Hi, I'm Aaron.

Apparent takeover of Rubygems by RubyCentral

IMPORTANT: Please review gem.coop as a replacement for source 'rubygems.org' in your Gemfile.

Updates

9:59AM ET (19 Sep 2025)

Will update with more info as I learn more. But here’s everything I could find so far.

10:15AM ET (19 Sep 2025)

Added a link to the open letter from RubyCentral. They are hosting an open Q&A Zoom on 23 September.

12:46PM ET (19 Sep 2025)

Still not a whole lot of clarity about the situation, but additional links added below.

The people I’ve spoken with that know many of the technical folks involved (Marty et al.) have vouched for the character of those technical people. Rhiannon Payne’s commentary suggests this is a leadership issue. Based on the rather tone-deaf and apparent doublespeak of the official word of Ruby Central, that seems to track pretty well.

There is an ongoing discussion about governance initiated by Martin Emde that is being actively mediated by Mike McQuaid (from Homebrew). However,

The arms-length appearance of this is that it was a perhaps well-intentioned but horribly-executed maneuver. The security / safety of RubyGems as a service seems presently intact. Since the last update by Marty Haught, Emde appears to be dissatisfied with the state of things and is, perhaps, also withdrawing in solidarity with Ellen Dash? This is unclear as there has not been a formal statement outside of that update.

9:20AM ET (26 Sep 2025)

Based on the summary fact-checking followup by Joel Drapper (see link below), specifically:

HSBT broke with the existing pact when he added Marty Haught as an owner. As a result, Ruby Central, at the request of Shopify, seized the RubyGems open source properties from their maintainers.

and

I have read the merger document signed by Evan Phoenix on 16 August 2021 and André Arko on 20 August 2021. Bundler and RubyGems never belonged to Ruby Together and they were not transferred to Ruby Central as part of the merger.

The transgressions appear to be:

  1. GitHub user @HSBT was a rogue actor who violated community trust through a forcible change in ownership of a community resource
  2. The maintainers were removed unjustly and as a rogue act
  3. RubyCentral does not have the de jure authority to justify their de facto possession of this community resource.

The correcting actions seem to be:

  1. Explicitly extend an offer to restore their positions as Repo maintainers to: André Arko, Colby Swandale, David Rodríguez, Ellen Dash, Josef Šimánek, Martin Emde and Samuel Giddins.
  2. Removal or reduction of administrative privileges for HSBT, since this user has shown they cannot be trusted to act in accordance with the community
  3. Reduction of Marty Haught’s Organizational role from Administrator to Member, and setting his privileges to one where he is able to actively contribute to the repository (acting as an advocate for Ruby Central) but unable to act on any hostile demands by RubyCentral or Shopify.

These items need to be satisfied to reset things to even. To repair some of the harm that has been done to community trust, I think these things should also happen so that we can heal and move forwards:

  1. An apology from Shan Cureton (on behalf of RubyCentral) explaining in detail that she understands how and why these actions were inappropriate within the context of this open source community.
  2. An acknowledgement by Shan Cureton that she understands that the assertions made in the press release Ruby Central released were in fact untrue and misguided. (See Joel Drapper’s fact checking post)
  3. An apology from HSBT to the maintainers that were removed and to the community as a whole.

5 Oct 2025

Most of the maintainers behind the original rubygems repository have just created gem.coop, which is a functional replacement for rubygems.org as a source entry in your Gemfile. This is built on a governance model similar to the “Homebrew” project, aided by the lead maintainer of that project.

Since RubyCentral refuses to take accountability or even acknowledge any kind of misconduct here, this feels like the absolute best path forwards. I strongly encourage any Ruby users to make this change.
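Switching the `source` line in a Gemfile is only half of the change: Gemfile.lock records the remote each gem was actually resolved from, and it keeps the old remote until Bundler rewrites it. The following is an added example, not code from this post or from the gem.coop project, that parses a lockfile in Bundler's standard layout (GEM / remote: / specs:) and reports which gems are still locked to a given host; the lockfile contents and gem versions are constructed for illustration.

```ruby
# Added example: audit a Gemfile.lock for which remote each locked gem came from.
# SAMPLE_LOCK is a constructed lockfile in Bundler's standard layout.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    rake (13.2.1)
    rack (3.1.8)

GEM
  remote: https://gem.coop/
  specs:
    nokogiri (1.18.8)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  rack
  rake

BUNDLED WITH
   2.6.9
LOCK

# Parse lockfile text into { remote_url => [gem names] }.
def gems_by_remote(lock_text)
  result = Hash.new { |h, k| h[k] = [] }
  remote = nil
  in_specs = false
  lock_text.each_line do |line|
    case line
    when /\A[A-Z]/           # new top-level section (GEM, PLATFORMS, ...)
      remote = nil
      in_specs = false
    when /\A  remote: (\S+)/ # remote this GEM section was resolved from
      remote = Regexp.last_match(1)
    when /\A  specs:/
      in_specs = true
    when /\A    (\S+) \(/    # 4-space indent = a spec; 6-space lines are its deps
      result[remote] << Regexp.last_match(1) if in_specs && remote
    end
  end
  result
end

# Sorted names of gems still locked to a remote on the given host.
def gems_still_on(lock_text, host = "rubygems.org")
  gems_by_remote(lock_text).select { |url, _| url.include?(host) }.values.flatten.sort
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] && File.exist?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_LOCK
  left = gems_still_on(text)
  puts left.empty? ? "no gems locked to rubygems.org" : "still on rubygems.org: #{left.join(', ')}"
end
```

Run it with the path to a real Gemfile.lock as the first argument; with no argument it audits the constructed sample.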

9 Oct 2025

RubyCentral posts an “AWS Root Access Event” security incident post-mortem. Joel Drapper had reported previously how André Arko still had root access to the AWS instance for RubyGems, because RubyCentral failed to cover all their bases when they did their takeover.

My editorialized opinion is: had RubyCentral acted in good faith and executed this seizure of power ethically, they could have avoided this by having everyone work collaboratively.

10 Oct 2025

André Arko responds to RubyCentral’s “incident report”. He provides a lot more transparency and clarity than RubyCentral did in their incident report, and it seems pretty apparent that his actions were aligned with his DevOps role in being an on-call for RubyCentral. He responsibly disclosed his access to Marty Haught.

This quote struck me in particular:

I have also noticed I am still, as of September 30, the owner of the GitHub organizations named “rubycentral” and “rubytogether”. I am unable to transfer the HelpScout or PagerDuty accounts, as you have disabled my andre(at)rubygems.org Google account.

Had RubyCentral acted responsibly, they would have (a) known all of the various administrative services being used by the team, and (b) coordinated with the existing team to ensure a seamless transfer of service before making that impossible by disabling their e-mail accounts.

RubyCentral also apparently had accused André of fraudulent access:

Ruby Central’s attorney was sending my lawyer a letter alleging I had committed a federal crime, on the theory that I had “hacked” Ruby Central’s AWS account.

I do not have confidence nor faith in RubyCentral’s leadership to be able to participate positively in this community.

Officially / Openly Stated withdrawal from RubyGems / RubyCentral

Ellen Dash (@puppy / @duckinator)’s initial open letter

## Ruby Central’s Attack on RubyGems

Hi! I’m Ellen, but you probably know me as duckinator or puppy.

I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.

I have been part of the Ruby community since I was 13, and one of the RubyGems maintainers for the last decade.

This community has helped me through very hard times, and you mean the world to me.

One of the most important lessons I learned from y’all is this:

> A person’s character is determined not only by their actions,
> but also the actions they stay silent while witnessing.

## This Month Has Been A Fuck Of A Year

This is what unfolded between September 9 2025 and September 19 2025, as I understand it.

On September 9th, with no warning or communication, a RubyGems maintainer unilaterally:

  1. renamed the “RubyGems” GitHub enterprise to “Ruby Central”,
  2. added non-maintainer Marty Haught of Ruby Central, and
  3. removed every other maintainer of the RubyGems project.

He refused to revert these changes, saying he would need permission from Marty to do so.

On September 15th, this maintainer said he restored the previous permissions after talking with Marty. Marty stated the deletion was a “mistake” and “should never have happened”.

The “restoration” kept a notable change: Marty was now an owner of the GitHub enterprise.

The RubyGems team responded by immediately beginning to put in place an overdue official governance policy, inspired by Homebrew’s.

On September 18th, with no explanation, Marty Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams.

By doing this, he took control for himself and other full-time employees of Ruby Central.

Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org.

I will not mince words here: This was a hostile takeover.

## My Stance On This

I consider Ruby Central’s behavior a threat to the Ruby community as a whole.

The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.

When called out, these changes were mostly reverted. Then, it was done again.

By crossing that line a second time after being called out for it, Ruby Central has made it extremely clear to me that they are not engaging in good faith.

Ruby Central’s behavior has forced my hand. I refuse to watch this without speaking up.

I am resigning from my position at Ruby Central, effective immediately.

To remove any doubt: Ruby Central unilaterally, with no explanation, revoked all access to RubyGems against both my wishes and the wishes of the entire RubyGems team.

Ellen Dash (@duckinator)