Investigation reveals Shopify manipulated Ruby Central to force takeover of Bundler and RubyGems

Ruby Central, a non-profit organization that manages a package management system for Ruby, has expelled the maintainer of a related system called RubyGems, sparking controversy over a 'takeover.' A new investigation has revealed that the e-commerce site Shopify is involved in the incident.
Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover
Ruby Central is an organization that builds Ruby-related communities, and is responsible for maintaining and securing tools such as the aforementioned RubyGems and Bundler, as well as providing infrastructure support.
On September 9, 2025, a RubyGems maintainer renamed the RubyGems GitHub organization to 'Ruby Central,' added Marty Haught of Ruby Central, who had not previously been a RubyGems maintainer, to the RubyGems maintainers, and expelled all other maintainers.
On September 15, the maintainer announced that he had spoken with Haught and had his previous permissions restored. Haught apologized, saying, 'It was a mistake to remove the other maintainers, and it should never have happened.' However, even though the restoration was implemented, Haught had somehow become the owner of the GitHub project.
In response to this sudden turn of events, the RubyGems team immediately began work on formulating a formal governance policy, which had been delayed. However, on September 18, Haught stripped the entire RubyGems and Bundler maintainer team of membership, effectively giving Haught and Ruby Central full control of RubyGems.
Ellen, who was a Ruby Central maintainer and the first to report the incident, called it a 'hostile takeover and a threat to the entire Ruby community,' and announced that she had resigned from her position at Ruby Central.

Following the backlash from the community, Ruby Central
According to Dumlao, the Ruby supply chain is under attack, and companies using Ruby have begun to seek assurances from Ruby Central about its security. These companies, including Ruby Central's sponsors, have also begun to turn their attention to RubyGems and Bundler, which are part of the Ruby supply chain.
Ruby Central investigated the entire Ruby supply chain and discovered that individuals with no formal partnerships or contracts held the highest level of authority over RubyGems and other projects. Having such authority in the hands of unknown individuals was problematic, so Ruby Central decided to implement the following internal policy: 'We will enter into contracts with anyone who wants access to the supply chain, and remove access from those who do not need it. Meanwhile, like many open source projects, we will fully accept pull requests from anyone. If maintainers decide they want to return in the future, we will consider welcoming them back.'
However, there was concern that suddenly telling the people involved in RubyGems that 'we're going to remove access' might upset them, or they might make emotional claims such as 'If you remove it, I'll stop development' or 'Even if you remove it, we'll just add it back on our own.'
Ultimately, the deadline for making a decision on this matter came and went without Ruby Central being able to convince the maintainers of its intentions. To prevent the loss of funding, Ruby Central decided to remove all maintainers at once, in accordance with the demands of the sponsoring companies. In other words, Haught simply acted as instructed by the board of directors. Dumlao said, 'There was undoubtedly a lack of communication, and if we had communicated properly, we would have been able to properly convey the concerns we had heard from companies and sponsors who use Ruby.'

After both Ruby Central and RubyGems had released their opinions, new information from a different perspective came out. Joel Draper, who used to work at the e-commerce site Shopify, revealed that Shopify was behind the turmoil.
According to sources, Draper said Ruby Central had been struggling financially and had become dependent on Shopify for funding. The reason was that the developer of Sidekiq, a project that had donated a significant amount of money ($250,000 a year) to Ruby Central, withdrew his funding after Ruby Central invited David Heinemeier Hansson (DHH), a controversial figure known for his often racist comments, to its conferences. Sidekiq was run by a single developer, Mike Perham, who
According to Draper, with no competing sponsors left, Shopify took advantage of the situation and pressured for RubyGems and Bundler to be managed entirely by Ruby Central, with the message that if Ruby Central complied with its demands, it would receive a lot of funding, but if it didn't, Shopify would never cooperate again.

Furthermore, at a meeting of Ruby Central's board members, one voice was heard stating, 'Contributions to open source are acceptable, but the production service 'RubyGems.org' run by Ruby Central is a critical piece of infrastructure with many users and should be managed by Ruby Central.' However, the RubyGems.org referenced by this member was the source code, not the service, and was confused with another service run by Ruby Central. Due to this confusion, board members apparently moved to acquire RubyGems, which Ruby Central did not actually own. Furthermore, Haught, who carried out the acquisition, reportedly proposed alternatives, such as forking the RubyGems project, and warned Ruby Central of the consequences of a takeover.
Draper also points out that 'Shopify strongly demanded that André Arko, one of the maintainers and a long-time contributor to RubyGems, be removed from the project.' Shortly before the incident, Arko had begun development of a new Ruby management tool called 'rv,' but Shopify's Rafael França saw this as a threat, saying, 'Such a competing tool could interfere with RubyGems and Bundler, and we cannot trust the RubyGems system to such a developer.'
in Software, Posted by log1p_kr