That said, I really don't like the hand waving of the HTTP log thing in this post. Yeah sure, company names aren't as sensitive/radioactive as an SSN or an email, but selling usage data isn't exactly a noble endeavor.
I don't think anyone comes out of this looking good. Some are worse than others, sure, but this is just a mess from top to bottom.
What "hand waving"? André explicitly mentioned he did not have any log or information.
> I have no interest in any PII, commercially or otherwise. As my private email published by Ruby Central demonstrates, my entire proposal was based solely on company-level information, with no information about individuals included in any way.
Here Andre is downplaying his ask of the logs. Even if Andre didn't get them, the logs were desired. Had Ruby Central acquiesced the logs would've been parsed and sold. Might not be an issue for you but I am frankly not interested in having any data shared or sold like this.
EDIT: oh, you might be referring to the RubyCentral statement. I didn't read the original security incident text, so my bad here. Sorry.
I do not feel like I'm reading between any lines here: Ruby Central directly showed that André Arko asked for the data to sell in order to cover the on-call fees. Yes, they have reason to smear him and shouldn't be trusted, but André confirms that he asked for the logs. None of that is up for debate, these are just the facts!
What we can argue about is 1) whether this is meaningfully different than what RC does already as noted by their ToS and 2) whether or not company names derived from the HTTP logs are sensitive or whatever. It is my position that neither André nor RC should be selling this sort of usage data, regardless of motivation. Personally I think the monetization of such data is bad in general, but I understand not everyone feels the same. It just gives me the ick.
EDIT: Immediately after submitting this, I saw that you issued a correction. Bad timing on my part I suppose!
The incident is clear cut and makes RubyCentral staff look incompetent. They cut off access to 1Password and did not even consider that someone may have a copy of the credentials somewhere? As in "maybe in their head"? Rotating shared credentials in such a situation is security 101 and they failed. And when Andre notifies them that they failed, instead of quietly saying "Thanks, we've fixed that", they make it a security incident and include - without any further context - a single email from something that must have been a longer conversation.
Yeah you do. They're intentionally smearing him. (And they're no better at doing that than they are at security.)
My current read is that RC majorly botched the takeover, demonstrated gaps in security know-how, and then retroactively framed everything as a problem with André. The details of the logs are mostly immaterial to the rest of the claims, but are still suspicious enough to spice up the announcement. I believe this because, at the moment, I don't see anything in the original RC post that wasn't satisfactorily explained by this post.
Which the privacy policy of RubyCentral allows, so I don't get why they suddenly have ethical problems with that, apart of course from throwing shade on Andre. Parsing logs for company access is what basically everyone does, and frankly, I don't see the problem with getting leads from data like this. That has nothing to do with "selling PII".
I think an offer of covering all the 2nd level support costs in return for the right - that Ruby Central's own T&Cs grant - to monetise company usage stats, is a reasonable offer.
The "other side's" alternative was to steal ownership and control of a whole bunch of volunteer gem authors' work at the behest of a different corporate sponsor who was clearly demonstrating they wanted to be able to not only throw their weight around and force policies and priorities on RubyGems/RubyCentral, but also to make it personal by explicitly calling for long term contributors to be removed entirely on a whim.
And reading this, and the other disclosure from Ruby Central, they seem to be handling this maintainer/employee offboarding woefully incompetently at really, really basic levels. Obtaining control of secret management and doing a general secret rotation of management secrets isn't an obscure first step.
This context does slightly soften my view, especially the part about multiple 1Password accounts being in play. However there is a big thing still missing to me... Why would Arko not immediately notify RC that he had changed the password due to these concerns?
If it was really a noble good faith action by the assigned on-call, giving a heads up to the remaining stakeholders would be the obligatory next step, no?
According to RC's timeline, the password reset happened on September 19, but Arko did not disclose the issue to RC until September 30. From what I can tell, he has not refuted that timeline or explained the gap.
"The erratic and contradictory communication supplied by Marty Haught, and the complete silence from Shan and the board, made it impossible to tell exactly who had been authorized to take what actions. As this situation occurred, I was the primary on-call. My contractual, paid responsibility to Ruby Central was to defend the RubyGems.org service against potential threats."
and
"Given Marty’s claims, the sudden permission deletions made no sense. Worried about the possibility of hacked accounts or some sort of social engineering, I took action as the primary on-call engineer to lock down the AWS account and prevent any actions by possible attackers."
and
"Within a couple of days, Ruby Central made an (unsigned) public statement, and various board members agreed to talk directly to maintainers. At that point, I realized that what I thought might have been a malicious takeover was both legitimate and deliberate, and Marty would never “fix the permissions structure”, or “follow up more” as he said. Once I understood the situation, I backed off to let Ruby Central take care of their “security audit”. I left all accounts in a state where they could recover access."
> According to RC's timeline, the password reset happened on September 19, but Arko did not disclose the issue to RC until September 30.
The password reset happened on September 19, and "within a few days" he realised it was an intentional/malicious takeover, and he walked away knowing they had the means to recover their own access - no longer his monkeys, no longer his circus. The 30 Sep date was when he was asked by someone if he still had access, and he discovered he did, and let them know immediately.
That all seems way more likely to be true and feels more plausible than anything Ruby Central has published over the last month or so...
They still don’t seem to be in complete control or understanding of the infrastructure they forcefully took control of.
> September 18 2025 18:40 UTC: Ruby Central notifies Mr. Arko, via email, of the board’s decision to remove his RubyGems.org production access, and the termination of his on-call services.
> Marty Haught sent an email to the team within minutes, at 12:47pm PDT [19:47 UTC?], saying he was (direct quote) “terribly sorry” and “I messed up”. [...] the complete silence from Shan and the board, made it impossible to tell exactly who had been authorized to take what actions. As this situation occurred, I was the primary on-call.
André also mentioned that he disclosed further remaining production access a few days ago, on Oct 5. Looking forward to Ruby Central's followup post-incident review for this subsequent incident, which they failed to address or mention at all in their initial publication.
All of them really, not just Marty H.
For the past 10 years the Ruby community had been co-opted by political activists. Things like CoCs and the Contributor Covenant etc. started in the Ruby community. The activists went after many top contributors in the community because of personal political beliefs etc., instead of behavior in the community itself. Some even called for ejecting DHH, the creator of Rails, and Matz, the creator of the language, from the community.
When the Overton window finally stopped shifting to the left and started to move right, a lot of people who had remained quiet due to real threats of loss of business, work etc. finally started to speak up. DHH was one of them and has been very outspoken with his beliefs that open source software should be a-political and open to all instead of the political purity tests the activists were pushing.
From what I observed, when I was involved in the Ruby community, Arko appeared to be a political activist. While there may have been an actual security concern here, my guess is that this had more to do with a desire to not have someone who may have been involved in trying to eject the top creators in the community being a point of failure for key infrastructure for the Ruby ecosystem.
I've seen a lot of DHH content, and I'd never describe it as radical right wing.
Therefore, "open source software should be a-political and open to all" is by definition both impossible (you cannot have a group without politics) and a political statement (as it is suggesting a decision making process.) Furthermore, don't mistake a conservative position (e.g. everything should stay the same) for an apolitical one.
[1]: For example:
> politics: “who gets what, where, when, and how”—the process for resolving disputes and allocating scarce resources"
https://openstax.org/books/introduction-political-science/pa...
ChrisArchitect•6h ago
Rubygems.org AWS Root Access Event – September 2025
https://news.ycombinator.com/item?id=45530832