←back to thread

Ruby Central's Attack on RubyGems [pdf]

(pup-e.com)
659 points jolux | 1 comments | 19 Sep 25 08:09 UTC | HN request time: 0s | source
Show context
drbragg ◴[19 Sep 25 12:34 UTC] No.45300936[source]
Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?
replies(2): >>45300982 #>>45301089 #
woodruffw ◴[19 Sep 25 12:48 UTC] No.45301089[source]
I think the missing piece here is that almost every person publicly involved with RubyGems’ development has left the project in recent weeks. I don’t have any special insight here, but from an outsider’s perspective it seems as through Ruby Central is trying to turn a former “host” relationship into a “control” relationship.
replies(2): >>45301469 #>>45302506 #
nevinera ◴[19 Sep 25 13:29 UTC] No.45301469[source]
I think you're right, but I suspect the root here is one of legal liability - if rubycentral is operating as a nonprofit that hosts _a recurring attack vector on other companies_, they'll have legal obligations to secure that service against those attacks. I assume they are continuously deploying out of that repository, and took the simplest route to controlling the attack vectors?

I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here).

(I'm mostly thinking in terms of supply-chain attacks, like this one: https://blog.rubygems.org/2025/08/25/rubygems-security-respo...)

replies(2): >>45301909 #>>45302420 #
woodruffw ◴[19 Sep 25 14:14 UTC] No.45301909[source]
That would be a pretty broad assumption of liability: I'm not very involved in Ruby but I am involved in Python packaging, and to my knowledge there's been no similar discussion around the PSF's keys-to-the-code control over PyPI (which is in a similar position in terms of supply chain attack vectors).

In other words: that argument is interesting, but it feels strained to me :-) -- I don't think RubyGems or Ruby Central is actually legally liable in this way (or if they are, it suggests a failure of clarity in their EULA/TOS).

replies(1): >>45302746 #
1. nevinera ◴[19 Sep 25 15:31 UTC] No.45302746[source]
Well.. "legal liability" is kind of complex topic. Usually what really matters isn't "what the courts will actually determine if such a case is brought" it's "how much will it cost to prove that lack of liability, and what is the risk that we are wrong?". I also don't believe that such an organization is liable for anything beyond negligence, but whether the lack of an action constitutes negligence is .. well, one can rarely be totally confident in the outcome of that kind of proceeding.

The (mostly PR) explanation they produced seems to express roughly the same thing I was guessing though: https://rubycentral.org/news/strengthening-the-stewardship-o...