So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
soraminazuki 13 hours ago [-]
Trustworthiness is far more important for a package manager. No amount of storage or bandwidth can compensate for an untrustworthy package manager.
akerl_ 10 minutes ago [-]
Is it? Anybody could publish to Rubygems. Baring obviously malicious packages that happened to get noticed by a researcher, what trust were folks placing in Rubygems?
stanislavb 9 hours ago [-]
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
Think about all of the organisational structures you know of.
Then ask yourself how is a cooperative fundamentally untrustworthy?
hatthew 7 hours ago [-]
My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there's plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
ajb 6 hours ago [-]
Using .coop is actually a costly signal that you are, in fact and in law, a cooperative; and intend to stay one; since non-cooperatives are not allowed to occupy those domains. Dot Org, while it's used by a lot of well known organisations, is an open domain that anyone can register in.
Of course, it's also true that many people won't have the spare time to find that out.
krainboltgreene 3 hours ago [-]
> My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io)
This is so funny to hear after 18 years in the west coast silicon-valley lead tech industry. All of the app, io, tv, tech, guru, and now ai I've seen and only when it's "coop" does anyone complain.
gowld 4 hours ago [-]
Nothing here instills trust or makes me want to learn more.
I saw someone else saying something about the domain name, but I didn't really give it a second thought when I read it.
Can you explain what the issue is?
LexiMax 46 minutes ago [-]
It's one of those "attractive distractions" that us nerds like to bikeshed over.
Honestly, after "tweet" caught on as a verb, I've given up on thinking that we have any sort of crystal ball when it comes to names.
seanw444 8 hours ago [-]
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
monkaiju 5 hours ago [-]
I view ".coop" quite highly given it is restricted to actual, legally recognized, cooperatives. Its definitionally more meaningful and "trustworthy" than .com or .org
soraminazuki 9 hours ago [-]
What? Which part of the word "co-op" sounds like a "childish revenge attempt"?
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
daitangio 9 hours ago [-]
True, but this is a new beginning.Give time and credit to build an alternative. I think another repo server will not harm anyone in the long run
6 hours ago [-]
bradgessler 5 hours ago [-]
It's bittersweet.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.
baggy_trough 14 hours ago [-]
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
ilikepi 14 hours ago [-]
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
baggy_trough 9 hours ago [-]
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
woodruffw 3 hours ago [-]
It seems unrealistic to believe that packaging infrastructure can just “sit there,” particularly in light of changing expectations around the bare minimum a packaging ecosystem should do to protect its users. I think a more reasonable assumption would be that the (former) RubyGems team did a good job, which translated to boring normality for you.
krainboltgreene 3 hours ago [-]
> so I'm happy if it just gets small / stability fixes
Seems like you're the ideal consumer for this new service, since it actually has people who can do that.
x0x0 12 hours ago [-]
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
frenkel 14 hours ago [-]
Lockfile checksums are quite new and useful.
ilvez 13 hours ago [-]
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
shadowgovt 14 hours ago [-]
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
chillfox 5 hours ago [-]
Don't think it will be the TLD specifically. Most corporate firewalls block domains under a certain age, so it will just be a matter of time.
spit2wind 13 hours ago [-]
Really? Maybe I'm naive, but why would .coop be blocked?
lbhdc 9 hours ago [-]
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
.xyz is open registration and is known to be a spam/abuse source. .coop is restricted to legally-formed cooperatives. Apples and oranges.
chillfox 5 hours ago [-]
Pretty sure it is because they are cheep for the first year. And the blocks are often for domains younger than one year, instead of whole tld.
krainboltgreene 3 hours ago [-]
coop has around 12 years of age on xyz at least.
9 hours ago [-]
w0m 14 hours ago [-]
seems like an easy fix in a month with a new TLD though.
hombre_fatal 10 hours ago [-]
How will anything ever change we're still guilted into thinking about crappy default corporate firewalls when choosing a TLD?
Though there's no way that this is something you care about, cmon.
shadowgovt 9 hours ago [-]
Most places seem to manage.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
florkbork 9 hours ago [-]
Ah yes, "slam in" to a situation is definitely the correct terminology for forking a project that was seized from you by a hostile party.
shadowgovt 8 hours ago [-]
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
wlonkly 3 hours ago [-]
Is there evidence that corporate firewalls commonly block .coop?
phoronixrly 15 hours ago [-]
I don't plan on switching to a rubygems fork that does not offer technical/security benefits over the original.
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
soraminazuki 10 hours ago [-]
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
jaredcwhite 8 hours ago [-]
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
mijoharas 14 hours ago [-]
For me, having the software be maintained (and have a security engineer working on it) feels like a security benefit.
Does the original have many maintainers left?
phoronixrly 14 hours ago [-]
It has allegedly been taken over by Shopify. I expect it to be very well maintained. The issues are of ethical character.
mperham 12 hours ago [-]
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
gkbrk 8 hours ago [-]
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
RhythmFox 3 hours ago [-]
Churn is not just rate of commits it is the changing of the same lines/files/functions repeatedly, AI answers seem to get this wrong a few places I checked which is interesting. Rate of change in itself is not 'instability', it can be a sign of new ideas emerging or lot of other positive things.
Package management cannot be a 'solved problem' or there would be no innovation there, and you don't have to look far to find is not the case.
As for the idea that rubygems is 'dead' (not what mperham said), that is still too early to say for sure, as I imagine mperham would also agree, but it is definitely not a good sign. If we only get a trickle of changes to something that was once a very vibrant and lively community repo then that is to the detriment of the whole Ruby ecosystem. That would also be a bad sign.
joeldrapper 13 hours ago [-]
I expect a lot of people will stop pushing gem updates to `rubygems.org` once `gem.coop` supports publishing directly to namespaces.
sussmannbaka 8 hours ago [-]
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
dismalaf 5 hours ago [-]
> So, ignoring everything that got us here, what do people think about this?
It's fine. Keeps all the complainers away from the larger ecosystem.
I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.
x3n0ph3n3 13 hours ago [-]
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
davidcelis 12 hours ago [-]
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
This reads like a hit piece based on a personal vendetta. I'd be careful how much weight to give this.
nomdep 13 hours ago [-]
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
steveklabnik 11 hours ago [-]
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
tenderlove 9 hours ago [-]
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
steveklabnik 8 hours ago [-]
Okay, if you got emails, you got emails, but I did not.
I absolutely wouldn't want people to think that I'd be getting the money, so I think clarifying it was a good thing, regardless.
krainboltgreene 3 hours ago [-]
It's so weird of you to jump in like this, man.
hitekker 2 hours ago [-]
Can you explain what you find so weird? From what I can tell, the GP is adding useful information using his firsthand experience.
nomdep 10 hours ago [-]
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
Altogether, it demonstrates how Andre misled people about who was getting the money. IMO, there's a distinct pattern of him crossing boundaries and then covering it up using his social skills & friend group.
knowitnone3 10 hours ago [-]
I just want to know how much was David Radcliffe getting paid for his time?
steveklabnik 10 hours ago [-]
It's all good, you were quoting the blog post.
Frankly that page is even more clear than I remembered. All of this happened so long ago.
directionless 12 hours ago [-]
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
dismalaf 5 hours ago [-]
Does it? Seems pretty detailed with plenty of easily verifiable details...
busterarm 13 hours ago [-]
To take the maximally negative view of things:
- uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
- that's a nice moat!
- Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
- Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
- After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit. Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
- I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people. This is just as bad to me as the Ruby Central situation right now.
ljm 12 hours ago [-]
The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
davidcelis 12 hours ago [-]
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
pityJuke 11 hours ago [-]
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
It’s amazing to see the open source community step up like this. Kudos and gratitude to everyone that made this happen!
lemper 21 hours ago [-]
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
salzig 12 hours ago [-]
Just a thought of mine: why don’t we switch fully to git? Commit signing, tag signing, Decentralize. Doesn’t that sound like a good alternativ?
pornel 12 hours ago [-]
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
salzig 5 hours ago [-]
Going crazy: we cold also adopt the container registry api for distributing gems, similar to how helm charts are also distributed nower days.
webstrand 10 hours ago [-]
git bundles exist to solve the single-file caching and distribution problems
zdragnar 12 hours ago [-]
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
salzig 5 hours ago [-]
So GitHub would be one option. Developers already discover all kind of things there. And each gem can still be provided by its “main repository”, but I don’t mind on whatever domain that repository is located. Somewhat how container images are referenced/distributed already. I think go already does it like that too.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
dismalaf 5 hours ago [-]
Well, rubygems (the software) can pull from any git repository. So we kind of have it already anyway.
lr0 6 hours ago [-]
Exactly. Go already adopts that.
phoronixrly 6 hours ago [-]
You've seen golang's package... situation?... and you still think switching to Git is a good idea?
1. Heavy dependency on Github. AKA Microsoft owns much of the golang ecosystem. Not just the source... The package distribution as well!
2. Many packages are referencing a git (short!) commit hash instead of a version. It still boggles my mind that this is an acceptable practice. Not to mention that git tags can be deleted and recreated... A pinnacle of secure package distribution practices.
3. Stuff like ambiguous imports because apparently nothing enforces proper go.mod files? They are not packages to be compiled after all, they're just repos with some conventional structure (optional)...
Mind you, this is popular production-grade software...
I think this is much worse than even node packages, let alone bundler and rubygems...
SirSavary 2 hours ago [-]
1. GitHub dominance is a social phenomenon, not a technical requirement. The go.mod file you linked references ~14 different Git hosts other than GitHub. Go's design doesn't create this centralization; it merely reflects where developers choose to host code.
2. You complain about commit hashes while simultaneously noting that tags can be deleted and recreated. Hashes are precisely the solution to mutable tags. The "short hash" concern is a red herring; Git uses sufficient entropy that collisions are not a practical concern for dependency resolution.
As for "secure package distribution," go.sum files verify files verify consistent downloads. What additional security do you believe centralized registries provide?
3. Can you provide a concrete example of an ambiguous import you've encountered? I'm not familiar enough with Go to understand this criticism.
thomascountz 14 hours ago [-]
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
soraminazuki 10 hours ago [-]
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
I think the issue that you overlook is that you assume this group of individuals is trustworthy.
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
halicarnassus 19 hours ago [-]
Great move to counter the hostile takeover of the RubyGems GitHub repo (not the rubygems.org repo) and organization by Ruby Central.
I hope they find financing to cover hosting costs.
joeldrapper 17 hours ago [-]
I believe the hosting is already covered.
mijoharas 15 hours ago [-]
Is there anything more you can share about that? I guess I should just sign up to the newsletter and wait and find out...
sandstrom 14 hours ago [-]
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
I feel like a change to the way gems are distributed/downloaded could fix this. Unfortunately, the very powers that could make that happen are the powers that control the software and infrastructure, and have the least incentive to improve things.
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
As a former Ruby dev, it makes me sad.
pdntspa 12 hours ago [-]
Is this not an overreaction to the rubygems rubycentral fiasco?
florkbork 9 hours ago [-]
No.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security".
You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design.
You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
dcchambers 4 hours ago [-]
Well the site is blocked on my company laptop (reason given: newly registered domain), so it will be a rocky start for them. I love a good vanity domain but using a traditional .org domain probably would have been better, too.
My 2c is that 95% of ruby developers aren't aware of the drama going on around Rubygems.org right now. They have probably seen emails from Ruby Central but largely ignore them and move on with life. Most people have no idea there are issues and they will just continue using Rubygems.org. Getting a project like this to critical mass is incredibly challenging.
insane_dreamer 13 hours ago [-]
Important move to maintain a free community. I'm switching over to Gem.coop now.
varispeed 7 hours ago [-]
> initially his own, but eventually others—by paying themselves a market hourly rate
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
eek2121 7 hours ago [-]
hard disagree. For a project like this, all members should be paid a fair, but not "get rich" sum. There are companies out there that pay EVERYONE the same salary, all the way from CEO to janitor. Mysteriously, those companies don't have folks trying to hijack things, because nobody benefits.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
varispeed 5 hours ago [-]
"Market rate" is not neutral. It is a wage‑fixing device that standardises labour pay while letting profits float to shareholders. Treating it as holy writ is how extraction is hidden in plain sight.
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
lazerwalker 4 hours ago [-]
This project is or will be a worker-owned co-op, as evidenced by the strict requirements placed on anyone who registers a .coop domain name. I imagine at least equal ownership (if not risk and power) is a given in this specific instance, and profits will explicitly not flow upwards to shareholders who are not also workers.
phoronixrly 21 hours ago [-]
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
burnt-resistor 20 hours ago [-]
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
simianparrot 20 hours ago [-]
What does “fash problem” mean?
ramon156 18 hours ago [-]
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
ishouldbework 13 hours ago [-]
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
And no, I'm not saying that Danes are racist.
bsammon 11 hours ago [-]
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
drak0n1c 9 hours ago [-]
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
mrisoli 12 hours ago [-]
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
maxwellg 12 hours ago [-]
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
x3n0ph3n3 10 hours ago [-]
He posts about it on his personal blog, not on his company Slack.
phoronixrly 6 hours ago [-]
Is world.hey.com/dhh a personal blog? It's literally on his company's domain... At least in the company slack your fash opinions would reach just your poor colleagues...
dismalaf 5 hours ago [-]
Everyone with a Hey.com email gets a world.hey.com account linked to your email. So yes it's a personal blog.
Hey.com is 37Signals' Gmail, not the company's private domain.
marknutter 9 hours ago [-]
That's the part where the term "fascist" is misused to smear somebody they disagree with. It can be safely ignored.
phoronixrly 18 hours ago [-]
If you know you know.
14 hours ago [-]
sergiotapia 12 hours ago [-]
Is this political or does it have actual technical merit?
CaptainOfCoit 12 hours ago [-]
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
steve_gh 20 hours ago [-]
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
hiimkeks 20 hours ago [-]
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
ishouldbework 13 hours ago [-]
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
bronson 13 hours ago [-]
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
marknutter 9 hours ago [-]
It's absolutely comparable. They both involve limiting rights and freedoms.
ishouldbework 12 hours ago [-]
> being told who they can marry
I consider this somewhat unfortunate example, since we, as a society, are putting limits on this very thing. For example age, or species. How is that supposed to work if people are not allow to debate and express their opinions on where those limits are supposed to be?
Similar with the health care. What is covered and what is not, and who has to pay and who has it (almost) free, should very much be up for a debate. Otherwise, how do you improve anything?
20 hours ago [-]
pil0u 19 hours ago [-]
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
steve_gh 17 hours ago [-]
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
jaredcwhite 8 hours ago [-]
> that's a worldview I have very little time for
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
baggy_trough 6 hours ago [-]
Extremism is in the eye of the beholder. Trying to kick a founder out of a hugely successful project because he thinks there has been too much immigration to London is also an extremist view.
pil0u 17 hours ago [-]
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
CaptArmchair 13 hours ago [-]
I'll put it like this.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
It's a matter of boundaries, and speaking up.
giraffe_lady 13 hours ago [-]
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
blast 13 hours ago [-]
Silence can also indicate disapproval.
kortilla 19 hours ago [-]
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
yxhuvud 18 hours ago [-]
This is a lot more than just US identity politics, as shown by the fully idiotic take on London he did.
zen928 11 hours ago [-]
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again.
Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
shadowgovt 9 hours ago [-]
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
kortilla 19 hours ago [-]
[flagged]
mzajc 19 hours ago [-]
> If you actually cared about people devaluing your life you should also be outraged at any Mormons/Muslims/etc in power.
Not everyone is a fundamentalist.
fourseventy 14 hours ago [-]
Please stop with this type of ridiculous hyperbole.
wizzwizz4 14 hours ago [-]
People would be less inclined to say ridiculous things like this if they didn't keep happening.
tensor 12 hours ago [-]
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
marknutter 9 hours ago [-]
If you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless.
jaredcwhite 8 hours ago [-]
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
marknutter 4 hours ago [-]
Do you really not understand how unhinged you sound when you resort to such histrionics?
wahnfrieden 20 hours ago [-]
Not everyone involved in open source has a boss. I don't care what a boss would hypothetically do to me, so that's not helpful guidance.
nathanaldensr 17 hours ago [-]
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
giraffe_lady 13 hours ago [-]
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
marknutter 9 hours ago [-]
Ah. So just good old fashioned bigotry.
shadowgovt 9 hours ago [-]
Generally, bigotry is bias based on immutable traits. Beliefs are not immutable.
marknutter 8 hours ago [-]
[flagged]
erxam 8 hours ago [-]
Oh, of course.
To a right-winger, safety is bigotry and hatred is love. Of course, how else could it ever be.
Do you really care about freedom if you don't let white nationalists abuse everyone and everything in their power all the time?
marknutter 4 hours ago [-]
Ah, another bigot. Comin’ out of the woodwork.
5 hours ago [-]
colechristensen 6 hours ago [-]
Why?
Mystery-Machine 3 hours ago [-]
why's (poignant) Guide to Ruby
soraminazuki 14 hours ago [-]
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
sosodev 13 hours ago [-]
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
soraminazuki 13 hours ago [-]
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
busterarm 12 hours ago [-]
Politically-charged ultimatums _caused_ the hostile takeover of RubyGems. This whole thing is politics all the way down.
soraminazuki 12 hours ago [-]
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
sleight42 17 hours ago [-]
Why is this flagged? This is super relevant to HN!
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
lcnPylGDnU4H9OF 17 hours ago [-]
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
lcnPylGDnU4H9OF 14 hours ago [-]
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
splittydev 21 hours ago [-]
Is there any context on why? Is there some controversy regarding RubyGems.org I'm not aware of?
pil0u 21 hours ago [-]
This article was the most nuanced I found while everything was still hot. https://archive.ph/SEzoV
splittydev 21 hours ago [-]
[flagged]
phplovesong 20 hours ago [-]
Afaik rubygems kicked some long term contributors and stole the entire project. Thats some serious red flags for me. At what point rubyruby gems does something nasty is only a matter of time. They could start to gatekeep or even worse add some sort of paid version.
Anyway.. a core piece of infra like this needs to be open for anyone and not closed for some shady entrerprize.
byroot 20 hours ago [-]
That's a particularly one sided account of the events.
Ruby Central wanted to oust one or two specific maintainers because of a rocky relationship (whether it was warranted or not is not my point).
It later backfired when a majority of the other maintainers resigned.
> They could start to gatekeep or even worse add some sort of paid version.
That's a funny accusation given that's something the ousted maintainers now behind gem.coop wanted to do a while ago.
wallmountedtv 21 hours ago [-]
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
Might be worth noting the figure in question is the creator of Ruby on Rails.
wahnfrieden 20 hours ago [-]
[flagged]
simianparrot 20 hours ago [-]
[flagged]
phoronixrly 20 hours ago [-]
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
> a hostile takeover forced by Shopify through Ruby Central.
That's entirely unsubstantiated.
joeldrapper 20 hours ago [-]
I heard it directly from people directly involved.
byroot 19 hours ago [-]
So it is unsubstantiated.
Kudos 15 hours ago [-]
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
byroot 14 hours ago [-]
I dropped the entirely because I am on mobile.
We don’t have multiple first hand accounts. All we have is second hand account being relayed by someone with a massive axe to grind against Shopify.
There are a lot of truly committed Rubyists at Shopify, particularly the one handling the relationship with Ruby Central.
The idea that Shopify had done what Joel aledges without a single one of the involved parties on the Shopify side blowing the whistle is preposterous.
shevy-java 13 hours ago [-]
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
byroot 13 hours ago [-]
> He pointed that out when he wrote the article.
Did he point out how it ended, and how he spent the better part of two years having public tantrums about it on Twitter?
Disclosing that you worked somewhere isn't relevant. Worse, it can easily give the impression that there is some insider knowledge involved.
What is relevant is how the relationship ended.
> Let's add here that YOU also worked at Shopify, until recently.
Yes, and I left over some major disagreements, hence if I have a bias, it would be against Shopify, not in favor.
JimDabell 21 hours ago [-]
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
shevy-java 13 hours ago [-]
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
IshKebab 21 hours ago [-]
[flagged]
sunshine-o 18 hours ago [-]
Interesting, I only knew who he was through his "Leaving the cloud" serie of posts.
I am just trying to draw a parallel between the two to try to understand its broader ideology. So some might say both big cities like London and hyperscaler like AWS are:
- very expensive and have become unaffordable for many actors
- limit your freedom to scale and accommodate a very broad range of guests
- under massive surveillance and control
where the comparison stops is:
- AWS offers pretty good security but London is not (and hasn't for a long time)
- It is pretty easy to get kicked out of AWS if you do not follow the rule or pay
rossriley 21 hours ago [-]
The population of London at the last census was still 60% British born. The difference between 2000 is that the figure was 60% white British.
He's not saying London doesn't have enough British people, he's saying it doesn't have enough white people in it.
That and saying it was heartwarming to see a Tommy Robinson march who represents the most extreme fringe of British right wing politics.
jmcgough 21 hours ago [-]
NYC has roughly the same stats - 40% of the residents there are foreign-born. This is more to do with low birth rates by natives, so population growth in NYC and London is entirely driven by immigration. The biggest problem is that it's too expensive for most people to have and raise kids in major cities.
What was more troubling to me was that he called the Tommy Robinson rallies "heartwarming". TR was a member of an explicitly fascist, white nationalist party. The rallies were full of signs calling for death to Muslims. Or, in the same blog post, his disproven claims of migrant gang r*pes. On top of that, he has written some really vile things about transgender people.
I would like to go to a tech conference and focus on Ruby, not politics. I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
sad-pack 20 hours ago [-]
"I care about Ruby and want it to die…”
“I try to discourage them because I don’t want more Ruby code in the world…”
I wouldn't bother replying to that account, it's not arguing in good faith. Ishkebab has stated many times its goal is to kill ruby and its community.
I'm not. It's true that I dislike Ruby and prefer everyone would abandon it, but that's orthogonal to the issue we're discussing. In fact I'm saying that the Ruby community is being stupid and shooting themselves in the foot by characterizing relatively mainstream right wing views as "extremism".
If I was being disingenuous I should really encourage this schism!
> It
Dunno if you're a native English speaker or not but the normal way to refer to someone of unknown gender is "they". "It" is offensive.
lcnPylGDnU4H9OF 13 hours ago [-]
> relatively mainstream
This doesn't preclude extreme. Not commenting on whether the community's is shooting themselves in the foot or not, just that the reason provided is not a good one for believing so.
> If I was being disingenuous I should really encourage this schism!
I do not think that you are necessarily being disingenuous but misunderstanding the difference of opinion in this way actually seems to encourage said schism.
IshKebab 12 hours ago [-]
> This doesn't preclude extreme.
Uhm yeah it literally does. Mainstream views can't be extreme by definition. You might not agree with them, but that's a different thing.
> misunderstanding the difference of opinion in this way
I haven't misunderstood anything.
lcnPylGDnU4H9OF 11 hours ago [-]
> I haven't misunderstood anything.
You have misunderstood why people use the term "extremism".
> Mainstream views can't be extreme by definition.
Of course they can; mainstream views can't be uncommon by definition. Extreme doesn't strictly mean uncommon (not even in a political context), it is also used to mean "high degree", which can include distance from political centrism but can also include, e.g., frustration or flavor of cookie. To give another example, various online "challenges" like the "ice bucket challenge" are extreme but were also relatively mainstream when they were commonly performed and posted online; the term "ice bucket challenge" is still mainstream and the challenge itself is extreme (in fact, the reason it's called a "challenge" is because it is extreme).
Thinking there's too many immigrants might be mainstream (it currently is) but whether or not it's extreme depends on the degree to which it's believed. If it's believed to a high degree (such as "immigration is the worst thing about the capital city of this nation") by a large number of people then it is an extreme mainstream view by definition.
IshKebab 7 hours ago [-]
> various online "challenges" like the "ice bucket challenge" are extreme
Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
In a political context it literally means "far from the norm". His views are not far from the norm, as much as you might hate that. (I'm not a huge fan either but I'm not going to distort reality to make myself feel better.)
lcnPylGDnU4H9OF 6 hours ago [-]
> In a political context it literally means "far from the norm".
No, this is simply what you want it to mean, keeping in mind you're trying to tell other people what they mean with their word choice. Extreme views can be normal and mainstream and typical. There are many normalized-but-extreme views in current mainstream politics.
> Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
Pouring a bucket of ice water on your head to bring attention to something is extreme. Like, it's over-the-top and exaggerated. You can disagree but that's kinda moot: someone isn't strictly wrong that it's extreme, you just disagree. You still didn't address the greater point that extreme, as it's being used, is orthogonal to mainstream.
But I guess I can link to a dictionary so you can see that I have a pretty normal (and mild) definition of the word in question. I hope you don't cherry-pick definition 1c, ignoring definitions 1a and 1b, which are, of course, valid.
Maybe 4 is the best definition, seeing as it gives "the extreme political left" as an example usage. It's not obvious to me how "advanced and thoroughgoing" means "not mainstream", though. I wouldn't mind an explanation.
> he has written some other really vile things about transgender people.
Do you have a link? I suspect these "really vile things" will turn out to be not so vile (like JKR), just things you don't agree with.
> I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
Really? Did he talk about politics at this Ruby conference? Seems like it is you that can't focus on Ruby.
soraminazuki 9 hours ago [-]
> I suspect these "really vile things" will turn out to be not so vile (like JKR)
"Not so vile" things like spreading lies about a female Olymics Boxer's gender, calling her terrible names, and inciting her online followers to harass her? She not only bullies transgender individuals but also targets other women who don't meet her own standards of femininity. If you have no problems with people like that, no wonder you can't fathom why the Ruby community has trouble accepting similar people with open arms.
IshKebab 7 hours ago [-]
Again, link? It's no good just talking about what heinous things someone has done. That kind of talk is always incredibly unreliable.
soraminazuki 1 hours ago [-]
Evidence for thee, but not for me? You write with such authority on this topic, yet you insist on demanding evidence for even the most basic knowledge surrounding it.
Consider what this conversation was actually about - a male sexual predator, caught pleasuring himself in the showers attached to a girls' changing room, who claimed, when caught, to have a female gender identity:
Setting aside that you're passing claims from a far-right troll as facts, that still doesn’t make it acceptable to equate trans women with sexual predators, both morally and logically. Or are you suggesting that if you can find one male sexual predator, it justifies equating all males with predators? I have a feeling you’d be up in arms about that.
Anyways, it's clear that you're intent on dehumanizing others, even creating a new account for the sole purpose of saying the most vile things, so I'll stop replying here.
43 minutes ago [-]
bobalob 6 hours ago [-]
[flagged]
soraminazuki 2 hours ago [-]
Shame on you for promoting libel by spreading unverified claims as fact. Have you even paused to consider what it's like for those on the receiving end of such harmful lies? Or do you, like JKR, revel in it even more after you've thought about it?
The evidence indicates that Khelif is male, with male physiological advantage, and therefore should never have been competing in women's boxing. And it is a matter of record that Khelif withdrew from the Eindhoven Cup rather than take the sex verification tests required to compete.
That proposed lawsuit mentioned in your BBC article near the end of 2024 went nowhere, by the way. How could it? The facts show there was no libel.
Couldn't find anything there, can you be more specific?
dustedcodes 21 hours ago [-]
[flagged]
dustedcodes 21 hours ago [-]
[flagged]
KingOfCoders 21 hours ago [-]
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
mosselman 21 hours ago [-]
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
KingOfCoders 21 hours ago [-]
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
"Spinel develops rv, the next-generation Ruby version manager"
phoronixrly 20 hours ago [-]
This doesn't explain how rv is threatening rubygems in any way.
x3n0ph3n3 10 hours ago [-]
They were using the name "rubygems" to fund-raise for not-"rubygems."
phoronixrly 9 hours ago [-]
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
x3n0ph3n3 9 hours ago [-]
It doesn't really matter if it's a non-profit. How do you think your company would react if you started raising money using their name?
phoronixrly 8 hours ago [-]
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
dismalaf 4 hours ago [-]
Ruby Central is a company that manages rubygems.org and rubygems. The maintainers who were locked out were being paid by Ruby Central while fundraising for their startup creating a competitor.
Doesn't it seem like a bit of a security risk to you?
KingOfCoders 17 hours ago [-]
[flagged]
phoronixrly 16 hours ago [-]
Oh, don't worry, I get what you and Rafael are trying to insinuate. I just want you to spell it out so that hopefully you see how stupid it sounds.
KingOfCoders 16 hours ago [-]
[flagged]
SSLy 19 hours ago [-]
flagged??
milliams 18 hours ago [-]
Based on the comments getting downvoted, it feels like some brigading going on.
realty_geek 15 hours ago [-]
Flagging this post is quite disturbing.
There is a conversation around this which needs to be had. Maybe on bsky or x?
This cannot be a response, as it was posted days before this was released.
dubbel 11 hours ago [-]
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?
Rendered at 05:11:34 GMT+0000 (Coordinated Universal Time) with Vercel.
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
[0] https://news.ycombinator.com/item?id=45490386
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Think about all of the organisational structures you know of.
Then ask yourself how is a cooperative fundamentally untrustworthy?
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
Of course, it's also true that many people won't have the spare time to find that out.
This is so funny to hear after 18 years in the west coast silicon-valley lead tech industry. All of the app, io, tv, tech, guru, and now ai I've seen and only when it's "coop" does anyone complain.
https://register.coop/
https://register.coop/services/
Neither the current authorized registrar list (https://identity.coop/register) nor the archived 2013 list (https://web.archive.org/web/20131019082806/http://www.nic.co...) includes register.coop. Where did you find this site?
Can you explain what the issue is?
Honestly, after "tweet" caught on as a verb, I've given up on thinking that we have any sort of crystal ball when it comes to names.
https://en.wikipedia.org/wiki/Cooperative
It's a word that nicely captures their objectives.
Gaslight much? "coop" implies intention and direction...you know, that thing that rubygems.org could have used?
I remember some complaints about the traffic that it produced[0] (though I don't think it's a bad idea. Basically federated downloads).
[0] https://sourcehut.org/blog/2023-01-09-gomodulemirror/
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
[0] https://bsky.app/profile/indirect.io/post/3m2j2pcinz22j
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.
Seems like you're the ideal consumer for this new service, since it actually has people who can do that.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
the rv thesis is here: https://andre.arko.net/2025/08/25/rv-a-new-kind-of-ruby-mana...
that was always possible https://guides.rubygems.org/run-your-own-gem-server/
(there's also "gem server")
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
[0] https://www.bleepingcomputer.com/news/security/60-malicious-...
[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....
This does not bode well for the team having the socio-technical savviness to see this project through.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
.xyz is kind of infamous for being in this situation. https://news.ycombinator.com/item?id=28554400
I have no idea if that applies to .coop though.
Though there's no way that this is something you care about, cmon.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Does the original have many maintainers left?
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
Package management cannot be a 'solved problem' or there would be no innovation there, and you don't have to look far to find is not the case.
As for the idea that rubygems is 'dead' (not what mperham said), that is still too early to say for sure, as I imagine mperham would also agree, but it is definitely not a good sign. If we only get a trickle of changes to something that was once a very vibrant and lively community repo then that is to the detriment of the whole Ruby ecosystem. That would also be a bad sign.
It's fine. Keeps all the complainers away from the larger ecosystem.
I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
[1]: https://socket.dev/blog/gem-cooperative-emerges-as-a-communi...
Some people might consider that a dick move.
This a fact. By this alone I don't think Andre Arko is an honest person.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
I absolutely wouldn't want people to think that I'd be getting the money, so I think clarifying it was a good thing, regardless.
[1] https://web.archive.org/web/20150919025358/https://rubytoget...
[2] https://web.archive.org/web/20150919025603/https://rubytoget...
Since no /teams page was archived before March 2015, here's the Github commit of the overly vague team page https://github.com/rubytogether/rubytogether.org/blob/9a03c4.... This page was linked from https://web.archive.org/web/20150425040538/http://RubyTogeth... which stated "We pool funds from corporate and individual members to pay our team[github link]"
Altogether, it demonstrates how Andre misled people about who was getting the money. IMO, there's a distinct pattern of him crossing boundaries and then covering it up using his social skills & friend group.
Frankly that page is even more clear than I remembered. All of this happened so long ago.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
[0]: https://astral.sh/blog/introducing-pyx
https://spinel.coop/
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
1. Heavy dependency on Github. AKA Microsoft owns much of the golang ecosystem. Not just the source... The package distribution as well!
2. Many packages are referencing a git (short!) commit hash instead of a version. It still boggles my mind that this is an acceptable practice. Not to mention that git tags can be deleted and recreated... A pinnacle of secure package distribution practices.
3. Stuff like ambiguous imports because apparently nothing enforces proper go.mod files? They are not packages to be compiled after all, they're just repos with some conventional structure (optional)...
Mind you, this is popular production-grade software...
I think this is much worse than even node packages, let alone bundler and rubygems...
2. You complain about commit hashes while simultaneously noting that tags can be deleted and recreated. Hashes are precisely the solution to mutable tags. The "short hash" concern is a red herring; Git uses sufficient entropy that collisions are not a practical concern for dependency resolution.
As for "secure package distribution," go.sum files verify files verify consistent downloads. What additional security do you believe centralized registries provide?
3. Can you provide a concrete example of an ambiguous import you've encountered? I'm not familiar enough with Go to understand this criticism.
In open source too.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
https://web.archive.org/web/20251003112525/https://rubygems....
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
I agree they should post the whole source, regardless.
I hope they find financing to cover hosting costs.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
As a former Ruby dev, it makes me sad.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
My 2c is that 95% of ruby developers aren't aware of the drama going on around Rubygems.org right now. They have probably seen emails from Ruby Central but largely ignore them and move on with life. Most people have no idea there are issues and they will just continue using Rubygems.org. Getting a project like this to critical mass is incredibly challenging.
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
And no, I'm not saying that Danes are racist.
Hey.com is 37Signals' Gmail, not the company's private domain.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
Short of that, it's NBD right? Not really comparable.
I consider this somewhat unfortunate example, since we, as a society, are putting limits on this very thing. For example age, or species. How is that supposed to work if people are not allow to debate and express their opinions on where those limits are supposed to be?
Similar with the health care. What is covered and what is not, and who has to pay and who has it (almost) free, should very much be up for a debate. Otherwise, how do you improve anything?
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
It's a matter of boundaries, and speaking up.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again. Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
Not everyone is a fundamentalist.
To a right-winger, safety is bigotry and hatred is love. Of course, how else could it ever be.
Do you really care about freedom if you don't let white nationalists abuse everyone and everything in their power all the time?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
[1]: https://news.ycombinator.com/item?id=27286628
[2]: https://news.ycombinator.com/item?id=27207734
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...
1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
2: https://news.ycombinator.com/item?id=45348390
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
Anyway.. a core piece of infra like this needs to be open for anyone and not closed for some shady entrerprize.
Ruby Central wanted to oust one or two specific maintainers because of a rocky relationship (whether it was warranted or not is not my point).
It later backfired when a majority of the other maintainers resigned.
> They could start to gatekeep or even worse add some sort of paid version.
That's a funny accusation given that's something the ousted maintainers now behind gem.coop wanted to do a while ago.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
https://joel.drapper.me/p/rubygems-takeover/
[1] https://web.archive.org/web/20250920061923/https://world.hey...
[2] https://web.archive.org/web/20250920061926/https://world.hey...
[3] https://web.archive.org/web/20250918051013/https://world.hey...
That's entirely unsubstantiated.
We don’t have multiple first hand accounts. All we have is second hand account being relayed by someone with a massive axe to grind against Shopify.
There are a lot of truly committed Rubyists at Shopify, particularly the one handling the relationship with Ruby Central.
The idea that Shopify had done what Joel aledges without a single one of the involved parties on the Shopify side blowing the whistle is preposterous.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
Did he point out how it ended, and how he spent the better part of two years having public tantrums about it on Twitter?
Disclosing that you worked somewhere isn't relevant. Worse, it can easily give the impression that there is some insider knowledge involved.
What is relevant is how the relationship ended.
> Let's add here that YOU also worked at Shopify, until recently.
Yes, and I left over some major disagreements, hence if I have a bias, it would be against Shopify, not in favor.
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
I am just trying to draw a parallel between the two to try to understand its broader ideology. So some might say both big cities like London and hyperscaler like AWS are:
- very expensive and have become unaffordable for many actors
- limit your freedom to scale and accommodate a very broad range of guests
- under massive surveillance and control
where the comparison stops is:
- AWS offers pretty good security but London is not (and hasn't for a long time)
- It is pretty easy to get kicked out of AWS if you do not follow the rule or pay
He's not saying London doesn't have enough British people, he's saying it doesn't have enough white people in it.
That and saying it was heartwarming to see a Tommy Robinson march who represents the most extreme fringe of British right wing politics.
What was more troubling to me was that he called the Tommy Robinson rallies "heartwarming". TR was a member of an explicitly fascist, white nationalist party. The rallies were full of signs calling for death to Muslims. Or, in the same blog post, his disproven claims of migrant gang r*pes. On top of that, he has written some really vile things about transgender people.
I would like to go to a tech conference and focus on Ruby, not politics. I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
“I try to discourage them because I don’t want more Ruby code in the world…”
I wouldn't bother replying to that account, it's not arguing in good faith. Ishkebab has stated many times its goal is to kill ruby and its community.
It's commenting here to stir things up.
https://news.ycombinator.com/item?id=43331847
https://news.ycombinator.com/item?id=43331847
I'm not. It's true that I dislike Ruby and prefer everyone would abandon it, but that's orthogonal to the issue we're discussing. In fact I'm saying that the Ruby community is being stupid and shooting themselves in the foot by characterizing relatively mainstream right wing views as "extremism".
If I was being disingenuous I should really encourage this schism!
> It
Dunno if you're a native English speaker or not but the normal way to refer to someone of unknown gender is "they". "It" is offensive.
This doesn't preclude extreme. Not commenting on whether the community's is shooting themselves in the foot or not, just that the reason provided is not a good one for believing so.
> If I was being disingenuous I should really encourage this schism!
I do not think that you are necessarily being disingenuous but misunderstanding the difference of opinion in this way actually seems to encourage said schism.
Uhm yeah it literally does. Mainstream views can't be extreme by definition. You might not agree with them, but that's a different thing.
> misunderstanding the difference of opinion in this way
I haven't misunderstood anything.
You have misunderstood why people use the term "extremism".
> Mainstream views can't be extreme by definition.
Of course they can; mainstream views can't be uncommon by definition. Extreme doesn't strictly mean uncommon (not even in a political context), it is also used to mean "high degree", which can include distance from political centrism but can also include, e.g., frustration or flavor of cookie. To give another example, various online "challenges" like the "ice bucket challenge" are extreme but were also relatively mainstream when they were commonly performed and posted online; the term "ice bucket challenge" is still mainstream and the challenge itself is extreme (in fact, the reason it's called a "challenge" is because it is extreme).
Thinking there's too many immigrants might be mainstream (it currently is) but whether or not it's extreme depends on the degree to which it's believed. If it's believed to a high degree (such as "immigration is the worst thing about the capital city of this nation") by a large number of people then it is an extreme mainstream view by definition.
Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
In a political context it literally means "far from the norm". His views are not far from the norm, as much as you might hate that. (I'm not a huge fan either but I'm not going to distort reality to make myself feel better.)
No, this is simply what you want it to mean, keeping in mind you're trying to tell other people what they mean with their word choice. Extreme views can be normal and mainstream and typical. There are many normalized-but-extreme views in current mainstream politics.
> Ok I think you just have a very abnormal (extreme even?) definition of the word "extreme".
Pouring a bucket of ice water on your head to bring attention to something is extreme. Like, it's over-the-top and exaggerated. You can disagree but that's kinda moot: someone isn't strictly wrong that it's extreme, you just disagree. You still didn't address the greater point that extreme, as it's being used, is orthogonal to mainstream.
But I guess I can link to a dictionary so you can see that I have a pretty normal (and mild) definition of the word in question. I hope you don't cherry-pick definition 1c, ignoring definitions 1a and 1b, which are, of course, valid.
Maybe 4 is the best definition, seeing as it gives "the extreme political left" as an example usage. It's not obvious to me how "advanced and thoroughgoing" means "not mainstream", though. I wouldn't mind an explanation.
https://www.merriam-webster.com/dictionary/extreme
Do you have a link? I suspect these "really vile things" will turn out to be not so vile (like JKR), just things you don't agree with.
> I'd like to leave my identity home and discuss software engineering and interesting technical ideas. DHH has made that impossible.
Really? Did he talk about politics at this Ruby conference? Seems like it is you that can't focus on Ruby.
"Not so vile" things like spreading lies about a female Olymics Boxer's gender, calling her terrible names, and inciting her online followers to harass her? She not only bullies transgender individuals but also targets other women who don't meet her own standards of femininity. If you have no problems with people like that, no wonder you can't fathom why the Ruby community has trouble accepting similar people with open arms.
https://www.bbc.com/news/articles/cm2njjm4e2po
https://xcancel.com/jk_rowling/status/1819007216214573268
https://xcancel.com/jk_rowling/status/1931144695771435140
Also, on another note, here's one of her many posts from JKR literally equating trans women with sexual predators.
https://xcancel.com/jk_rowling/status/1972054407148695732
It's astonishing how far some people will go to defend this kind of dehumanization of fellow human beings.
> https://xcancel.com/jk_rowling/status/1972054407148695732
Consider what this conversation was actually about - a male sexual predator, caught pleasuring himself in the showers attached to a girls' changing room, who claimed, when caught, to have a female gender identity:
https://xcancel.com/KatieDR96/status/1972050074227429663
Anyways, it's clear that you're intent on dehumanizing others, even creating a new account for the sole purpose of saying the most vile things, so I'll stop replying here.
https://www.bbc.com/sport/olympics/articles/c4gp8evl009o
https://www.dw.com/en/algeria-condemns-baseless-imane-khelif...
https://www.snopes.com/news/2024/11/20/imane-khelif-medical-...
https://www.telegraph.co.uk/boxing/2025/06/01/imane-khelif-m...
https://www.3wiresports.com/articles/2025/6/1/xxyetyl1aewfij...
https://lecorrespondant.net/docteur-suis%e2%80%91je-un-homme...
https://www.independent.co.uk/news/imane-khelif-eindhoven-ne...
The evidence indicates that Khelif is male, with male physiological advantage, and therefore should never have been competing in women's boxing. And it is a matter of record that Khelif withdrew from the Eindhoven Cup rather than take the sex verification tests required to compete.
That proposed lawsuit mentioned in your BBC article near the end of 2024 went nowhere, by the way. How could it? The facts show there was no libel.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
https://bsky.app/profile/rmfranca.bsky.social/post/3lz7alpob...
See https://spinel.coop/
"Spinel develops rv, the next-generation Ruby version manager"
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
Doesn't it seem like a bit of a security risk to you?
There is a conversation around this which needs to be had. Maybe on bsky or x?
https://x.com/africajam/status/1975206106738901110
https://bsky.app/profile/indirect.io/post/3m2iq5p7eoc2j