zlacker

[return to "Ruby Central's Attack on RubyGems [pdf]"]
1. drbrag+us 2025-09-19 12:34:14
>>jolux+(OP)
Ruby Central's whole thing is they maintain, develop, and secure bundler and ruby gems. Marty was previously a lead at Ruby Central and recently came back to RC as their Open Source Lead. It sounds like there was a clusterfuck getting the repo switched over but I'm not seeing how this is an attack on Ruby gems. Am I missing something?
2. woodru+Xu 2025-09-19 12:48:59
>>drbrag+us
I think the missing piece here is that almost every person publicly involved with RubyGems’ development has left the project in recent weeks. I don’t have any special insight here, but from an outsider’s perspective it seems as though Ruby Central is trying to turn a former “host” relationship into a “control” relationship.
3. nevine+5B 2025-09-19 13:29:25
>>woodru+Xu
I think you're right, but I suspect the root here is one of legal liability - if rubycentral is operating as a nonprofit that hosts _a recurring attack vector on other companies_, they'll have legal obligations to secure that service against those attacks. I assume they are continuously deploying out of that repository, and took the simplest route to controlling the attack vectors?

I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here).

(I'm mostly thinking in terms of supply-chain attacks, like this one: https://blog.rubygems.org/2025/08/25/rubygems-security-respo...)

4. nevine+Eie 2025-09-23 23:24:11
>>nevine+5B
Well, there's more information out and it seems pretty... damning. I wasn't convinced by "power grab", but "economic pressure from our sole remaining major sponsor" is _way_ more believable, and the chain of events is getting fairly clear. Check out Joel's explanation for a coherent delve into the events: https://joel.drapper.me/p/rubygems-takeover/

Now I just have to hope the fallout from this includes a less centralized replacement for the tools I'm used to - I haven't found anything solid yet, but I imagine andre will be examining this problem space with rv now.
