ruby-lang.org
→
RubyGems repository transitions to the Ruby organization
Despite being a mission-critical part of Ruby since it was created by Chad Fowler, Rich Kilmer, and others at RubyConf in 2003, RubyGems has remained outside the core Ruby community. At least until now.
To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central. We will continue their development in close collaboration with Ruby Central and the broader community.
Oh thank god. This is probably twenty years overdue.
For a while after its creation, RubyGems was loosely supported by the community. Then Rails-hosting provider Engine Yard stepped in and provided support until 2015 or so. At that point, André Arko and several others formed Ruby Together to serve as a vehicle for sponsorship of the work on RubyGems and Bundler. But Ruby Together had challenges securing consistent funding, and ended up merging with Ruby Central in 2022.
That didn’t help as much as it should have and things have been in an uncomfortable state since then. During my entire tenure at Shopify, I worked closely with the Ruby and Rails teams there and we were incredibly concerned about the security of the Ruby ecosystem software supply chain and I know that concern has remained since I left Shopify.
Finally, last month Ruby Central took some much-needed steps to consolidate control and accountability over the RubyGems GitHub repositories. It was generally the right thing to do, but the execution of it was… not the greatest. Blame flew hard and fast, with Shopify being labeled the bad guy by Joel Draper, Jean Boussier retorting that Shopify isn’t the enemy, André Arko defending his side, and eventually Ruby Central publishing their side of the story in the form of a security incident report that illustrated the untenable position of many RubyGems systems being controlled by a single person.
What a mess. I personally believe that everyone was acting with the best of intent from their point of view under a lot of pressure. I can’t help but think how much better this would have gone if everyone had sat down first over a meal and a beverage to talk through how to accomplish this. In the end, however, I think putting the RubyGems repository under the main Ruby organization is the right move. The next question is what happens with the RubyGems service. It’s been a bulletproof service for a long time and I hope it remains so for a long time.
