104 points Qwuke | 2 comments
1. kragen No.45337058
I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)

I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.

Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.

replies(1): >>45338699
2. hluska No.45338699
> reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation.

There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.

Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.