
104 points Qwuke | 1 comments
sc68cal No.45336997
This story is missing any context around what occurred. The only thing I was able to find was by searching, and I came to this PDF statement.

https://pup-e.com/goodbye-rubygems.pdf

> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,

> added non-maintainer Marty Haught of Ruby Central, and

> removed every other maintainer of the RubyGems project.

> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams

Which is important context that was left out of this board member's statement.

replies(4): >>45337310 #>>45337618 #>>45338226 #>>45338752 #
x0x0 No.45338752
How you can tell this is all lies from the board is simple:

> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

The first thing is they didn't tell them. The second bit is simple:

"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."

That email takes 10 minutes to write and send.

replies(3): >>45339074 #>>45340717 #>>45340924 #
1. gus_massa No.45340717
99% agree, but it's a very sensitive topic and I'd take like an hour to polish it.