←back to thread

Ruby Central's Attack on RubyGems [pdf]

(pup-e.com)
659 points jolux | 4 comments | 19 Sep 25 08:09 UTC | HN request time: 0.614s | source
Show context
thomascountz ◴[19 Sep 25 14:09 UTC] No.45301861[source]
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler

https://rubycentral.org/news/strengthening-the-stewardship-o...

replies(13): >>45301914 #>>45301919 #>>45301946 #>>45302039 #>>45302069 #>>45302082 #>>45302089 #>>45302099 #>>45302120 #>>45302227 #>>45302468 #>>45305713 #>>45308969 #
thomascountz ◴[19 Sep 25 14:32 UTC] No.45302120[source]
I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile take-over, and that that would expose Ruby Central to some legal liability, if not a complete loss of control.

I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath.

Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are now squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again."

...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now...

replies(1): >>45302228 #
1. loloquwowndueo ◴[19 Sep 25 14:44 UTC] No.45302228[source]
1. You lock everyone out of the org for whichever valid but idiotic reason. 2. The instant you do, you send them all an email explaining the situation.

That’s how you do it in those cases. You don’t blindside them and then wait for them to react, restore their access back (which totally negated and nullified the “I wanted to preempt a takeover attempt” argument) and continue to skulk around instead of being open about it.

replies(2): >>45302276 #>>45302475 #
2. thomascountz ◴[19 Sep 25 14:48 UTC] No.45302276[source]
You're completely right. In a generous interpretation, having so little communication over such a long period is where this went wrong. In any case, having your highly-tenured team dissolve and feeling like things were "hostile," is an indicator that you'll need to do better. Then again, who knows what the goal actually was? Maybe this went perfectly to plan. Given there was nothing approaching an acknowledgement of regret or apology in the press release, maybe this went exactly to plan.
replies(1): >>45303021 #
3. chao- ◴[19 Sep 25 15:07 UTC] No.45302475[source]
Seconding this.

Ruby Central is not a large organization by headcount, but in terms of impact, it is massive. Any person up to the task of leading an organization like this must know that drastic, public action involving long-term contributors will necessarily require an explanation. Inevitably. They must also know that in an information vacuum, people will assume the worst.

This is not difficult to foresee.

I truly hope this is settled without too much collateral damage, and I hope that the people in leadership learn a lesson about communication.

4. ryandrake ◴[19 Sep 25 15:51 UTC] No.45303021[source]
It reads like the confrontation-avoiding Office Space solution: "We fixed the glitch [...] so it will just work itself out naturally."