A board member's perspective of the RubyGems controversy

https://apiguy.substack.com/p/a-board-members-perspective-of-the
55•Qwuke•1d ago

Comments

corytheboyd•1d ago
Very reasonable other side to this story, which doesn’t come as much of a surprise. Too bad it didn’t hit the front page.

People went WAY too far WAY too fast on this. There HAS to be urgency to this, the software supply chain is presently, undeniably, under attack.

Frankly, everyone blasting RubyCentral the last few days should feel shame and embarrassment. These aren’t evil suits at Microsoft, they’re normal people invested in maintaining a critical piece of infrastructure for the good of all who love and profit from Ruby.

jaredcwhite•20h ago
What? This article is absolutely damning re: RC's leadership and the utter lack of proper transparency, strategic planning, marketing/PR, and solid OSS governance. Did we read the same article?!

picadi•4h ago
I read the article, but didn't see anything damning about it. How big of a staff do you think a tiny 501c3 like RubyCentral is? RC shepherds a pretty small community around a niche DSL with a shoestring non-profit budget that mostly goes towards running conferences. You can see their financial reports here https://projects.propublica.org/nonprofits/organizations/300...

Expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the GitHub org anymore. Any one of them was a huge target for adversaries who want to ship malware in RubyGems; supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.

My main takeaway from reading all this is: why were so many assorted people given such high levels of access?

nightpool•4h ago
"These randos" are our friends and fellow contributors. Probably everybody in the Ruby community has worked with them in one capacity or another. The article provides no reason why they should have had their contribution permissions revoked. Just because you think of Ruby as a "niche DSL" and the people maintaining its core infrastructure as "randos" doesn't mean the rest of us do.

nenenejej•1h ago
I'm for least privilege and tightening up perms, reviewing who has access. But it just needed some comms and timeline. Unless there was an obvious immediate threat.

nightpool•1d ago
So Ruby Central, by their own admission, agreed to take $$$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project in favor of their own funding. And also they apparently used this as an opportunity to consolidate their power in other ways (renaming the GitHub org) for reasons that were unrelated to the self-imposed deadline. How does this make them look better?
actionfromafar•2h ago
To my untrained eye it looks like a board with a bunch of money and perhaps a fork on their hands.
pmontra•5h ago
> [The Ruby Central board] is a small group of volunteers

is somewhat at odds with

> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,

but not so much. Then the sentence goes on with

> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.

So something has been wrongly managed or wrongly sold.

Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.

brianm•5h ago
Not really -- non-profit boards are usually volunteers, even if the non-profit has revenue used for operations.

kg•5h ago
> I can't speak for the board or the Ruby Central staff. But I know them and they are like me. They do this because they love Ruby and our community. I'm certain of that.

I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.

hatthew•2h ago
> [do what we did], or lose the funding that we use to keep those things online and going

Seems pretty clear-cut to me.

eutropia•5h ago
I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.

Something like:

"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."

Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...

adriand•5h ago
Sounds like you should volunteer for Ruby Central to help them with their communications! I don't mean that facetiously: it seems that they could use you, or someone like you, with comms. As the OP readily admits, this is not a strong point for them.

My general take on this:

1) Nerds are often not the best at communicating.

2) People on the Internet can be very cruel towards people they don't know.

We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.

gsinclair•35m ago
The organisation already has non-technical people employed. They should be able to get basic communications right.

nenenejej•2h ago
This has the advantage of being short and so takes way less brainpower to piece together what actually happened. Reading between the lines is exhausting.

baggy_trough•5h ago
Locking out a guy like David Rodriguez (the main person I see doing bundler commits) in a dramatic fashion just seems like absolute craziness. I can't fathom doing it without a very good reason, which has yet to be revealed if it exists.
padjo•3h ago
Does “lest we lose critical funding because we don’t have proper agreements with our committers” not cut it as a reason for you? Genuinely curious, it seems like a reasonable explanation assuming it’s true.
generalk•2h ago
It does not, for me.

Given that access was cut, then restored, then cut again, then days passed, then someone finally says "hey, we were going to lose critical funding" makes it seem like a post-facto excuse for a hostile takeover.

And the whole "oh, well, we're bad at comms" makes it sound even worse!

Which is the whole crux of the issue. At no point in any of this did Ruby Central do anything reasonable. Then they tried to explain that their unreasonable actions were reasonable, if you only knew the things they knew, which they were for some reason unable to tell people until just now.

Could it be true? Sure, absolutely.

Does it seem reasonable at the moment? Hell no.

lloeki•2h ago
From TFA:

> Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.

> Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

deivid-rodriguez's last commits were Sept 18: https://github.com/rubygems/rubygems/commits/master/?since=2...

With 7873 commits since 2018 he's 2x over the second one and crushingly the most active contributor since then: https://github.com/rubygems/rubygems/graphs/contributors

However you slice it, none of that fits into TFA's above narrative.

His access being revoked can only be described as complete bonkers.

padjo•1h ago
Ruby Central sponsors him to work on the project. They also own the project. Sure it’s not ideal that they’ve apparently come to an impasse of some sort but locking him out is not bonkers.
generalk•1h ago
It sure fucking is bonkers.

Ruby Central as an organization touts that it is responsible for RubyGems. Assuming this narrative is accurate, they needed to get agreements in place with contributors to appease some funding partners.

This shit happens. Especially as an open-source project started by one dude in 2009 turns into critical infrastructure managed by a 501(c)(3) non-profit.

That they failed so fucking spectacularly speaks incredibly poorly of their board.

AlienRobot•55m ago
It's to secure the supply chain.

From the guy who has supplied most of the chain.

baggy_trough•1h ago
Then you act in advance or with notice to get those agreements in place. Just dropping an atom bomb on the commit rights of the biggest contributor is very disrespectful.

If you can't work out an agreement after a good faith period... then that can become a good reason.

qrush•5h ago
I'm truly hoping for a reasonable resolution on all sides for this situation. IMO Ruby is too small, and shrinking compared to Python and JS/TS especially in the AI era, to be able to afford any splintering of efforts.
rubiest2010•2h ago
Agreed. I wish the communications would move away from FUD that could scare people away from using Ruby when things are already splintered. A more honest and transparent accounting of what really happened is necessary.
bradly•1h ago
I still remember your The Legal Stuff post on Google Groups from a million years ago. <3
throwaway346434•4h ago
It's such a weird thought process to have gone through, to write this. The sentiments expressed are basically:

"I WANT to apologize ... that I feel awful."

"How can you possibly talk to someone about changing access, when multiple people tell you no, you are wrong?! A coup is the only way!"

"Because funding deadline, we executed a coup, which will keep everyone safe from hostile actors... Taking over accounts and access"

delichon•4h ago
> Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn't a new development, and I'm honestly very confused about the confusion.

That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.

sc68cal•4h ago
This story is missing any context around what occurred. The only thing I was able to find was by searching, and I came to this PDF statement.

https://pup-e.com/goodbye-rubygems.pdf

> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,

> added non-maintainer Marty Haught of Ruby Central, and

> removed every other maintainer of the RubyGems project.

> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams

Which is important context that was left out of this board member's statement.

jtbayly•4h ago
It was not left out of the statement. I understood that was essentially what happened by the time I got to the end of his piece. The only exception being the “with no warning or communication” part. Obviously there is disagreement about whether that is true or not.
caymanjim•4h ago
Everything you're quoting is from one aggrieved person, who clearly felt slighted, and who left out a whole lot of context in their own post. The article above is a lot more reasoned, less emotional, and seems completely reasonable to me. Ruby Central clearly has issues with both internal and external communication. And the above article isn't an official statement either; it's just one person, not involved in the decision, offering another perspective.

throwaway346434•3h ago
It's not just one person.

Between the initial removal of access and it being given back after explaining it was a mistake, the people involved started a conversation about governance to clarify/fix things.

https://github.com/rubygems/rfcs/pull/61

The conversation terminated because the majority of those people then had their access revoked again.

When weighing the facts here, which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?

sc68cal•3h ago
> who clearly felt slighted,

I think this person has good cause for being very upset at the lack of communication and the sudden removal of them from the organization. They were a maintainer of RubyGems for a decade.

caboteria•2h ago
Everything he quoted is a fact, which can be proven or falsified. Taken together (and if true) they're pretty damning.

You responded with an ad-hominem attack. If you can offer a rebuttal of the facts then please do, otherwise try to refrain from personal attacks.

caymanjim•1h ago
I dunno what you read, but nothing I wrote included any attacks, personal or otherwise.
albedoa•1h ago
Ah, you're constructively accusing the author of "[leaving] out a whole lot of context". Non-derogatorily.
generalk•2h ago
Wait, what?

A maintainer of RubyGems was forcibly removed from the RubyGems GitHub org — which was renamed to Ruby Central — along with every other maintainer. Then access was restored, then revoked again. There was no explanation, no communication, and no understandable reasoning for this.

And still! If there is an "official" statement, I can't find one on https://rubycentral.org/.

This wildly transcends "issues with both internal and external communication" or "we're just a bunch of makers who can't be expected to be good at organization or communication" (to highly paraphrase TFA). This is an absolutely disastrous breach of the community's trust.

McGlockenshire•1h ago
I know you're already getting piled on here but

> less emotional,

Expressing emotions is good, actually.

jmcgough•3h ago
I found this helpful in explaining what's happened: https://www.theregister.com/2025/09/22/ruby_central_rubygems...

Sounds like they made some really big changes and put zero effort into communicating to people who've spent 10+ years working on the project.

fwip•2h ago
Thanks - that was helpful indeed. From there, I also found the linked post by Tekin Süleyman ( https://tekin.co.uk/2025/09/the-ruby-community-has-a-dhh-pro... ) to be informative.
McGlockenshire•1h ago
Wow! When that one DHH blog went around the other day, I didn't actually pay attention to who the author was. All I saw was yet another bigoted rant and just skimmed it and rolled my eyes. (e: here it is to save people the effort: https://world.hey.com/dhh/as-i-remember-london-e7d38e64 )

I should not have skimmed it. From your link:

> In the same post he praises Tommy Robinson (actual name Stephen Christopher Yaxley-Lennon), a right-wing agitator with several convictions for violent offences and a long history of association with far-right groups such as the English Defence League and the British Nationalist Party. He then goes on to describe those that attended last weekend’s far-right rally in London as “perfectly normal, peaceful Brits” protesting against the “demographic nightmare” that has enveloped London, despite the violence and disorder they caused.

> To all of that he adds a dash of Islamophobia, citing “Pakistani rape gangs” as one of the reasons for the unrest, repeating a weaponised trope borne from a long since discredited report from the Quilliam Foundation, an organisation with ties to both the US Tea Party, and Tommy Robinson himself.

This is ... disqualifying. That's the best word I can summon here to express my dismay. This is a crossed line. Absolutely nutso.

edit2: Uh wow I really should not have skimmed it. Here's one paragraph from DHH's blog itself:

> Which brings us back to Robinson's powerful march yesterday. The banner said "March for Freedom", and focused as much on that now distant-to-the-Brits concept of free speech, as it did on restoring national pride. And for good reason! The totalitarian descent into censorious darkness in Britain has been as swift as its demographic shift.

Well, if that doesn't speak volumes as to DHH's values, I don't know what does.

ethagnawl•1h ago
... and this is the guy whose Linux "distro" Cloudflare has just announced funding for.
x0x0•2h ago
How you can tell this is all lies from the board is simple:

> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

The first thing is they didn't tell them. The second bit is simple:

"Hi [x], I'm sure you've seen the news about npm. Given supply chain attacks directed at them and the one recently foiled against the python folks, we're [doing fill in here], including reducing permissions. [More info here.] Further updates as soon as we have them."

That email takes 10 minutes to write and send.

gorbachev•2h ago
100%

Reasonable people would've accepted that fine. And you don't have to worry about unreasonable people, because most people will find them unreasonable and dismiss anything they say.

x0x0•2h ago
Exactly.

And communicating [situation], [action(s)], [how this affects you] is one of the most basic professional communication skills you could imagine.

kragen•4h ago
I don't know more about the controversy than what's explained here, but, reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation. (When they work, of course; sometimes those institutions don't work very well.)

I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.

Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.

hluska•2h ago
> reading between the lines, it sounds like companies want Ruby Central to operate more like a for-profit company, where people carry out defined tasks in exchange for getting paid, than like a jury or the American Medical Association, where people do what seems best to them in exchange for a harder-to-define sense of collective social obligation.

There was a funding agreement which imposed obligations upon the operators. Those obligations were to be sure that supply chain attacks were reasonably secured against. The volunteers didn’t have to sign that agreement - they chose to and received consideration for their decision to sign.

Licensing terms don’t change the underlying mechanism of a contract and the message is even easier. If your organization cannot abide by the terms of a contract, don’t sign it.

andersmurphy•4h ago
> Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to do what they want, it's hard to stay independent.

decasia•4h ago
Agreeing with most of the other comments here that this discussion needs more context which we don't have...

If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)

reenorap•4h ago
The only reason why Ruby and other open source projects survive is because large companies can trust them to do the right thing. Given the critical nature of the supply chain attacks, what the board did was 100% right. Like he said, some people's egos got hurt but if no one can trust the maintainers, then Ruby has no future in the industry and it will die quickly.

This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.

khamidou•4h ago
I think you got things mixed up, open source projects survive because volunteers believe in them and want to contribute to them. Large companies rarely get involved, occasionally with some funding.

It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.

Only time will tell if this was really damaging to the Ruby community or just a temporary hurdle.

dewey•4h ago
Look at the core maintainers of Rails for example. Many are paid by Shopify and Basecamp, so it’s much more commercial than your regular open source project.

Which isn’t a bad thing that people get to contribute on company time.

khamidou•3h ago
Again this is mixed causality. Rails did not take off because of commercial interests – besides dhh who was working on it on the side, all the initial committers were doing that for fun.

Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.

stickfigure•3h ago
However it started, there's a big hosting bill and somebody has to pay it.
khamidou•3h ago
For sure – but maybe it doesn't have to be the side project of a non-profit whose main thing is RailsConf.
ryoshoe•2h ago
To be fair to RubyCentral, this year's RailsConf was the last one they have planned, though it's likely that they'll shift focus to RubyConf in its place.

weaksauce•3h ago
Most of the hosting is donated for free outside of the influence of monetary donations.

dewey•3h ago
Rails was built in a company to build commercial products so I’d say it had commercial interests from day one.

> 37signals built Rails for Basecamp and has since used it to create all their web products.

From: https://rubyonrails.org/foundation/37signals

cyanydeez•3h ago
The ego is what created the software. If you say f the ego, you're saying you want new maintainers.

blibble•2h ago
was it even their project?

just because they host it doesn't mean it's theirs

my webhost doesn't own the community around my projects simply because it's on their server

gsinclair•29m ago
The board was not 100% right, not even close. I’ll assume their technical actions were justified. But they screwed the communication badly in a domain where informal trust is an important commodity. Therefore, they flubbed a big chunk of their responsibility.
nyeah•4h ago
It's kind of a tradition on HN to read very little of the OP before commenting. That may not be a good tradition.
akk0•3h ago
So basically they're a bunch of serfs
vintagedave•3h ago
> A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going.

This makes a lot of sense, and it puts the 'drastic' action in understandable light.

It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?

Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.

cyanydeez•3h ago
Pretty sure GitHub issues would enlighten everyone on the timely communication of funding requirements.

hyperpape•3h ago
A lot of people are arguing about whether locking down access was justified to resolve the security issues. I guess it's debatable.

But I don't see any excuse for not putting out a statement when you do it. You have to know there will be a fight, and you will look like the bad guy. Perhaps I could see directly communicating to the maintainers that you expect that they'll be reinstated. But to say nothing? To let the post by duckinator float around for days without having a "we did this because of security concerns, we want to work together and find a resolution..." It's incomprehensible that they thought this would go well.

nenenejej•2h ago
I mean, imagine you are at work and you need to do this for SOC2 or something but don't tell your colleagues.

danielheath•8m ago
Firstly, you can tell them you’re working on SOC2 compliance, and secondly, those colleagues are getting paid in dollars, not doing it for the love of the work.
mpalmer•3h ago
For any company that wants to secure and maintain critical source infrastructure for a language, community/maintainer relations is a fundamental responsibility. It is not to be waved away with quasi-candid admissions that you're just too small a team, too technical, etc. Even if this board member is being totally sincere about his feelings for Ruby and its community, it changes little.

> Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.

This is the most candid bit of the article.

RubyCentral seems to have screwed up. The sense I get after reading this paragraph is that RC's non-apologies about poor communication are smoke. Why did they have to move this quickly/silently? Well...

If you are taking money from businesses in exchange for certain assurances about the security/soundness of RubyGems, you have a responsibility the minute pen leaves paper to KYC(ontributors). Not when there's suddenly a fire, or when your clients notice.

By all appearances, RC was negligent, if not necessarily in the legal sense. They were highly reactive in response to a problem they should have been across already, and they have paid for it with a chunk of the Ruby community's trust.

To now retcon this action as poorly-communicated but ultimately noble and security-minded does not sit very well.

rubiest2010•2h ago
This is a reasonable perspective but leaves a lot of unanswered questions and creates more questions. Who is the funder threatening to pull funding and why were they not more collaborative or flexible with Ruby Central? Did they know that this is how their request would be handled?

How much information and what information did Board members have when making their votes?

One thing that hasn’t been addressed is who was responsible for communications and implementation of this. It says here that the Director of Open Source did what the Board asked of him. Outside of the Board, which as stated here were heads down and trying to problem solve, Ruby Central’s website also shows a staff of several non-technical employees. Prominently, there is an Executive Director with a background in communications and non profit work per their LinkedIn. Where was this Executive Director and the other staff members during this? Were they involved with decision making and communication around this? How involved was the Board of Directors in implementation after the decision was made? It is a hollow statement to say they are just technical people trying to problem solve when there appears to be a whole team of non-technical staff members and an executive specializing in communications. Something clearly went wrong here and there are a lot of missing pieces around what happened after the vote took place. Most of this could have been mitigated with standard processes and simply communicating to maintainers and the community.

rubiest2010•2h ago
To add, did Ruby Central consider going to the community and asking for funding so they wouldn’t have to be beholden to one or a small group of key funders? If they were at risk of shutting down without this funding source I think the community might have rallied around them so they could make more independent decisions in the best interests of the community.

This is not to say that they didn’t act in the best interests of the community by tightening security, but an organization of this nature should be able to act more independently.

hluska•2h ago
This program is public and has been for a very long time - it’s called the Community Support Program because Windows devs don’t have enough nightmares of the acronym CSP.

Do you contribute? I can send you a link if you don’t.

hluska•2h ago
I don’t know why the funder matters. RC agreed to a contract that provided a fixed date by which these issues needed to be resolved or funding would be terminated. Exploding terms are rare in funding agreements because they don’t make the funder look good when they explode. Back in my non profit board days, I learned that contracts with exploding terms need to go in front of the entire board instantly for action or lawyers will get paid.

anyonecancode•2h ago
What I'm missing is what, if any, communication Ruby Central had with maintainers.

> How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them?

Start by letting go of the goal of not upsetting them. Make sure you do communicate clearly. Just say what you said a paragraph earlier: open source ecosystems, including ours, are increasingly suffering supply chain attacks. To guard against this, we need to tighten access that has traditionally been fairly loose. Starting <date>, we're going to remove general access and ask that contributors sign <link to agreement> before re-enabling access.

I mean, maybe that is what happened -- as the OP says, he wasn't part of the conversations so can't say. From the earlier public posts, it doesn't _sound_ like that's what happened. But I'd say as a general rule, it's important to communicate disruptive changes ahead of time to those affected and give a clear path to how they can mitigate the disruption.

nenenejej•2h ago
I hate the style of write up. It feels a bit gaslightly (it may or may not be but feels like it). And defensive.

Just drop all the facts. Acknowledge you fucked up. Or don't say anything at all?

A board position means responsibility not just "head down coding". And that means communicating with people.

For clarity I wasn't super keen on the original submission this is responding to, for similar reasons.