Did they do that?
I got off the Ruby and Rails trains ages ago (around the time that Rails changed the package management solution it used; that convinced me the whole project was not in its "adults in the room" phase yet and I couldn't be bothered to keep up with a project that would require me to pay attention to it every quarter instead of putting a project down for a year and having it mostly work when I picked it up again). Sad to say this kerfluffle hasn't exactly shifted my opinion of the ecosystem.
"Hello Ruby Community, We recognize that our originally scheduled Q&A session overlaps with the observance of Rosh Hashanah and may not have been the best timing for many in our community. We sincerely apologize for the short notice of this change, especially since the session was set to take place tomorrow. In response to the feedback we’ve received, we’ve made the decision to postpone the session. A new date and time will be shared with you in the coming days. In the meantime, we invite you to watch this statement from our Executive Director. This update is intended to ensure everyone receives the same information and can view it at a time that works best for them."
In other words: They aren't respecting the holiday. They're using it as an excuse.
Open source is about licensing and not about governance. There are plenty of open source projects where the owner is a dictator. In this case the owner of the github organization has control over who is a part of it and who has permissions within it.
When someone says “open source,” that’s often shorthand for the broader definition.
Ruby central was short for cash, Shopify used that to pressure them into a takeover of several core community repos like bundler so that Shopify can control those indirectly? Is that it?
I’m assuming there’s a ton of reputational risk in this move, and my understanding as an outsider is that Shopify already has a ton of weight in the Ruby ecosystem - they seem to be the one case quoted by everyone as the “proof that Ruby scales”.
As an aside, I imagine the discussion of this will be end up being... difficult, because people are tending not react to these sorts of things well.
Oh, so this is just dhh doing a hostile takeover of core ruby infrastructure where previously he had to try to work with people, now he can just tell people what he wants to be done, because they work for him.
I remember Ruby Central denied they ever tried to deplatform DHH. But now when they are platforming DHH Sidekiq wants out.
I honestly think it is may be way simpler. Shopify is willing to sponsor and put money into it but they also want it done ASAP, preferably now. They give a deadline and Ruby Central didn't think, plan or act until too late.
And the moment it was badly done, politics creeps in.
Then again, that is not a very web scale suggestion.
Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew. That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, that no one would care or even know how to point at a private gem repository.
I doubt there will ever be a run-time dependency of rubygems with Shopify. I would be more alarmed if, say, Microsoft GitHub™, Google, Cloudflare would "step up to safe the project".
And history ain't written. Who knows how this will hurt them.
Shopify is a multi-billion dollar company that has processed over a trillion dollars. They are a high value target for sophisticated attackers. It’s entirely possible they are trying to accomplish some security and supply chain goals to protect their Ruby pipeline, but completely messed up the execution and did not predict the community interpretation and backlash.
0: https://www.shopify.com/news/david-heinemeier-hansson-board
Sounds like a variant of the xz takeover, but using money this time and in public.
Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover
https://news.ycombinator.com/item?id=45348390
Ruby Central's Attack on RubyGems
https://news.ycombinator.com/item?id=45299170
A board member's perspective of the RubyGems controversy
The funny thing about inventing a language you love, is you spend your career writing C rather than actually writing code in the language you love.
Also I doubt the culture warriors are going to get what they want from Matz, he's a devout Mormon, a religious group known for conservative beliefs.
I guess the only lesson here is trust no one and keep your repos under your account.
> "Embrace, extend, and extinguish" ... is a phrase that the U.S. Department of Justice found was used internally by Microsoft to describe its strategy for entering product categories involving widely used open standards, extending those standards with proprietary capabilities, and using the differences to strongly disadvantage its competitors.
Not every instance of corporate bad behavior in open source is EEE. Shopify isn't in competition with open source or potentially threatened by open source. They are not extending open standards or technology.
Maybe I'm being pedantic, but I'd rather not muddy the water with unhelpful, sloppy metaphors.
Ruby on Rails
Chef
---
Some of the largest websites in the world run on Ruby: GitHub and Shopify.
Ruby was used, for example, as the DevOps language prior to Go
Also, ActiveRecord gained significant capabilities with named scopes, something that isn’t as widely copied.
Finally, Ruby itself lends itself well to writing DSLs, something that Javascript and TypeScript sucks at, but sometimes I still see people try and fail.
To be fair, it is my personal opinion that there has not been anything substantially innovative since Rails 5. The features I have seen since is better done with Elixir/Phoenix, mainly because the BEAM runtime makes better concurrency primitives available.
WebObjects and EOF were the MVC and ORM frameworks powering Disney (Go.com) almost a decade before Rails existed.
A decade before Rails puts it in 1995. Do you have some resources on this? I like looking into the history of tech.
WebObjects was rewritten from ObjC to Java in the 2000s. EOF, the ORM layer it shared with NeXTSTEP/OPENSTEP, was rewritten as Core Data and released in Mac OS X Tiger.
It really occupies the same niche that Python does, but personally I find ruby more pleasant to work with in every way.
> London is no longer the city I was infatuated with in the late '90s and early 2000s. Chiefly because it's no longer full of native Brits [1]
He also has a history of this kind of posting
> There was the post where he described an ad featuring a plus-sized Black women as “grotesque” and celebrated the ads being replaced with ones featuring “blond babies”
However, taking away funding as retaliation for a conference talk is offensive, too. In the end facts (money) made the decision. I don't think Shopify has bad intentions.
Clearly, it's about the racists tweets and blog posts one prominent member of Rails has made. And the community needs to address this in a clear way. Not with boycotting the wrong parties, especially an infrastructure provider of our community. Thank you Sidekiq for supporting RubyGems in the past, but pulling the plug was not the best move for the community.
The losing of sponsorships because of the talk is what gave shopify leverage. And they used it.. out of fear over the rv tool.
Where are you getting that Shopify fears rv?
The tool looks to replace gems and it's ecosystem.
rv builds on André's reputation. The best way to squander it would be to attack the rubygem infrastructure.
I fully understand and support to be angry about and cut all ties to the 3-letter-guy, but I think this Ruby Central/Rubygems issue is a case of "friendly fire".
Would it be compatible with specifying urls (such as git repos)?
# From a specific branch
gem 'my_gem', git: 'https://github.com/user/my_gem.git', branch: 'development'
# From a specific tag
gem 'my_gem', git: 'https://github.com/user/my_gem.git', tag: 'v1.2.3'
# From a specific commit (ref)
gem 'my_gem', git: 'https://github.com/user/my_gem.git', ref: 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0'Sounds nut? We used to do this with .dlls in sourcesafe and was fine. boring.
Are there any reliable decentralized package distribution systems operating at within 2 orders of magnitude of that scale? How do they handle administrative issues such as malicious packages or name squatting? Standards updates? Enforcement of correct metadata? And all the other common things package indexes need to handle.
I'm clearly skeptical, but would be very interested in any real world success stories.
Deno is a Javascript implementation for the backend that attempts to mimic this pattern (it later introduced a more npm-like centralized repository, but afaik it's optional). Deno is of course less popular than Python, but its url-centered model can really scale imo.
But the Web is notorious for the problems I listed, you end up with standards around not following standards. It leaves almost all the responsibility on the client tool (browser or whatever) to do validation to stop malicious sites, name squatting, accepting and "fixing" poorly constructed metadata etc.
> Deno is a Javascript implementation for the backend that attempts to mimic this pattern (it later introduced a more npm-like centralized repository, but afaik it's optional). Deno is of course less popular than Python, but its url-centered model can really scale imo.
I was not familiar with Deno, I've done some shallow reading on this now and it's certainly interesting. I don't know enough about the JavaScript world to make a comment on the pros or cons.
But I don't think can work for Python, as transitive dependencies would immediately conflict as soon as dependencies required a different version of the same transitive dependency. And the guarantee of Python packaging is you only have a single version of a library installed in an environment, while it can cause some dependency solver headache, it also solves a lot of problems as it makes it safe to pass around objects.
People are not logs floating helplessly in a river. People take decisions and make things happen. They create and run the process, not viceversa.
The critique must be directed at people.
[0] https://press.uchicago.edu/ucp/books/book/chicago/U/bo252799...
And as a bonus, you don't have any rights to self-defence, you cannot own a gun, in UK you cannot even use dumb pepperspray for defense, ridiculous. Great to live in country, where your only option for self-defense is to lay on the ground and die or be raped, while you wait for police.
All these lefties do is to destroy, they don't want to discuss anything.
retrorubies•4mo ago
bradly•4mo ago
This all reminds me of the feelings after Merb was put down after pressure from Engine Yard so they could guard against their Ruby on Rails hosting business.
hosh•4mo ago
bradly•4mo ago
> But not everyone felt so good about it. I worked for Engine Yard, and we had made our mark selling Ruby on Rails deployment to large customers like Groupon, Kongregate and Github. I got hired at Engine Yard in part because the company's founders were worried that Rails wouldn't make it long-term. They wanted to hedge against this possibility.
> Unfortunately for me, waging an all-out war against Ruby on Rails from inside of a company that makes its money selling Ruby on Rails deployment is a pretty bad life strategy.
> I don't know everything that went on behind the scenes, but Engine Yard's management eventually asked me to consider merging with Rails. If I'm being honest, they pushed me to consider merging with Rails.
I'm sure there were other reasons for the merge as well, and I don't want to take anything away from Yehuda and the decision he made at the time, but I was a volunteer at the first MerbConf just a couple months before the "merge" and it all felt very sudden and at odds with the direction the project was headed. I had my cynical take that EY was behind the move, but those were just my personal feelings. Honestly it was refreshing to read Yehuda's story 12 years later as it helped put some of the pieces together as to why.