659 points jolux | 41 comments
1. thomascountz ◴[] No.45301861[source]
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler

https://rubycentral.org/news/strengthening-the-stewardship-o...

replies(13): >>45301914 #>>45301919 #>>45301946 #>>45302039 #>>45302069 #>>45302082 #>>45302089 #>>45302099 #>>45302120 #>>45302227 #>>45302468 #>>45305713 #>>45308969 #
2. michaelem ◴[] No.45301914[source]
So uh… “compliance reasons”? That sounds rather concerning.
3. loloquwowndueo ◴[] No.45301919[source]
Totally reads like post-facto CYA. They could have communicated this to the maintainers internally beforehand instead of blindsiding them.
replies(1): >>45303795 #
4. yxhuvud ◴[] No.45301946[source]
It might have been a good idea to do that communication BEFORE creating all that drama.
5. raesene9 ◴[] No.45302039[source]
If they're trying to strengthen security, this feels like an odd way to go about it.

Making unplanned unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over, feels risky and not a great way to improve people's trust in their governance.

6. jmuguy ◴[] No.45302069[source]
So essentially they randomly cut off a bunch of long time maintainers for some vague legal and/or security reasons. If there was real reason to do that in a hurry, that's what we need to see, not a corporate PR message.
replies(2): >>45305218 #>>45305953 #
7. bradgessler ◴[] No.45302082[source]
It reads like lawyers and auditors took over RubyCentral.
replies(2): >>45302266 #>>45303956 #
8. DannyPage ◴[] No.45302089[source]
> We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of *openness and collaboration*

- The bolded part doesn’t track with locking out the entire team without notice or explanation.

- “Thanks for the hard work, the adults will take it from here” rarely works out.

9. sussmannbaka ◴[] No.45302099[source]
that’s a lot of words to write “we did a hostile takeover”
10. thomascountz ◴[] No.45302120[source]
I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile take-over, and that that would expose Ruby Central to some legal liability, if not a complete loss of control.

I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath.

Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are now squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again."

...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now...

replies(1): >>45302228 #
11. corytheboyd ◴[] No.45302227[source]
Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also liability, but those accounts being compromised just hasn’t been what is happening.
replies(1): >>45302567 #
12. loloquwowndueo ◴[] No.45302228[source]
1. You lock everyone out of the org for whichever valid but idiotic reason.

2. The instant you do, you send them all an email explaining the situation.

That’s how you do it in those cases. You don’t blindside them and then wait for them to react, restore their access back (which totally negated and nullified the “I wanted to preempt a takeover attempt” argument) and continue to skulk around instead of being open about it.

replies(2): >>45302276 #>>45302475 #
13. julik ◴[] No.45302266[source]
* Get appointed as paid managers of a non-profit

* Get advice from legal

* Legal suggests removing long-term maintainers without liability contract the same way people get fired: immediately and instantly, and screw the consequences. "Open-source? Never heard of it. Protect your entity legally"

* Instantly follow the advice of the lawyers to the letter.

Well done, well done.

replies(1): >>45307796 #
14. thomascountz ◴[] No.45302276{3}[source]
You're completely right. In a generous interpretation, having so little communication over such a long period is where this went wrong. In any case, having your highly-tenured team dissolve and feeling like things were "hostile" is an indicator that you'll need to do better. Then again, who knows what the goal actually was? Maybe this went perfectly to plan. Given there was nothing approaching an acknowledgement of regret or apology in the press release, maybe this went exactly to plan.
replies(1): >>45303021 #
15. krmbzds ◴[] No.45302468[source]
> We thank the maintainers and respect their legacy.

After removing them without explanation, cutting them off from projects they have maintained for over a decade, and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated.

16. chao- ◴[] No.45302475{3}[source]
Seconding this.

Ruby Central is not a large organization by headcount, but in terms of impact, it is massive. Any person up to the task of leading an organization like this must know that drastic, public action involving long-term contributors will necessarily require an explanation. Inevitably. They must also know that in an information vacuum, people will assume the worst.

This is not difficult to foresee.

I truly hope this is settled without too much collateral damage, and I hope that the people in leadership learn a lesson about communication.

17. woodruffw ◴[] No.45302677{3}[source]
Your last sentence reads like a weird swipe: as best I can tell, there's no cultural war dimension to this whatsoever?
replies(1): >>45302955 #
18. ryandrake ◴[] No.45303021{4}[source]
It reads like the confrontation-avoiding Office Space solution: "We fixed the glitch [...] so it will just work itself out naturally."
19. downrightmike ◴[] No.45303795[source]
The NPM breach was an email that stated the dev needed to update their MFA by the next day in order to keep their access.

If you're arguing that is what Ruby Central should have done, that's a social engineering attack.

replies(2): >>45304659 #>>45307157 #
20. blibble ◴[] No.45303956[source]
it's the professional management class at it again

see: mozilla, nominet (recovered, thankfully)

replies(1): >>45307832 #
21. the_hangman ◴[] No.45304353{5}[source]
It's been a while, but if memory serves me correctly, the controversy at that time was actually about him unilaterally deciding that people at Basecamp shouldn't be talking about politics in off-topic Slack channels after people started trying to organize support for something he didn't agree with. IIRC something like 1/3 of the company quit at that time.
replies(2): >>45304669 #>>45305644 #
22. woodruffw ◴[] No.45304601{5}[source]
I’m not seeing how this is related to the subject of the thread. But also, I think DHH’s politics are manifestly controversial: downplaying that doesn’t make for a good argument.
replies(1): >>45305924 #
23. loloquwowndueo ◴[] No.45304659{3}[source]
It’s entirely possible to distinguish between legit internal communication and a phishing email. (It gets harder and harder every day but ultimately still possible)
24. zorpner ◴[] No.45304669{6}[source]
Specifically, it was in a meeting called by Jason Fried to address people who were concerned about the ongoing existence of an internal list of "funny customer names" (which by all accounts was extremely racist), in which Ryan Singer (who had reportedly previously posted a fair bit of politically right-wing content on internal forums -- those were all deleted when the "no politics at work" policy was rolled out) repeatedly asserted that white supremacy/privilege did not exist (he then resigned).

In the aftermath, DHH dug through old chat logs to find a time in the past when one of the people complaining about the list participated in a discussion about same without complaint, and posted it in a way that was visible to everyone saying that their prior participation meant that their current complaint was invalid.

Then they rolled out the no-politics-at-work policy in this post dated April 26 2021 -- I would encourage anyone interested in the specifics to read through the various versions and edits of this post made in the week following, all without noting that it was being actively changed: https://world.hey.com/jason/changes-at-basecamp-7f32afc5

replies(1): >>45305297 #
25. awilson5454 ◴[] No.45305218[source]
100%. I assumed this was inspired by the supply chain attack, but what a horrible way to address this. Reverting it back before revoking it a second time is even more bizarre. Severely mixed messages from leadership, perhaps?
26. schneems ◴[] No.45305297{7}[source]
“No politics at work” except for Dave who spends company time posting political blog entries on his company built platform.

FWIW I captured a timeline of events in this post but a lot of the Twitter links are dead now. https://schneems.com/2021/05/12/the-room-where-it-happens-ho...

27. krmbzds ◴[] No.45305644{6}[source]
Am I the only one who feels like discussing politics at work is inappropriate? While I'm not apolitical, I appreciate having a space where the constant bombardment of politics is momentarily absent. It's refreshing to focus on work without the need for political discourse.
replies(2): >>45307358 #>>45309500 #
28. TehCorwiz ◴[] No.45305713[source]
> Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.

Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone.

replies(1): >>45305871 #
29. byroot ◴[] No.45305871[source]
> Several of the people removed are employees or contractors of Ruby Central.

Who?

> Not to mention it's post-facto in that they did all of this before notifying anyone.

Isn't that pretty much the number one rule when restricting accesses? First remove accesses, then communicate?

replies(1): >>45306633 #
30. krmbzds ◴[] No.45305924{6}[source]
Yes, the argument was: You shouldn't freeze the bank accounts of people (trucker or not) just because you disagree with them. I don't see how this can be seen as controversial. The relation to the subject of the thread is Ruby Central. Here's the relation: https://www.mermaidchart.com/play#pako:eNqrVkrOT0lVslJKL0osy...
31. gedy ◴[] No.45305953[source]
It’s not clear to me - did they entirely cut them off, or did they reduce their role as admin of the GitHub org?

If so, I'm not defending it, and I could understand why someone would feel insulted by that - but also get why an org doesn't want too many with elevated privileges.

replies(1): >>45306731 #
32. TehCorwiz ◴[] No.45306633{3}[source]
At least Ellen Dash, the author of the PDF the post links to.
replies(1): >>45306793 #
33. favorited ◴[] No.45306731{3}[source]
According to the author's PR where she removed herself as a maintainer, she lost commit access.

https://github.com/rubygems/rubygems/pull/8987

34. byroot ◴[] No.45306793{4}[source]
They haven't been contracted by Ruby Central since May by their own account: https://bsky.app/profile/duckinator.bsky.social/post/3lz7lec...

The other people I know who had their accesses removed have resigned from RC a while ago, and the one I still see with access on https://rubygems.org/gems/bundler are people I know are currently employed or contractors.

As far as I can tell, this part of the Ruby Central statement seems to check out. Now you can of course debate whether commit rights should be limited to employees, but I have no indication that they lied here.

35. mrinterweb ◴[] No.45307157{3}[source]
How would a heads-up email look like a phishing email? Blindsiding the maintainers like this is just cruel.
36. bigstrat2003 ◴[] No.45307358{7}[source]
No, you're not the only one. I think work should be a politics-free zone. We are there to get stuff done, not argue and hate each other.
37. observationist ◴[] No.45307796{3}[source]
Aim it right at my foot?

Are you sure?!

Well, ok, I'm not a lawyer, but... ok, fine, let's do it!

38. observationist ◴[] No.45307832{3}[source]
Mozilla is toast. It basically exists as a tax write-off for Google at this point, and serves no recognizable purpose beyond that, and maybe nostalgia.

How MBAs aren't synonymous with leeches by this point is the most amazing ongoing PR campaign in history. They do nothing but suck and suck and suck, and they keep sucking, and they will never stop sucking until their host dies, and then they just move on.

replies(1): >>45311674 #
39. tarellel ◴[] No.45308969[source]
This is just Ruby Central trying to get ahead of the news and save face before they end up looking like complete @$$ bags.
40. crote ◴[] No.45309500{7}[source]
The problem is that everything is political: if politics don't impact you, you are living a very privileged life.

On the one hand, I do agree that endless debating over relatively minor ideological differences is pointless, and only going to lead to time-wasting and resentment. I certainly have the same desire for some peace and quiet, and being able to focus solely on my work.

On the other hand, we live in a society where questions like "am I allowed to use the office bathroom" have been made political, and where your coworkers are genuinely worried about whether they'll get arrested and deported from the country for no reason whatsoever during next week's sprint planning. Their issues are real and by definition require the business as an entity to respond to political developments.

You might have the luxury of putting your head in the sand and pretending they don't exist, but that's not going to magically solve your coworkers' problems. Unless the company wants to restrict its hiring to the absolutely minuscule group of people who will never be impacted by politics, it'll have to engage in some level of political discussion.

41. immibis ◴[] No.45311674{4}[source]
Widespread recognition of what you said about MBAs is synonymous with class consciousness, which won't happen.