are, but the situation is complicated. I'll do my best to summarize what's going on based on both private and public conversations I've had today.
Ellen is a human who has previously been paid to work on RubyGems. They worked consistently on the project until May of this year[1]. Starting in June, Ruby Central pulled back, but claimed it was only temporary[2].
This month, a RubyGems maintainer made a number of changes documented here by Ellen. Ruby Central renamed the GitHub enterprise, removed admins not currently employed by Ruby Central, and added a non-maintainer, Marty Haught, as owner. The maintainer refused to revert these changes, claiming they would need permission from Marty.
After conversations, Marty restored the permissions, claiming this was a mistake and should not have happened.
In response to these events, the RubyGems team began putting together a governance policy inspired by Homebrew's policy. Mike McQuaid was even involved. Marty engaged with the effort.
Yesterday, Marty revoked the membership for all the admins on the RubyGems, Bundler, and RubyGems.org maintainer teams. No explanation was given.
Most of the community learned of all this from Ellen's document this morning. Besides conversations on X/Bluesky/Mastodon, you'll also find conversations about this on Hacker News and Reddit.
Not long after, Ruby Central responded with this, a press release titled Strengthening the Stewardship of RubyGems and Bundler. In it, they characterize their actions as "proactive steps to safeguard the Ruby gem ecosystem end-to-end".
Supply chain security is very important. Important pieces of infrastructure like RubyGems should be administered carefully, including who has access to them. I don't think anyone is disputing that.
I don't know exactly whose memberships were removed, what their roles were, or whether they all needed the access levels they had. At least some people who were working on the project can no longer do their maintenance work, like Samuel Giddins.
It's clear that these changes were poorly communicated (or not communicated at all) to folks affected by them. Additionally, revoking people's memberships while engaging with the governance proposal is confusing at best. I'm left struggling to understand why it all played out like this.
Unfortunately, here is where DHH reenters the story. Mike Perham (of Sidekiq fame) posted this:
> The unstated reason for this change was that many of the existing Rubygems maintainers have recently quit (including their only full-time engineer) due to RC's continued relationship with DHH.
> Since most of the team has walked away, RC has decided to accept a sponsorship guarantee from DHH so they can hire a new team and this is the PR spin of that decision.
> [...]
I don't know where Mike is getting this, so I can't speak to the existence of the "sponsorship guarantee" that he's referencing. Regardless, it's a very concerning report.
David is the creator of Rails, but he espouses views that I consider antithetical to the spirit of the Ruby community. I do not want to see him gain more power over the Ruby ecosystem outside of the Rails sphere.
I'm still waiting to learn more about this situation, but as it stands, here's what I'd like to see happen next:
- It's clear that Ellen and likely other maintainers are owed at least an apology.
- Ruby Central needs to address claims that this was motivated by a promise of funding from DHH. I suspect the situation is more complicated, but I'd like to know what role David and the Rails Foundation are currently playing in Ruby Central.[5]
- Ruby Central needs to work with the maintainers to sort out the governance model for RubyGems. Valerie has already suggested this will be a next step here.
- Finally, Ruby Central should take real steps toward improving its level of transparency and how it communicates with the community and collaborators.
There have also been calls for Ruby Central to adopt a more democratic structure, like the Python Software Foundation. (That's what's trimmed from Mike's quote above.) I really like this idea, but don't know how realistic it is. It would require some serious political will and lots of legwork.
I hope I have all the facts straight. If you see anything wrong here, give me a shout. I will do my best to fix it. I'm writing this on September 19th, so if you're reading this in the future, it may have fallen out of date as more info emerges.
Finally, I encourage everyone to remember that everyone involved in this is human. I've made mistakes that have upset people in my role as an open source maintainer too. It happens. Calls to action and pressure are okay; harassment is not. Make sure to stay on the right side of that. MINASWAN and all that. Ellen is already explicitly[3] asking people not to target Marty, who was acting on behalf of the Ruby Central board[4].
I'll leave y'all with these words from Ellen:
> The Ruby community is extremely vulnerable right now.
Heads up that I'm not sure what's happening with next week's episode of Dead Code. We've had an issue with our (now former) recording platform that's resulted in them more or less holding the recordings of our last episode hostage.
Normally, I like to keep my music recommendations within a certain set of bounds, but it's been a weird week. I listen to some pretty abrasive music that I assume that 99% of you won't enjoy. Let's explore the deep end this week.
Despite the album art, I gave Nuclear Dudes' latest release, Truth Paste, a listen. And then another listen. And then a couple more. I'm not really sure what to call it. Nuclear Dudes is a novelty band and they own that. You'll find elements of grind and powerviolence mixed with industrial metal and lots of synthesizers. It's noisy, loud, weird, and (most of all) fun.
If you have twenty-three minutes and six seconds to spare and your eardrums haven't yet caved in, this album can fix that for you.
- Valerie, the president of the Ruby Central board, confirms this on Bluesky here.
- Valerie stated that Ruby Central has not taken any money from DHH/Basecamp here. This doesn't address his involvement via his role on the board of Shopify, one of their main sponsors, or whether the Rails Foundation, which he chairs, is involved.