Joel Drapper

Ruby Central Fact Check

On Tuesday, I revealed that Shopify was behind Ruby Central’s sudden takeover of the RubyGems open source properties. Ruby Central has not yet responded to my request for comment.

While we wait for a response from Ruby Central, I thought it might be helpful to fact-check some of Ruby Central’s claims.

Claim: Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem.[1]

True

Claim: The decision to take over the RubyGems projects was made and approved by the Ruby Central Board.[1]

True

Freedom Dumlao confirmed this. We also know that Shopify was putting significant financial pressure on the board to make this decision.

Claim: Ruby Central has a strong interim on-call rotation in place.[1]

Unclear

It is my understanding that this on-call rotation includes experienced engineers from Shopify as well as other volunteers. Most of the engineers in the rotation don’t yet have much, if any, experience running the RubyGems.org Service.

Claim: Ruby Central’s goal is to move the RubyGems projects into a healthier, more transparent and community-centred governance model that is more in line with OSS development.[1]

False

The RubyGems projects were already operating with a healthy, transparent, community-centred unwritten governance model, and the community was taking steps to firm up the governance model at the time of the takeover.

HSBT broke with the existing pact when he added Marty Haught as an owner. As a result, Ruby Central, at the request of Shopify, seized the RubyGems open source properties from their maintainers.

Ruby Central has been on a path towards less and less transparency since Shan Cureton took over as Executive Director.

Claim: Ruby Central is focused on building the right conditions for open source stewardship to thrive.[1]

False

See above.

Claim: Bundler and RubyGems came under Ruby Central’s responsibility through the merger with Ruby Together.[2]

False

I have read the merger document signed by Evan Phoenix on 16 August 2021 and André Arko on 20 August 2021. Bundler and RubyGems never belonged to Ruby Together and they were not transferred to Ruby Central as part of the merger.

Ruby Central does have a responsibility to fund open source Ruby ecosystem projects, and it was expected that Ruby Central would continue funding the open source development of both Bundler and RubyGems as well as other open source projects including Ruby Toolbox and Ruby API.

Claim: The takeover of Bundler and RubyGems was necessary for the security of the RubyGems.org Service.[2]

False

The RubyGems.org Service is a domain name, rubygems.org, and servers operated by Ruby Central. Ruby Central are responsible for the code they deploy to these servers, but they do not need to deploy code directly from the RubyGems open source GitHub repositories.

Ruby Central could maintain a private soft-fork, syncing only the community commits that authorised RubyGems Service operators have verified. This soft-fork could also apply patches and changes as Ruby Central’s operators deem necessary.

Alternatively, Ruby Central could have created a hard-fork of the RubyGems open source code and maintained it in public as an alternative community project led by Ruby Central.

Claim: The decision to remove commit privileges from RubyGems maintainers was never meant to be permanent.[2]

False

Ruby Central never intended to hand the RubyGems open source properties back to their original maintainers, who were André Arko, Colby Swandale, David Rodríguez, Ellen, HSBT, Josef Šimánek, Martin Emde and Samuel Giddins.

All maintainers apart from HSBT and Colby (who works for Ruby Central) have been removed from the GitHub organisation.

I know for a fact that they at least singled out André Arko, and likely also Samuel Giddins, as people who would not be allowed back. So for at least some maintainers, this was meant to be permanent.

As things stand, two new “owners” have been added to the GitHub organisation: Marty Haught (the Director of Open Source at Ruby Central) and Ufuk Kayserilioglu (an Engineering Manager at Shopify who is also on the Ruby Central Board).

Claim: The takeover of the RubyGems open source properties was made in good faith.[2]

False

I know for a fact that Ruby Central knew that it had no right to take over the RubyGems open source properties. I know this from speaking to the people involved and I have video evidence that Ruby Central knew.

Claim: RubyGems.org is not just code, it’s a production service.[2]

False

This claim is deliberately misleading and cannot be true however you read it. There are two entities this could be referring to:

  1. The RubyGems.org Service — A service operated by Ruby Central, available at rubygems.org.
  2. The RubyGems.org open source code — a repository of open source code maintained by the community.

The RubyGems.org Service is a production service, but it is not source code. It could be running the RubyGems.org source code or it could be running other source code, but it is not source code.

The RubyGems.org open source code is source code but it is not a production service. Anyone can run this source code on their own servers with their own domain.

Claim: Incident response and core maintenance continue as usual.[2]

False

There is no way that Ruby Central can lose as many operators as it did and continue “as usual”. The new on-call rotation is made up of experienced developers, but they are not experienced with running the RubyGems.org Service.

Core maintenance cannot continue as usual because the maintainers of the open source RubyGems projects cannot commit to their projects.


Disclosure

I was employed by Shopify between 2017 and 2022.

Changelog

  • Updated to clarify that HSBT and Colby have not been removed, while all the other maintainers were.
  • Added details about new GitHub organisation owners: Marty Haught and Ufuk Kayserilioglu.

Footnotes

  1. https://rubycentral.org/news/strengthening-the-stewardship-of-rubygems-and-bundler/

  2. https://www.youtube.com/watch?v=VyCiE3GjQps