is somewhat at odds with
> Some [...] companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain,
but not so much. Then the sentence goes on with
> but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
So something has been wrongly managed or wrongly sold.
Then the final part about the emotional conversations and the dilemma sounds honest or at least very plausible, but as they write, the critical mistake already happened.
I don't know how to reconcile 'they love Ruby and our community' with moves that are actively hostile to the community.
Something like:
"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."
Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...
My general take on this:
1) Nerds are often not the best at communicating.
2) People on the Internet can be very cruel towards people they don't know.
We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.
"I WANT to apologize ... that I feel awful."
"How can you possibly talk to someone about changing access, when multiple people tell you no, you are wrong?! A coup is the only way!"
"Because funding deadline, we executed a coup, which will keep everyone safe from hostile actors... Taking over accounts and access"
That's the opposite claim from a coup. It's not fair for you to put those words in his mouth.
Vs the actions of: https://pup-e.com/goodbye-rubygems.pdf
- All access cut off
- Whoops, our bad, have the access back we'll talk about it
- All access cut off
I am not putting words into his mouth, he has chosen to publically communicate in a disjointed way that effectively expresses no contrition, downplays the impact or severity on other parties, and justifies the actions taken as being need because of an external source of influence.
He could rationally have done any of the following:
- Extended an olive branch through genuine apology and used his position as a board member to request a review.
- Not posted anything, as in his own words he "wasn't part of the conversations"
- Posted a perfectly boring "I am sorry it has reached this point and wish the people leaving well"
Instead he posted in such a way as to make it extremely difficult to interpret in a more positive light.
https://pup-e.com/goodbye-rubygems.pdf
> On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:
> renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
> added non-maintainer Marty Haught of Ruby Central, and
> removed every other maintainer of the RubyGems project.
> On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams
Which is important context that was left out of this board member's statement.
Between the initial removal of access, then giving it back after explaining it was a mistake; the people involved started a conversation about governance to clarify/fix things.
https://github.com/rubygems/rfcs/pull/61
The conversation terminated because the majority of those people then had their access revoked again.
When weighing the facts here; which group or claimant has the most evidence for their claims? The technical folks with lots of commits over many years, or the treasurer of an organisation who says the impetus for this was a "funding deadline" so all access had to be seized?
I am skeptical that the model where people carry out defined tasks in exchange for getting paid can properly discharge the obligations of trustworthiness and disinterest that are necessary for the proper functioning of software supply chains. I'm thinking that probably people whose motivation is primarily personal gain will seek out ways to exploit their users' trust for additional personal gain, for example by bundling adware and other malware into their software the way Microsoft does with Windows, or only releasing security updates to paying customers.
Open-source licensing provides some protection against this problem, because it guarantees you the legal right to switch to a non-malicious fork; but the whole reason we're talking about open-source supply chain security in the first place is that your vulnerability to your chosen upstream is still far from nonzero.
Seems pretty clear after reading this. If 1-2 companies pulling funding is enough for them to force you to to what they want, its hard to stay independent.
If the request for additional access controls/access cleanup came from one of the Ruby Central funders, could we not know who that was and what exactly their ask consisted of? I am interested in knowing their side of the story, and what the motivation was. (But in general, cutting off long-time maintainers' access seems like a bad choice - as presumably they have long since proven their good will toward the ruby community as shepherds of these projects.)
This is basically like fixing technical debt. It's painful and it's political but sometimes you have to do the right thing for the community as opposed to trying to assuage individuals' egos.
It sounds like they sold something to their donors they couldn't really guarantee – supply chain safety – and they decided to alienate their contributors to try to appease them.
Only time will tell if this was really damaging to the ruby community or just a temporary hurdle
Which isn’t a bad thing that people get to contribute on company time.
Eventually they brought rails in many commercial companies and these companies succeeded to the point they could pay people to maintain rails.
This makes a lot of sense, and it puts the 'drastic' action in understandable light.
It also contrasts with the 'On September 9th, with no warning or communication, a RubyGems maintainer unilaterally...' from the Goodbye RubyGems letter. Perhaps that person did not have communications or insight?
Going forward I think we could judge the good faith, if it's uncertain, by if we do see people reinstated. Cutting off access (for urgency with a deadline) followed by reinstatement (because they contribute) would match this post. No doubt there will be hurt feelings on all sides, which is understandable, but I hope as humans everyone can get through it.
graypegg•2h ago