So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Is it? Anybody could publish to Rubygems. Baring obviously malicious packages that happened to get noticed by a researcher, what trust were folks placing in Rubygems?
The package repository going rogue is a significant escalation compared to merely having individual malicious packages that go undetected. You can't possibly argue that those two are the same.
To put my cards on the table: RubyGems.org seems plenty trustworthy to me. They seem to be shitty at communication, but locking down production access to systems in light of the state of supply chain attacks in 2025 is the kind of thing that reduces the risk of rogue repo-level activity.
But to your comment: I'm not arguing the same, I'm arguing that the results are the same. If I'm consuming packages from a repo, and I care about the security of the thing I'm running, I need to think about how I know I'm getting legitimate code that does what I expect it to do. One of the risks to that is malicious developers at the package level (either outright malicious or stolen publish credentials). Another is malicious substitution by the package repo. The detection strategies and next steps are different but as a consumer of code, bad code is a risk regardless of who injects it.
Nonsense. The solution to a malicious package is to not use that single package. The solution to a malicious package repository is to abandon that package repository entirely.
Also, you don't secure a package repository through hostile takeovers, and you certainly don't build trust with such an obvious lie. Claiming that the current rubygems.org is in any way trustworthy is utterly absurd.
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there's plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
Using .coop is actually a costly signal that you are, in fact and in law, a cooperative; and intend to stay one; since non-cooperatives are not allowed to occupy those domains. Dot Org, while it's used by a lot of well known organisations, is an open domain that anyone can register in.
Of course, it's also true that many people won't have the spare time to find that out.
> My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io)
This is so funny to hear after 18 years in the west coast silicon-valley lead tech industry. All of the app, io, tv, tech, guru, and now ai I've seen and only when it's "coop" does anyone complain.
I'm pretty sure people have been complaining about weird TLDs for as long as I've been on the internet. .guru, .tech, and .app are all equally untrustworthy to me. I don't recall seeing any .tv websites other than twitch. .io and (only recently) .ai are used often enough that it's contextually plausible a legitimate company would use one of those TLDs as their first choice, but if someone linked to chatgpt.ai or chatgpt.io for example, I'd still assume it's a scam.
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
I view ".coop" quite highly given it is restricted to actual, legally recognized, cooperatives. Its definitionally more meaningful and "trustworthy" than .com or .org
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
It seems unrealistic to believe that packaging infrastructure can just “sit there,” particularly in light of changing expectations around the bare minimum a packaging ecosystem should do to protect its users. I think a more reasonable assumption would be that the (former) RubyGems team did a good job, which translated to boring normality for you.
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
Rubygems has 216 open issues right now.[0] Do you think some of them should be addressed? Without maintenance, and any PR's getting merged, they won't.
Churn is not just rate of commits it is the changing of the same lines/files/functions repeatedly, AI answers seem to get this wrong a few places I checked which is interesting. Rate of change in itself is not 'instability', it can be a sign of new ideas emerging or lot of other positive things.
Package management cannot be a 'solved problem' or there would be no innovation there, and you don't have to look far to find is not the case.
As for the idea that rubygems is 'dead' (not what mperham said), that is still too early to say for sure, as I imagine mperham would also agree, but it is definitely not a good sign. If we only get a trickle of changes to something that was once a very vibrant and lively community repo then that is to the detriment of the whole Ruby ecosystem. That would also be a bad sign.
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
Only “minor” because they were in fact wrong about André being a risk. Had he been a real risk, this would have been about as major as it gets. They left him with root production AWS console and full production database access.
Fortunately he’s a standup guy and not a real security risk, so he emailed them immediately to let them know.
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
> So, ignoring everything that got us here, what do people think about this?
It's fine. Keeps all the complainers away from the larger ecosystem.
I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
I think you may have misread it. The original claim is:
> This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
Steve said "that didn't happen to me" and then Aaron said "that definitely did happen to me". Seems pretty relevant. I don't think he was claiming steve was wrong in not having heard that, but Aaron was saying it did happen to him, so the claim is true.
(and in terms of evidence, do you want him to share the emails he got? A first hand account seems enough evidence to me)
Seems pretty unambiguous, and a good reason to chime in.
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
Altogether, it demonstrates how Andre misled his audience on who was getting the money. IMO, I see a distinct pattern of him crossing boundaries and then covering it up using his social skills & friend group.
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
- uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
- that's a nice moat!
- Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
- Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
- After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit. Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
- I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people. This is just as bad to me as the Ruby Central situation right now.
The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
So GitHub would be one option. Developers already discover all kind of things there. And each gem can still be provided by its “main repository”, but I don’t mind on whatever domain that repository is located. Somewhat how container images are referenced/distributed already. I think go already does it like that too.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
1. Heavy dependency on Github. AKA Microsoft owns much of the golang ecosystem. Not just the source... The package distribution as well!
2. Many packages are referencing a git (short!) commit hash instead of a version. It still boggles my mind that this is an acceptable practice. Not to mention that git tags can be deleted and recreated... A pinnacle of secure package distribution practices.
3. Stuff like ambiguous imports because apparently nothing enforces proper go.mod files? They are not packages to be compiled after all, they're just repos with some conventional structure (optional)...
Mind you, this is popular production-grade software...
I think this is much worse than even node packages, let alone bundler and rubygems...
1. GitHub dominance is a social phenomenon, not a technical requirement. The go.mod file you linked references ~14 different Git hosts other than GitHub. Go's design doesn't create this centralization; it merely reflects where developers choose to host code.
2. You complain about commit hashes while simultaneously noting that tags can be deleted and recreated. Hashes are precisely the solution to mutable tags. The "short hash" concern is a red herring; Git uses sufficient entropy that collisions are not a practical concern for dependency resolution.
As for "secure package distribution," go.sum files verify files verify consistent downloads. What additional security do you believe centralized registries provide?
3. Can you provide a concrete example of an ambiguous import you've encountered? I'm not familiar enough with Go to understand this criticism.
Exactly. This 'social phenomenon' should have been taken into account when designing a packaging system so that the language's ecosystem does not end up entirely dependent on Microsoft due to 'social reasons'.
> The go.mod file you linked references ~14 different Git hosts
Of which the non-github ones account to what... 15% of the deps in the file?
> You complain about commit hashes while simultaneously noting that tags can be deleted and recreated
Yes. Not using versions (semver) is a bad call, and having people be able to mutate the code of a version is a very bad call. Once a version has been tagged, the only viable choice must be to pull that version and push a new higher version.
> As for "secure package distribution," go.sum files verify files verify consistent downloads
Based on git's hash.
> Git uses sufficient entropy that collisions are not a practical concern
Unless crafted by an adversary? Git's sha1 hashes are not a security tool and must not be used in place of code signing.
They are also not good for versioning, as you can't deduce whether a commit introduces breaking changes. Rubygems has the ability to reference git repos. It's always a pain to update these compared to other semver deps -- you have to go to github and do a comparison between the old and new hashes to try and deduce whether bumping this will break you.
> Can you provide a concrete example of an ambiguous import you've encountered
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
I think the issue that you overlook is that you assume this group of individuals is trustworthy.
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
I feel like a change to the way gems are distributed/downloaded could fix this. Unfortunately, the very powers that could make that happen are the powers that control the software and infrastructure, and have the least incentive to improve things.
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
Drama and forking aren't going to kill Ruby. This is a move like the one from Freenode to LiberaChat: hostile entities take over $thing, sensible people move on to $newthing, the new normal settles around $newthing.
Silencing and excluding such people from open source is the right thing to do because failure to do so means forcing others to interact with people who are hostile to their very existence.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security".
You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design.
You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
Well the site is blocked on my company laptop (reason given: newly registered domain), so it will be a rocky start for them. I love a good vanity domain but using a traditional .org domain probably would have been better, too.
My 2c is that 95% of ruby developers aren't aware of the drama going on around Rubygems.org right now. They have probably seen emails from Ruby Central but largely ignore them and move on with life. Most people have no idea there are issues and they will just continue using Rubygems.org. Getting a project like this to critical mass is incredibly challenging.
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
Is world.hey.com/dhh a personal blog? It's literally on his company's domain... At least in the company slack your fash opinions would reach just your poor colleagues...
> initially his own, but eventually others—by paying themselves a market hourly rate
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
hard disagree. For a project like this, all members should be paid a fair, but not "get rich" sum. There are companies out there that pay EVERYONE the same salary, all the way from CEO to janitor. Mysteriously, those companies don't have folks trying to hijack things, because nobody benefits.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
"Market rate" is not neutral. It is a wage‑fixing device that standardises labour pay while letting profits float to shareholders. Treating it as holy writ is how extraction is hidden in plain sight.
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
This project is or will be a worker-owned co-op, as evidenced by the strict requirements placed on anyone who registers a .coop domain name. I imagine at least equal ownership (if not risk and power) is a given in this specific instance, and profits will explicitly not flow upwards to shareholders who are not also workers.
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
Extremism is in the eye of the beholder. Trying to kick a founder out of a hugely successful project because he thinks there has been too much immigration to London is also an extremist view.
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again.
Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
Those "histrionics" were your own words, slightly duplicated, with "say something like" added. While I don't disagree with this comment, I would recommend that you take the implied advice before expecting others to.
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
Basically just a blog post from some guy aghast that DHH has different political opinions to him. I'm politically on the left too but I can't imagine getting so incensed about someone else having right-leaning views.
Do these people never leave the house to meet anyone outside their echo chamber? The mind boggles.
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
Afaik rubygems kicked some long term contributors and stole the entire project. Thats some serious red flags for me. At what point rubyruby gems does something nasty is only a matter of time. They could start to gatekeep or even worse add some sort of paid version.
Anyway.. a core piece of infra like this needs to be open for anyone and not closed for some shady entrerprize.
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
Interesting, I only knew who he was through his "Leaving the cloud" serie of posts.
I am just trying to draw a parallel between the two to try to understand its broader ideology. So some might say both big cities like London and hyperscaler like AWS are:
- very expensive and have become unaffordable for many actors
- limit your freedom to scale and accommodate a very broad range of guests
- under massive surveillance and control
where the comparison stops is:
- AWS offers pretty good security but London is not (and hasn't for a long time)
- It is pretty easy to get kicked out of AWS if you do not follow the rule or pay
NYC has roughly the same stats - 40% of the residents there are foreign-born. This is more to do with low birth rates by natives, so population growth in NYC and London is entirely driven by immigration. The biggest problem is that it's too expensive for most people to have and raise kids in major cities.
What was more troubling to me was that he called the Tommy Robinson rallies "heartwarming". TR was a member of an explicitly fascist, white nationalist party. The rallies were full of signs calling for death to Muslims. Or, in the same blog post, his disproven claims of migrant gang r*pes. On top of that, he has written some really vile things about transgender people.
I would like to go to a tech conference and focus on Ruby, not politics. I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
> I suspect these "really vile things" will turn out to be not so vile (like JKR)
"Not so vile" things like spreading lies about a female Olymics Boxer's gender, calling her terrible names, and inciting her online followers to harass her? She not only bullies transgender individuals but also targets other women who don't meet her own standards of femininity. If you have no problems with people like that, no wonder you can't fathom why the Ruby community has trouble accepting similar people with open arms.
Evidence for thee, but not for me? You write with such authority on this topic, yet you insist on demanding evidence for even the most basic knowledge surrounding it.
Consider what this conversation was actually about - a male sexual predator, caught pleasuring himself in the showers attached to a girls' changing room, who claimed, when caught, to have a female gender identity:
Setting aside that you're passing claims from a far-right troll as facts, that still doesn’t make it acceptable to equate trans women with sexual predators, both morally and logically. Or are you suggesting that if you can find one male sexual predator, it justifies equating all males with predators? I have a feeling you’d be up in arms about that.
Anyways, it's clear that you're intent on dehumanizing others, even creating a new account for the sole purpose of saying the most vile things, so I'll stop replying here.
The reason that this male sexual predator was allowed to use the female changing room and showers is because he claimed to have a female gender identity.
This illustrates the safeguarding risk in allowing males to use female spaces on the basis of simply saying that they identify as female. It ends up with situations like this: a registered sex offender pleasuring his erect penis in a shower area that young girls are using, and a reluctance of the authorities to stop him and file charges because they're in the thrall of policy that deems self-declared gender identity to be unquestionable.
> are you suggesting that if you can find one male sexual predator, it justifies equating all males with predators
For the purposes of safeguarding, yes. This is much of the reason why we have female-only spaces in the first place, as a preventative against male predation.
Not all males are predatory, but one can be quite sure that the subset of males who disregard and ignore women's and girls' boundaries are. Including the sex offender being discussed in that Twitter conversation. And any other male who demands access to female spaces.
Oh sorry I thought you were talking about DHH. I've been trying to find a link to something awful that he's said but nobody has one.
And as for that incident, "spreading lies" is clearly an exaggeration. That boxers gender is at best debatable. She's clearly on the awkward boundary between genders that sport (and society in general) doesn't really know how to deal with.
> literally equating trans women with sexual predators
Not what she was saying. She was calling out an only-true-scotsmen argument.
Shame on you for promoting libel by spreading unverified claims as fact. Have you even paused to consider what it's like for those on the receiving end of such harmful lies? Or do you, like JKR, revel in it even more after you've thought about it?
The evidence indicates that Khelif is male, with male physiological advantage, and therefore should never have been competing in women's boxing. And it is a matter of record that Khelif withdrew from the Eindhoven Cup rather than take the sex verification tests required to compete.
That proposed lawsuit mentioned in your BBC article near the end of 2024 went nowhere, by the way. How could it? The facts show there was no libel.
I'm not. It's true that I dislike Ruby and prefer everyone would abandon it, but that's orthogonal to the issue we're discussing. In fact I'm saying that the Ruby community is being stupid and shooting themselves in the foot by characterizing relatively mainstream right wing views as "extremism".
If I was being disingenuous I should really encourage this schism!
> It
Dunno if you're a native English speaker or not but the normal way to refer to someone of unknown gender is "they". "It" is offensive.
This doesn't preclude extreme. Not commenting on whether the community's is shooting themselves in the foot or not, just that the reason provided is not a good one for believing so.
> If I was being disingenuous I should really encourage this schism!
I do not think that you are necessarily being disingenuous but misunderstanding the difference of opinion in this way actually seems to encourage said schism.
You have misunderstood why people use the term "extremism".
> Mainstream views can't be extreme by definition.
Of course they can; mainstream views can't be uncommon by definition. Extreme doesn't strictly mean uncommon (not even in a political context), it is also used to mean "high degree", which can include distance from political centrism but can also include, e.g., frustration or flavor of cookie. To give another example, various online "challenges" like the "ice bucket challenge" are extreme but were also relatively mainstream when they were commonly performed and posted online; the term "ice bucket challenge" is still mainstream and the challenge itself is extreme (in fact, the reason it's called a "challenge" is because it is extreme).
Thinking there's too many immigrants might be mainstream (it currently is) but whether or not it's extreme depends on the degree to which it's believed. If it's believed to a high degree (such as "immigration is the worst thing about the capital city of this nation") by a large number of people then it is an extreme mainstream view by definition.
> various online "challenges" like the "ice bucket challenge" are extreme
Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
In a political context it literally means "far from the norm". His views are not far from the norm, as much as you might hate that. (I'm not a huge fan either but I'm not going to distort reality to make myself feel better.)
> In a political context it literally means "far from the norm".
No, this is simply what you want it to mean, keeping in mind you're trying to tell other people what they mean with their word choice. Extreme views can be normal and mainstream and typical. There are many normalized-but-extreme views in current mainstream politics.
> Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
Pouring a bucket of ice water on your head to bring attention to something is extreme. Like, it's over-the-top and exaggerated. You can disagree but that's kinda moot: someone isn't strictly wrong that it's extreme, you just disagree. You still didn't address the greater point that extreme, as it's being used, is orthogonal to mainstream.
But I guess I can link to a dictionary so you can see that I have a pretty normal (and mild) definition of the word in question. I hope you don't cherry-pick definition 1c, ignoring definitions 1a and 1b, which are, of course, valid.
Maybe 4 is the best definition, seeing as it gives "the extreme political left" as an example usage. It's not obvious to me how "advanced and thoroughgoing" means "not mainstream", though. I wouldn't mind an explanation.
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
Ruby Central is a company that manages rubygems.org and rubygems. The maintainers who were locked out were being paid by Ruby Central while fundraising for their startup creating a competitor.
Doesn't it seem like a bit of a security risk to you?
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?
So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
[0] https://news.ycombinator.com/item?id=45490386
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Trustworthiness is far more important for a package manager. No amount of storage or bandwidth can compensate for an untrustworthy package manager.
Is it? Anybody could publish to Rubygems. Baring obviously malicious packages that happened to get noticed by a researcher, what trust were folks placing in Rubygems?
The package repository going rogue is a significant escalation compared to merely having individual malicious packages that go undetected. You can't possibly argue that those two are the same.
To put my cards on the table: RubyGems.org seems plenty trustworthy to me. They seem to be shitty at communication, but locking down production access to systems in light of the state of supply chain attacks in 2025 is the kind of thing that reduces the risk of rogue repo-level activity.
But to your comment: I'm not arguing the same, I'm arguing that the results are the same. If I'm consuming packages from a repo, and I care about the security of the thing I'm running, I need to think about how I know I'm getting legitimate code that does what I expect it to do. One of the risks to that is malicious developers at the package level (either outright malicious or stolen publish credentials). Another is malicious substitution by the package repo. The detection strategies and next steps are different but as a consumer of code, bad code is a risk regardless of who injects it.
Nonsense. The solution to a malicious package is to not use that single package. The solution to a malicious package repository is to abandon that package repository entirely.
Also, you don't secure a package repository through hostile takeovers, and you certainly don't build trust with such an obvious lie. Claiming that the current rubygems.org is in any way trustworthy is utterly absurd.
TFA is about a new server/registry hosting for community gems. Not a fork of Bundler.
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
Read https://en.wikipedia.org/wiki/.coop
Think about all of the organisational structures you know of.
Then ask yourself how is a cooperative fundamentally untrustworthy?
My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there's plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
Using .coop is actually a costly signal that you are, in fact and in law, a cooperative; and intend to stay one; since non-cooperatives are not allowed to occupy those domains. Dot Org, while it's used by a lot of well known organisations, is an open domain that anyone can register in.
Of course, it's also true that many people won't have the spare time to find that out.
> My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io)
This is so funny to hear after 18 years in the west coast silicon-valley lead tech industry. All of the app, io, tv, tech, guru, and now ai I've seen and only when it's "coop" does anyone complain.
I'm pretty sure people have been complaining about weird TLDs for as long as I've been on the internet. .guru, .tech, and .app are all equally untrustworthy to me. I don't recall seeing any .tv websites other than twitch. .io and (only recently) .ai are used often enough that it's contextually plausible a legitimate company would use one of those TLDs as their first choice, but if someone linked to chatgpt.ai or chatgpt.io for example, I'd still assume it's a scam.
Nothing here instills trust or makes me want to learn more.
https://register.coop/
https://register.coop/services/
That website isn't the official registry. The .coop TLD has been operated since 2002, with the official registry at https://identity.coop.
Neither the current authorized registrar list (https://identity.coop/register) nor the archived 2013 list (https://web.archive.org/web/20131019082806/http://www.nic.co...) includes register.coop. Where did you find this site?
I saw someone else saying something about the domain name, but I didn't really give it a second thought when I read it.
Can you explain what the issue is?
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
It's one of those "attractive distractions" that us nerds like to bikeshed over.
Honestly, after "tweet" caught on as a verb, I've given up on thinking that we have any sort of crystal ball when it comes to names.
I view ".coop" quite highly given it is restricted to actual, legally recognized, cooperatives. Its definitionally more meaningful and "trustworthy" than .com or .org
What? Which part of the word "co-op" sounds like a "childish revenge attempt"?
https://en.wikipedia.org/wiki/Cooperative
It's a word that nicely captures their objectives.
Maybe they read it like “coup”?
Chicken.coop
Coop as in co-op, as in “co-operative”.
> It's more like a childish revenge attempt.
Gaslight much? "coop" implies intention and direction...you know, that thing that rubygems.org could have used?
Isn't that how golang works?
I remember some complaints about the traffic that it produced[0] (though I don't think it's a bad idea. Basically federated downloads).
[0] https://sourcehut.org/blog/2023-01-09-gomodulemirror/
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
I believe the CDN is provided for free by Fastly. Not sure about other funding at the moment.
> It kind feels like this fork is the better maintained piece of software now.
Which fork of what software..?
> We’re excited to introduce gem.coop – a new server for gems in the Ruby ecosystem.
This is a new hosting service for gems, not a fork of bundler. Or is there missing context?
re: funding model, looks like it's TBD[0]
[0] https://bsky.app/profile/indirect.io/post/3m2j2pcinz22j
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
True, but this is a new beginning.Give time and credit to build an alternative. I think another repo server will not harm anyone in the long run
It's bittersweet.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
It seems unrealistic to believe that packaging infrastructure can just “sit there,” particularly in light of changing expectations around the bare minimum a packaging ecosystem should do to protect its users. I think a more reasonable assumption would be that the (former) RubyGems team did a good job, which translated to boring normality for you.
> so I'm happy if it just gets small / stability fixes
Seems like you're the ideal consumer for this new service, since it actually has people who can do that.
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
the rv thesis is here: https://andre.arko.net/2025/08/25/rv-a-new-kind-of-ruby-mana...
> I'd also like a private rubygem instance
that was always possible https://guides.rubygems.org/run-your-own-gem-server/
(there's also "gem server")
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
[0] https://www.bleepingcomputer.com/news/security/60-malicious-...
[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
Lockfile checksums are quite new and useful.
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
I don't plan on switching to a rubygems fork that does not offer technical/security benefits over the original.
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
For me, having the software be maintained (and have a security engineer working on it) feels like a security benefit.
Does the original have many maintainers left?
It has allegedly been taken over by Shopify. I expect it to be very well maintained. The issues are of ethical character.
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
Rubygems has 216 open issues right now.[0] Do you think some of them should be addressed? Without maintenance, and any PR's getting merged, they won't.
[0] https://github.com/rubygems/rubygems/issues
Churn is not just rate of commits it is the changing of the same lines/files/functions repeatedly, AI answers seem to get this wrong a few places I checked which is interesting. Rate of change in itself is not 'instability', it can be a sign of new ideas emerging or lot of other positive things.
Package management cannot be a 'solved problem' or there would be no innovation there, and you don't have to look far to find is not the case.
As for the idea that rubygems is 'dead' (not what mperham said), that is still too early to say for sure, as I imagine mperham would also agree, but it is definitely not a good sign. If we only get a trickle of changes to something that was once a very vibrant and lively community repo then that is to the detriment of the whole Ruby ecosystem. That would also be a bad sign.
I expect a lot of people will stop pushing gem updates to `rubygems.org` once `gem.coop` supports publishing directly to namespaces.
Yes, I will be one of those people.
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
Only “minor” because they were in fact wrong about André being a risk. Had he been a real risk, this would have been about as major as it gets. They left him with root production AWS console and full production database access.
Fortunately he’s a standup guy and not a real security risk, so he emailed them immediately to let them know.
I missed that. What happened?
https://joel.drapper.me/p/ruby-central-security-measures/
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
Don't think it will be the TLD specifically. Most corporate firewalls block domains under a certain age, so it will just be a matter of time.
Really? Maybe I'm naive, but why would .coop be blocked?
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
.xyz is kind of infamous for being in this situation. https://news.ycombinator.com/item?id=28554400
I have no idea if that applies to .coop though.
How does `.coop` get used for spam when you need to prove you’re an actual cooperative to get one?
.xyz is open registration and is known to be a spam/abuse source. .coop is restricted to legally-formed cooperatives. Apples and oranges.
I wonder if you can count on some crappy enterprise firewall to make that distinction.
Pretty sure it is because they are cheep for the first year. And the blocks are often for domains younger than one year, instead of whole tld.
coop has around 12 years of age on xyz at least.
seems like an easy fix in a month with a new TLD though.
How will anything ever change we're still guilted into thinking about crappy default corporate firewalls when choosing a TLD?
Though there's no way that this is something you care about, cmon.
Most places seem to manage.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
Ah yes, "slam in" to a situation is definitely the correct terminology for forking a project that was seized from you by a hostile party.
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
Is there evidence that corporate firewalls commonly block .coop?
> So, ignoring everything that got us here, what do people think about this?
It's fine. Keeps all the complainers away from the larger ecosystem.
I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
[1]: https://socket.dev/blog/gem-cooperative-emerges-as-a-communi...
I suspect many of these maintainers are making absurd ultimatums of RubyCentral.
That's a strange suspicion. Why?
Because many mass-resigned unless Andre was re-instated.
I think many mass resigned when their commit access was taken away from their own project by a company that doesn't have a right to do that.
Some people might consider that a dick move.
Given some of the ways Andre Arko gets described (See https://justin.searls.co/posts/why-im-not-rushing-to-take-si... for a recent overview) I'm a little wary of what the motivation behind this is.
This reads like a hit piece based on a personal vendetta. I'd be careful how much weight to give this.
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
Okay, if you got emails, you got emails, but I did not.
I absolutely wouldn't want people to think that I'd be getting the money, so I think clarifying it was a good thing, regardless.
It's so weird of you to jump in like this, man.
It's weird for people to try and set the record straight when you mention them by name?
Can you explain what you find so weird? From what I can tell, the GP is adding useful information using his firsthand experience.
Did they? No evidence and worded to suggest Steve didn’t experience it, that counts as useful information now?
I think you may have misread it. The original claim is:
> This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
Steve said "that didn't happen to me" and then Aaron said "that definitely did happen to me". Seems pretty relevant. I don't think he was claiming steve was wrong in not having heard that, but Aaron was saying it did happen to him, so the claim is true.
(and in terms of evidence, do you want him to share the emails he got? A first hand account seems enough evidence to me)
Seems pretty unambiguous, and a good reason to chime in.
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
[1] https://web.archive.org/web/20150919025358/https://rubytoget...
[2] https://web.archive.org/web/20150919025603/https://rubytoget...
Your links are off-base. They're from September 2015, which is months after Andre Arko was told to revise the /teams page.
Since no /teams page was archived before March 2015, here's the Github commit of the overly vague team page https://github.com/rubytogether/rubytogether.org/blob/9a03c4.... This page was linked from https://web.archive.org/web/20150425040538/http://RubyTogeth... which stated "We pool funds from corporate and individual members to pay our team[github link]"
Altogether, it demonstrates how Andre misled his audience on who was getting the money. IMO, I see a distinct pattern of him crossing boundaries and then covering it up using his social skills & friend group.
I just want to know how much was David Radcliffe getting paid for his time?
It's all good, you were quoting the blog post.
Frankly that page is even more clear than I remembered. All of this happened so long ago.
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
Does it? Seems pretty detailed with plenty of easily verifiable details...
To take the maximally negative view of things:
The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
[0]: https://astral.sh/blog/introducing-pyx
My mistake, I completely misread your comment and thought you were _only_ talking about `rv` as opposed to both `uv` and `rv`!
spinel is the company spun up around rv, ruby's uv version.
https://spinel.coop/
"If it's free, you're the product"
It’s amazing to see the open source community step up like this. Kudos and gratitude to everyone that made this happen!
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
Just a thought of mine: why don’t we switch fully to git? Commit signing, tag signing, Decentralize. Doesn’t that sound like a good alternativ?
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
git bundles exist to solve the single-file caching and distribution problems
Going crazy: we cold also adopt the container registry api for distributing gems, similar to how helm charts are also distributed nower days.
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
So GitHub would be one option. Developers already discover all kind of things there. And each gem can still be provided by its “main repository”, but I don’t mind on whatever domain that repository is located. Somewhat how container images are referenced/distributed already. I think go already does it like that too.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
Exactly. Go already adopts that.
Well, rubygems (the software) can pull from any git repository. So we kind of have it already anyway.
You've seen golang's package... situation?... and you still think switching to Git is a good idea?
What "situation"?
Let's review for example Traefik's dependency list: https://github.com/traefik/traefik/blob/master/go.mod
1. Heavy dependency on Github. AKA Microsoft owns much of the golang ecosystem. Not just the source... The package distribution as well!
2. Many packages are referencing a git (short!) commit hash instead of a version. It still boggles my mind that this is an acceptable practice. Not to mention that git tags can be deleted and recreated... A pinnacle of secure package distribution practices.
3. Stuff like ambiguous imports because apparently nothing enforces proper go.mod files? They are not packages to be compiled after all, they're just repos with some conventional structure (optional)...
Mind you, this is popular production-grade software...
I think this is much worse than even node packages, let alone bundler and rubygems...
1. GitHub dominance is a social phenomenon, not a technical requirement. The go.mod file you linked references ~14 different Git hosts other than GitHub. Go's design doesn't create this centralization; it merely reflects where developers choose to host code.
2. You complain about commit hashes while simultaneously noting that tags can be deleted and recreated. Hashes are precisely the solution to mutable tags. The "short hash" concern is a red herring; Git uses sufficient entropy that collisions are not a practical concern for dependency resolution.
As for "secure package distribution," go.sum files verify files verify consistent downloads. What additional security do you believe centralized registries provide?
3. Can you provide a concrete example of an ambiguous import you've encountered? I'm not familiar enough with Go to understand this criticism.
> GitHub dominance is a social phenomenon
Exactly. This 'social phenomenon' should have been taken into account when designing a packaging system so that the language's ecosystem does not end up entirely dependent on Microsoft due to 'social reasons'.
> The go.mod file you linked references ~14 different Git hosts
Of which the non-github ones account to what... 15% of the deps in the file?
> You complain about commit hashes while simultaneously noting that tags can be deleted and recreated
Yes. Not using versions (semver) is a bad call, and having people be able to mutate the code of a version is a very bad call. Once a version has been tagged, the only viable choice must be to pull that version and push a new higher version.
> As for "secure package distribution," go.sum files verify files verify consistent downloads
Based on git's hash.
> Git uses sufficient entropy that collisions are not a practical concern
Unless crafted by an adversary? Git's sha1 hashes are not a security tool and must not be used in place of code signing.
They are also not good for versioning, as you can't deduce whether a commit introduces breaking changes. Rubygems has the ability to reference git repos. It's always a pain to update these compared to other semver deps -- you have to go to github and do a comparison between the old and new hashes to try and deduce whether bumping this will break you.
> Can you provide a concrete example of an ambiguous import you've encountered
See end of linked go.mod
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
Mostly good. Monopolies stagnate. Competition helps drive innovation.
In open source too.
Great move to counter the hostile takeover of the RubyGems GitHub repo (not the rubygems.org repo) and organization by Ruby Central.
I hope they find financing to cover hosting costs.
I believe the hosting is already covered.
Is there anything more you can share about that? I guess I should just sign up to the newsletter and wait and find out...
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
https://web.archive.org/web/20251003112525/https://rubygems....
I think the issue that you overlook is that you assume this group of individuals is trustworthy.
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
> I think the issue that you overlook is that you assume this group of individuals is trustworthy.
Of course I do, because the original maintainers earned that trust over the course of years. That's not an issue.
Source lives here: https://github.com/gem-coop
The only public repo is a static website.
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
I feel like a change to the way gems are distributed/downloaded could fix this. Unfortunately, the very powers that could make that happen are the powers that control the software and infrastructure, and have the least incentive to improve things.
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
As a former Ruby dev, it makes me sad.
Drama and forking aren't going to kill Ruby. This is a move like the one from Freenode to LiberaChat: hostile entities take over $thing, sensible people move on to $newthing, the new normal settles around $newthing.
As for DHH, he's a far-right racist.
https://jakelazaroff.com/words/dhh-is-way-worse-than-i-thoug...
Silencing and excluding such people from open source is the right thing to do because failure to do so means forcing others to interact with people who are hostile to their very existence.
Is this not an overreaction to the rubygems rubycentral fiasco?
No.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
Important move to maintain a free community. I'm switching over to Gem.coop now.
Well the site is blocked on my company laptop (reason given: newly registered domain), so it will be a rocky start for them. I love a good vanity domain but using a traditional .org domain probably would have been better, too.
My 2c is that 95% of ruby developers aren't aware of the drama going on around Rubygems.org right now. They have probably seen emails from Ruby Central but largely ignore them and move on with life. Most people have no idea there are issues and they will just continue using Rubygems.org. Getting a project like this to critical mass is incredibly challenging.
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
What does “fash problem” mean?
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
Have you got any references for this claim?
Well, https://link.springer.com/article/10.1007/s10611-024-10144-y seems to claim there is a link for sexual crimes. This paper suggests that there is some delayed effect https://www.sciencedirect.com/science/article/pii/S092753712....
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
And no, I'm not saying that Danes are racist.
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
Denmark also has significantly lower rates of violence, crime, rapes and more. Sweden sees ~10 times more rapes than Denmark.
As a Norwegian I respect Denmark for putting its people first.
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
He posts about it on his personal blog, not on his company Slack.
Is world.hey.com/dhh a personal blog? It's literally on his company's domain... At least in the company slack your fash opinions would reach just your poor colleagues...
Everyone with a Hey.com email gets a world.hey.com account linked to your email. So yes it's a personal blog.
Hey.com is 37Signals' Gmail, not the company's private domain.
That's the part where the term "fascist" is misused to smear somebody they disagree with. It can be safely ignored.
I thought so but didn’t want to assume.
People really like to misuse terms like fascism these days, huh…
It's so crazy. He's a fascist because he said something about the chant population of London. And he didn't want politics at the work place
How the hell is any of that facism
If you know you know.
> initially his own, but eventually others—by paying themselves a market hourly rate
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
hard disagree. For a project like this, all members should be paid a fair, but not "get rich" sum. There are companies out there that pay EVERYONE the same salary, all the way from CEO to janitor. Mysteriously, those companies don't have folks trying to hijack things, because nobody benefits.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
"Market rate" is not neutral. It is a wage‑fixing device that standardises labour pay while letting profits float to shareholders. Treating it as holy writ is how extraction is hidden in plain sight.
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
This project is or will be a worker-owned co-op, as evidenced by the strict requirements placed on anyone who registers a .coop domain name. I imagine at least equal ownership (if not risk and power) is a given in this specific instance, and profits will explicitly not flow upwards to shareholders who are not also workers.
A brief announcement post: https://andre.arko.net/2025/10/05/announcing-gem-coop/
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
[flagged]
It's absolutely comparable. They both involve limiting rights and freedoms.
That's a strawman, because that isn't about the value of my life or my personhood.
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
> that's a worldview I have very little time for
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
Extremism is in the eye of the beholder. Trying to kick a founder out of a hugely successful project because he thinks there has been too much immigration to London is also an extremist view.
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
Are you neighbors illegal aliens?
If you believe we shouldn't have borders than just say so.
I'll put it like this.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
It's a matter of boundaries, and speaking up.
Silence can also indicate disapproval.
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
This is a lot more than just US identity politics, as shown by the fully idiotic take on London he did.
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again. Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
[flagged]
> If you actually cared about people devaluing your life you should also be outraged at any Mormons/Muslims/etc in power.
Not everyone is a fundamentalist.
Please stop with this type of ridiculous hyperbole.
People would be less inclined to say ridiculous things like this if they didn't keep happening.
When was the last torture camp in the USA?
Well the most famous one is conveniently not on US grounds, but operated by the US (Guantanamo). And then there is https://phr.org/our-work/resources/endless-nightmare-solitar....
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
If you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless.
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
Do you really not understand how unhinged you sound when you resort to such histrionics?
Those "histrionics" were your own words, slightly duplicated, with "say something like" added. While I don't disagree with this comment, I would recommend that you take the implied advice before expecting others to.
Not everyone involved in open source has a boss. I don't care what a boss would hypothetically do to me, so that's not helpful guidance.
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
Ah. So just good old fashioned bigotry.
Generally, bigotry is bias based on immutable traits. Beliefs are not immutable.
[flagged]
Oh, of course.
To a right-winger, safety is bigotry and hatred is love. Of course, how else could it ever be.
Do you really care about freedom if you don't let white nationalists abuse everyone and everything in their power all the time?
[flagged]
Is this political or does it have actual technical merit?
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
Why?
why's (poignant) Guide to Ruby
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
[1]: https://news.ycombinator.com/item?id=27286628
[2]: https://news.ycombinator.com/item?id=27207734
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
He is employee of Shopify, which is a side in all this. I would take these conspiracy theories with a grain of salt at least.
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
Politically-charged ultimatums _caused_ the hostile takeover of RubyGems. This whole thing is politics all the way down.
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
Why is this flagged? This is super relevant to HN!
I wrote this comment with what I understand to be the relevant context: https://news.ycombinator.com/item?id=45490531
+1.
Brigading
Why has this been flagged?
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...
1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
2: https://news.ycombinator.com/item?id=45348390
> 1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
Basically just a blog post from some guy aghast that DHH has different political opinions to him. I'm politically on the left too but I can't imagine getting so incensed about someone else having right-leaning views.
Do these people never leave the house to meet anyone outside their echo chamber? The mind boggles.
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
Is there any context on why? Is there some controversy regarding RubyGems.org I'm not aware of?
This article was the most nuanced I found while everything was still hot. https://archive.ph/SEzoV
[flagged]
Afaik rubygems kicked some long term contributors and stole the entire project. Thats some serious red flags for me. At what point rubyruby gems does something nasty is only a matter of time. They could start to gatekeep or even worse add some sort of paid version.
Anyway.. a core piece of infra like this needs to be open for anyone and not closed for some shady entrerprize.
That's a particularly one sided account of the events.
Ruby Central wanted to oust one or two specific maintainers because of a rocky relationship (whether it was warranted or not is not my point).
It later backfired when a majority of the other maintainers resigned.
> They could start to gatekeep or even worse add some sort of paid version.
That's a funny accusation given that's something the ousted maintainers now behind gem.coop wanted to do a while ago.
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
https://joel.drapper.me/p/rubygems-takeover/
Might be worth noting the figure in question is the creator of Ruby on Rails.
[flagged]
[flagged]
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
[1] https://web.archive.org/web/20250920061923/https://world.hey...
[2] https://web.archive.org/web/20250920061926/https://world.hey...
[3] https://web.archive.org/web/20250918051013/https://world.hey...
> a hostile takeover forced by Shopify through Ruby Central.
That's entirely unsubstantiated.
I heard it directly from people directly involved.
So it is unsubstantiated.
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
I dropped the entirely because I am on mobile.
We don’t have multiple first hand accounts. All we have is second hand account being relayed by someone with a massive axe to grind against Shopify.
There are a lot of truly committed Rubyists at Shopify, particularly the one handling the relationship with Ruby Central.
The idea that Shopify had done what Joel aledges without a single one of the involved parties on the Shopify side blowing the whistle is preposterous.
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
> He pointed that out when he wrote the article.
Did he point out how it ended, and how he spent the better part of two years having public tantrums about it on Twitter?
Disclosing that you worked somewhere isn't relevant. Worse, it can easily give the impression that there is some insider knowledge involved.
What is relevant is how the relationship ended.
> Let's add here that YOU also worked at Shopify, until recently.
Yes, and I left over some major disagreements, hence if I have a bias, it would be against Shopify, not in favor.
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
[flagged]
Interesting, I only knew who he was through his "Leaving the cloud" serie of posts.
I am just trying to draw a parallel between the two to try to understand its broader ideology. So some might say both big cities like London and hyperscaler like AWS are:
- very expensive and have become unaffordable for many actors
- limit your freedom to scale and accommodate a very broad range of guests
- under massive surveillance and control
where the comparison stops is:
- AWS offers pretty good security but London is not (and hasn't for a long time)
- It is pretty easy to get kicked out of AWS if you do not follow the rule or pay
The population of London at the last census was still 60% British born. The difference between 2000 is that the figure was 60% white British.
He's not saying London doesn't have enough British people, he's saying it doesn't have enough white people in it.
That and saying it was heartwarming to see a Tommy Robinson march who represents the most extreme fringe of British right wing politics.
NYC has roughly the same stats - 40% of the residents there are foreign-born. This is more to do with low birth rates by natives, so population growth in NYC and London is entirely driven by immigration. The biggest problem is that it's too expensive for most people to have and raise kids in major cities.
What was more troubling to me was that he called the Tommy Robinson rallies "heartwarming". TR was a member of an explicitly fascist, white nationalist party. The rallies were full of signs calling for death to Muslims. Or, in the same blog post, his disproven claims of migrant gang r*pes. On top of that, he has written some really vile things about transgender people.
I would like to go to a tech conference and focus on Ruby, not politics. I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
> he has written some other really vile things about transgender people.
Do you have a link? I suspect these "really vile things" will turn out to be not so vile (like JKR), just things you don't agree with.
> I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
Really? Did he talk about politics at this Ruby conference? Seems like it is you that can't focus on Ruby.
> I suspect these "really vile things" will turn out to be not so vile (like JKR)
"Not so vile" things like spreading lies about a female Olymics Boxer's gender, calling her terrible names, and inciting her online followers to harass her? She not only bullies transgender individuals but also targets other women who don't meet her own standards of femininity. If you have no problems with people like that, no wonder you can't fathom why the Ruby community has trouble accepting similar people with open arms.
Again, link? It's no good just talking about what heinous things someone has done. That kind of talk is always incredibly unreliable.
Evidence for thee, but not for me? You write with such authority on this topic, yet you insist on demanding evidence for even the most basic knowledge surrounding it.
https://www.bbc.com/news/articles/cm2njjm4e2po
https://xcancel.com/jk_rowling/status/1819007216214573268
https://xcancel.com/jk_rowling/status/1931144695771435140
Also, on another note, here's one of her many posts from JKR literally equating trans women with sexual predators.
https://xcancel.com/jk_rowling/status/1972054407148695732
It's astonishing how far some people will go to defend this kind of dehumanization of fellow human beings.
> Also, here's one of her many posts from JKR literally equating trans women with sexual predators.
> https://xcancel.com/jk_rowling/status/1972054407148695732
Consider what this conversation was actually about - a male sexual predator, caught pleasuring himself in the showers attached to a girls' changing room, who claimed, when caught, to have a female gender identity:
https://xcancel.com/KatieDR96/status/1972050074227429663
Setting aside that you're passing claims from a far-right troll as facts, that still doesn’t make it acceptable to equate trans women with sexual predators, both morally and logically. Or are you suggesting that if you can find one male sexual predator, it justifies equating all males with predators? I have a feeling you’d be up in arms about that.
Anyways, it's clear that you're intent on dehumanizing others, even creating a new account for the sole purpose of saying the most vile things, so I'll stop replying here.
The reason that this male sexual predator was allowed to use the female changing room and showers is because he claimed to have a female gender identity.
This illustrates the safeguarding risk in allowing males to use female spaces on the basis of simply saying that they identify as female. It ends up with situations like this: a registered sex offender pleasuring his erect penis in a shower area that young girls are using, and a reluctance of the authorities to stop him and file charges because they're in the thrall of policy that deems self-declared gender identity to be unquestionable.
> are you suggesting that if you can find one male sexual predator, it justifies equating all males with predators
For the purposes of safeguarding, yes. This is much of the reason why we have female-only spaces in the first place, as a preventative against male predation.
Not all males are predatory, but one can be quite sure that the subset of males who disregard and ignore women's and girls' boundaries are. Including the sex offender being discussed in that Twitter conversation. And any other male who demands access to female spaces.
Oh sorry I thought you were talking about DHH. I've been trying to find a link to something awful that he's said but nobody has one.
And as for that incident, "spreading lies" is clearly an exaggeration. That boxers gender is at best debatable. She's clearly on the awkward boundary between genders that sport (and society in general) doesn't really know how to deal with.
> literally equating trans women with sexual predators
Not what she was saying. She was calling out an only-true-scotsmen argument.
[flagged]
Shame on you for promoting libel by spreading unverified claims as fact. Have you even paused to consider what it's like for those on the receiving end of such harmful lies? Or do you, like JKR, revel in it even more after you've thought about it?
https://www.bbc.com/sport/olympics/articles/c4gp8evl009o
https://www.dw.com/en/algeria-condemns-baseless-imane-khelif...
https://www.snopes.com/news/2024/11/20/imane-khelif-medical-...
Of course Algeria are going to deny it. But look:
https://www.telegraph.co.uk/boxing/2025/06/01/imane-khelif-m...
https://www.3wiresports.com/articles/2025/6/1/xxyetyl1aewfij...
https://lecorrespondant.net/docteur-suis%e2%80%91je-un-homme...
https://www.independent.co.uk/news/imane-khelif-eindhoven-ne...
The evidence indicates that Khelif is male, with male physiological advantage, and therefore should never have been competing in women's boxing. And it is a matter of record that Khelif withdrew from the Eindhoven Cup rather than take the sex verification tests required to compete.
That proposed lawsuit mentioned in your BBC article near the end of 2024 went nowhere, by the way. How could it? The facts show there was no libel.
https://tomstu.art/the-dhh-problem
Couldn't find anything there, can you be more specific?
"I care about Ruby and want it to die…”
“I try to discourage them because I don’t want more Ruby code in the world…”
I wouldn't bother replying to that account, it's not arguing in good faith. Ishkebab has stated many times its goal is to kill ruby and its community.
It's commenting here to stir things up.
https://news.ycombinator.com/item?id=43331847
https://news.ycombinator.com/item?id=43331847
> It's commenting here to stir things up.
I'm not. It's true that I dislike Ruby and prefer everyone would abandon it, but that's orthogonal to the issue we're discussing. In fact I'm saying that the Ruby community is being stupid and shooting themselves in the foot by characterizing relatively mainstream right wing views as "extremism".
If I was being disingenuous I should really encourage this schism!
> It
Dunno if you're a native English speaker or not but the normal way to refer to someone of unknown gender is "they". "It" is offensive.
> relatively mainstream
This doesn't preclude extreme. Not commenting on whether the community's is shooting themselves in the foot or not, just that the reason provided is not a good one for believing so.
> If I was being disingenuous I should really encourage this schism!
I do not think that you are necessarily being disingenuous but misunderstanding the difference of opinion in this way actually seems to encourage said schism.
> This doesn't preclude extreme.
Uhm yeah it literally does. Mainstream views can't be extreme by definition. You might not agree with them, but that's a different thing.
> misunderstanding the difference of opinion in this way
I haven't misunderstood anything.
> I haven't misunderstood anything.
You have misunderstood why people use the term "extremism".
> Mainstream views can't be extreme by definition.
Of course they can; mainstream views can't be uncommon by definition. Extreme doesn't strictly mean uncommon (not even in a political context), it is also used to mean "high degree", which can include distance from political centrism but can also include, e.g., frustration or flavor of cookie. To give another example, various online "challenges" like the "ice bucket challenge" are extreme but were also relatively mainstream when they were commonly performed and posted online; the term "ice bucket challenge" is still mainstream and the challenge itself is extreme (in fact, the reason it's called a "challenge" is because it is extreme).
Thinking there's too many immigrants might be mainstream (it currently is) but whether or not it's extreme depends on the degree to which it's believed. If it's believed to a high degree (such as "immigration is the worst thing about the capital city of this nation") by a large number of people then it is an extreme mainstream view by definition.
> various online "challenges" like the "ice bucket challenge" are extreme
Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
In a political context it literally means "far from the norm". His views are not far from the norm, as much as you might hate that. (I'm not a huge fan either but I'm not going to distort reality to make myself feel better.)
> In a political context it literally means "far from the norm".
No, this is simply what you want it to mean, keeping in mind you're trying to tell other people what they mean with their word choice. Extreme views can be normal and mainstream and typical. There are many normalized-but-extreme views in current mainstream politics.
> Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
Pouring a bucket of ice water on your head to bring attention to something is extreme. Like, it's over-the-top and exaggerated. You can disagree but that's kinda moot: someone isn't strictly wrong that it's extreme, you just disagree. You still didn't address the greater point that extreme, as it's being used, is orthogonal to mainstream.
But I guess I can link to a dictionary so you can see that I have a pretty normal (and mild) definition of the word in question. I hope you don't cherry-pick definition 1c, ignoring definitions 1a and 1b, which are, of course, valid.
Maybe 4 is the best definition, seeing as it gives "the extreme political left" as an example usage. It's not obvious to me how "advanced and thoroughgoing" means "not mainstream", though. I wouldn't mind an explanation.
https://www.merriam-webster.com/dictionary/extreme
[flagged]
[flagged]
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
https://bsky.app/profile/rmfranca.bsky.social/post/3lz7alpob...
See https://spinel.coop/
"Spinel develops rv, the next-generation Ruby version manager"
This doesn't explain how rv is threatening rubygems in any way.
They were using the name "rubygems" to fund-raise for not-"rubygems."
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
It doesn't really matter if it's a non-profit. How do you think your company would react if you started raising money using their name?
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
Ruby Central is a company that manages rubygems.org and rubygems. The maintainers who were locked out were being paid by Ruby Central while fundraising for their startup creating a competitor.
Doesn't it seem like a bit of a security risk to you?
No. (Disclaimer I got paid to work on rubygems and have been doing this for 18 years)
[flagged]
Oh, don't worry, I get what you and Rafael are trying to insinuate. I just want you to spell it out so that hopefully you see how stupid it sounds.
[flagged]
flagged??
Based on the comments getting downvoted, it feels like some brigading going on.
Flagging this post is quite disturbing.
There is a conversation around this which needs to be had. Maybe on bsky or x?
https://x.com/africajam/status/1975206106738901110
https://bsky.app/profile/indirect.io/post/3m2iq5p7eoc2j
FYI, this is Ruby Central's response: https://rubycentral.org/news/our-stewardship-where-we-are-wh...
This cannot be a response, as it was posted days before this was released.
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?