So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
- uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
- that's a nice moat!
- Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
- Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
- After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit. Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
- I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people. This is just as bad to me as the Ruby Central situation right now.
The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security".
You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design.
You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
I consider this somewhat unfortunate example, since we, as a society, are putting limits on this very thing. For example age, or species. How is that supposed to work if people are not allow to debate and express their opinions on where those limits are supposed to be?
Similar with the health care. What is covered and what is not, and who has to pay and who has it (almost) free, should very much be up for a debate. Otherwise, how do you improve anything?
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again.
Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?
So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
[0] https://news.ycombinator.com/item?id=45490386
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Trustworthiness is far more important for a package manager. No amount of storage or bandwidth can compensate for an untrustworthy package manager.
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
Read https://en.wikipedia.org/wiki/.coop
Think about all of the organisational structures you know of.
Then ask yourself how is a cooperative fundamentally untrustworthy?
I saw someone else saying something about the domain name, but I didn't really give it a second thought when I read it.
Can you explain what the issue is?
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
What? Which part of the word "co-op" sounds like a "childish revenge attempt"?
https://en.wikipedia.org/wiki/Cooperative
It's a word that nicely captures their objectives.
Maybe they read it like “coup”?
> It's more like a childish revenge attempt.
Gaslight much? "coop" implies intention and direction...you know, that thing that rubygems.org could have used?
Isn't that how golang works?
I remember some complaints about the traffic that it produced[0] (though I don't think it's a bad idea. Basically federated downloads).
[0] https://sourcehut.org/blog/2023-01-09-gomodulemirror/
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
re: funding model, looks like it's TBD[0]
[0] https://bsky.app/profile/indirect.io/post/3m2j2pcinz22j
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
[0] https://www.bleepingcomputer.com/news/security/60-malicious-...
[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
the rv thesis is here: https://andre.arko.net/2025/08/25/rv-a-new-kind-of-ruby-mana...
> I'd also like a private rubygem instance
that was always possible https://guides.rubygems.org/run-your-own-gem-server/
(there's also "gem server")
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
Lockfile checksums are quite new and useful.
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
True, but this is a new beginning.Give time and credit to build an alternative. I think another repo server will not harm anyone in the long run
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
Really? Maybe I'm naive, but why would .coop be blocked?
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
.xyz is kind of infamous for being in this situation. https://news.ycombinator.com/item?id=28554400
I have no idea if that applies to .coop though.
How will anything ever change we're still guilted into thinking about crappy default corporate firewalls when choosing a TLD?
Though there's no way that this is something you care about, cmon.
Most places seem to manage.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
Ah yes, "slam in" to a situation is definitely the correct terminology for forking a project that was seized from you by a hostile party.
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
seems like an easy fix in a month with a new TLD though.
I don't plan on switching to a rubygems fork that does not offer technical/security benefits over the original.
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
I expect a lot of people will stop pushing gem updates to `rubygems.org` once `gem.coop` supports publishing directly to namespaces.
For me, having the software be maintained (and have a security engineer working on it) feels like a security benefit.
Does the original have many maintainers left?
It has allegedly been taken over by Shopify. I expect it to be very well maintained. The issues are of ethical character.
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
[1]: https://socket.dev/blog/gem-cooperative-emerges-as-a-communi...
I suspect many of these maintainers are making absurd ultimatums of RubyCentral.
That's a strange suspicion. Why?
Because many mass-resigned unless Andre was re-instated.
I think many mass resigned when their commit access was taken away from their own project by a company that doesn't have a right to do that.
Some people might consider that a dick move.
Given some of the ways Andre Arko gets described (See https://justin.searls.co/posts/why-im-not-rushing-to-take-si... for a recent overview) I'm a little wary of what the motivation behind this is.
This reads like a hit piece based on a personal vendetta. I'd be careful how much weight to give this.
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
Okay, if you got emails, you got emails, but I did not.
I absolutely wouldn't want people to think that I'd be getting the money, so I think clarifying it was a good thing, regardless.
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
[1] https://web.archive.org/web/20150919025358/https://rubytoget...
[2] https://web.archive.org/web/20150919025603/https://rubytoget...
It's all good, you were quoting the blog post.
Frankly that page is even more clear than I remembered. All of this happened so long ago.
I just want to know how much was David Radcliffe getting paid for his time?
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
To take the maximally negative view of things:
The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
[0]: https://astral.sh/blog/introducing-pyx
My mistake, I completely misread your comment and thought you were _only_ talking about `rv` as opposed to both `uv` and `rv`!
spinel is the company spun up around rv, ruby's uv version.
https://spinel.coop/
"If it's free, you're the product"
It’s amazing to see the open source community step up like this. Kudos and gratitude to everyone that made this happen!
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
Just a thought of mine: why don’t we switch fully to git? Commit signing, tag signing, Decentralize. Doesn’t that sound like a good alternativ?
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
git bundles exist to solve the single-file caching and distribution problems
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
Mostly good. Monopolies stagnate. Competition helps drive innovation.
In open source too.
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
https://web.archive.org/web/20251003112525/https://rubygems....
Source lives here: https://github.com/gem-coop
The only public repo is a static website.
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
Is this not an overreaction to the rubygems rubycentral fiasco?
No.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
A brief announcement post: https://andre.arko.net/2025/10/05/announcing-gem-coop/
Great move to counter the hostile takeover of the RubyGems GitHub repo (not the rubygems.org repo) and organization by Ruby Central.
I hope they find financing to cover hosting costs.
I believe the hosting is already covered.
Is there anything more you can share about that? I guess I should just sign up to the newsletter and wait and find out...
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
It's absolutely comparable. They both involve limiting rights and freedoms.
> being told who they can marry
I consider this somewhat unfortunate example, since we, as a society, are putting limits on this very thing. For example age, or species. How is that supposed to work if people are not allow to debate and express their opinions on where those limits are supposed to be?
Similar with the health care. What is covered and what is not, and who has to pay and who has it (almost) free, should very much be up for a debate. Otherwise, how do you improve anything?
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
> that's a worldview I have very little time for
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
I'll put it like this.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
It's a matter of boundaries, and speaking up.
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
Silence can also indicate disapproval.
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again. Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
This is a lot more than just US identity politics, as shown by the fully idiotic take on London he did.
Please stop with this type of ridiculous hyperbole.
People would be less inclined to say ridiculous things like this if they didn't keep happening.
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
If you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless.
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
Not everyone involved in open source has a boss. I don't care what a boss would hypothetically do to me, so that's not helpful guidance.
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
Ah. So just good old fashioned bigotry.
Generally, bigotry is bias based on immutable traits. Beliefs are not immutable.
No, bigotry is bigotry, it doesn’t matter what you’re being bigoted about. But I could see why a bigot might say that.
Oh, of course.
To a right-winger, safety is bigotry and hatred is love. Of course, how else could it ever be.
Do you really care about freedom if you don't let white nationalists abuse everyone and everything in their power all the time?
Is this political or does it have actual technical merit?
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
Important move to maintain a free community. I'm switching over to Gem.coop now.
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
What does “fash problem” mean?
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
Have you got any references for this claim?
Well, https://link.springer.com/article/10.1007/s10611-024-10144-y seems to claim there is a link for sexual crimes. This paper suggests that there is some delayed effect https://www.sciencedirect.com/science/article/pii/S092753712....
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
And no, I'm not saying that Danes are racist.
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
He posts about it on his personal blog, not on his company Slack.
That's the part where the term "fascist" is misused to smear somebody they disagree with. It can be safely ignored.
If you know you know.
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
[1]: https://news.ycombinator.com/item?id=27286628
[2]: https://news.ycombinator.com/item?id=27207734
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
Politically-charged ultimatums _caused_ the hostile takeover of RubyGems. This whole thing is politics all the way down.
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
Why is this flagged? This is super relevant to HN!
I wrote this comment with what I understand to be the relevant context: https://news.ycombinator.com/item?id=45490531
+1.
Brigading
Why has this been flagged?
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...
1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
2: https://news.ycombinator.com/item?id=45348390
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
Is there any context on why? Is there some controversy regarding RubyGems.org I'm not aware of?
This article was the most nuanced I found while everything was still hot. https://archive.ph/SEzoV
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
https://joel.drapper.me/p/rubygems-takeover/
Might be worth noting the figure in question is the creator of Ruby on Rails.
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
[1] https://web.archive.org/web/20250920061923/https://world.hey...
[2] https://web.archive.org/web/20250920061926/https://world.hey...
[3] https://web.archive.org/web/20250918051013/https://world.hey...
> a hostile takeover forced by Shopify through Ruby Central.
That's entirely unsubstantiated.
I heard it directly from people directly involved.
So it is unsubstantiated.
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
I dropped the entirely because I am on mobile.
We don’t have multiple first hand accounts. All we have is second hand account being relayed by someone with a massive axe to grind against Shopify.
There are a lot of truly committed Rubyists at Shopify, particularly the one handling the relationship with Ruby Central.
The idea that Shopify had done what Joel aledges without a single one of the involved parties on the Shopify side blowing the whistle is preposterous.
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
> He pointed that out when he wrote the article.
Did he point out how it ended, and how he spent the better part of two years having public tantrums about it on Twitter?
Disclosing that you worked somewhere isn't relevant. Worse, it can easily give the impression that there is some insider knowledge involved.
What is relevant is how the relationship ended.
> Let's add here that YOU also worked at Shopify, until recently.
Yes, and I left over some major disagreements, hence if I have a bias, it would be against Shopify, not in favor.
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
https://bsky.app/profile/rmfranca.bsky.social/post/3lz7alpob...
See https://spinel.coop/
"Spinel develops rv, the next-generation Ruby version manager"
This doesn't explain how rv is threatening rubygems in any way.
They were using the name "rubygems" to fund-raise for not-"rubygems."
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
It doesn't really matter if it's a non-profit. How do you think your company would react if you started raising money using their name?
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
Flagging this post is quite disturbing.
There is a conversation around this which needs to be had. Maybe on bsky or x?
https://x.com/africajam/status/1975206106738901110
https://bsky.app/profile/indirect.io/post/3m2iq5p7eoc2j
flagged??
Based on the comments getting downvoted, it feels like some brigading going on.
FYI, this is Ruby Central's response: https://rubycentral.org/news/our-stewardship-where-we-are-wh...
This cannot be a response, as it was posted days before this was released.
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?