He logged in and changed the password after the board emailed him and told him his services were terminated. That includes/specifically mentions his on-call services. His response claims only silence from the board and that he was just performing his on-call duties.
I've been a corporate stooge for 25 years or so now. On-call duties are one of my main responsibilities. I would NEVER probe out which logins I still have access to after receiving notice of termination. He admits to doing this in multiple places.
All his justifications are that he was under contract to do work that he was already notified was terminated. Everything that follows either tells me that he has bad judgment, that he's lying (by omissions), or in the worst case totally delusional.
If he was so worried about operational takeover, why did he _change a password_ without notifying anyone else with operational capabilities that he was doing so? Nobody reasonable would _ever_ do that. There's a certain amount of upfront communication and CYA required of reasonable actors in this space and he doesn't have it (Not that Ruby Central did any better).
So no, I won't be changing my mind, and I don't know why you put "(again)" in there.
Why is there (seemingly) no public offer to former maintainers to rejoin, or acknowledgement of wrongdoing having been done as part of this? It's practically zero cost to do that; as the Ruby core team is (largely) not the party that inflicted harm.
Politeness? Conspiracy to have done this all along? Cultural differences around public vs private opinions? Something else?
What would we think if this wasn't a software project but a hijacked community bus, being passed from party to party, pretending nothing is untoward about the whole situation while the passengers are still aboard? "Oh good, the new bus drivers are politely accepting the keys from the hijackers; all is well!"?
Edit: https://www.reddit.com/r/ruby/comments/1o8zz3e/comment/njywb... No discussion with maintainers
It also seems like rubygems.org could simply fork the rubygems code, perform whatever 'security and governance' changes they believed were needed in their fork, and run with that?
Isn't that the open source way of handling disagreements in direction?
Because I once installed your project, I need to:
- Take over all of the accounts/access you AND all of your friends/co-maintainers used in connection with it
- Tell you it was a mistake, give back access temporarily
- Do it again!
- Have one of my board members who happens to be the treasurer say it was about the $
- Make a straight to camera YouTube post Addressing The Concerns
- Make a first "continuing our series of transparency" blog post a week later, where I use a dense corporate laden dialect to claim it was for the betterment of all mankind and definitely not about the $; because I need you to understand Where We Are Now; What This Is and What This Isn't.
- Open a Google forms question submission box.
- Smear your reputation, because you had an idea once about tracking which packages go to which companies; so I'll insinuate that you want to read everyone's mail and snoop through their undergarments drawer. What's that? My actions affected much more than just you? Quiet now, we're reshaping the narrative to smear you.
- Answer no questions, explaining that we chose to give you a regular series of Friday updates; but also We Want to Move On from the back and forth but also in that same publication have another go at the smear, because it partially worked.
- Donate the project to my state library, to take some of the heat off of me
Isn't that so much easier than typing "git clone" and "git remote add"?
(I am consistently flummoxed that a handful of people here are buying this narrative; instead of as you point out... Just applying a smidgeon of critical analysis about the usage of tools that the majority of us must use day to day and coming to the conclusion you do. Instead of doing this or accepting this conclusion, there's a frothy passion it seems for Appeal to Authority/Argument from Authority where any excuse, flaw, etc on the part of the maintainers is used to justify the whole chain of events.
It seems like it hits 5-7 facts and people can no longer manage them in short term memory, go and look at more than what is presented to them by a single party, etc; so they just default to the easiest mental shortcut.
For some reason I keep falling into the trap that "people are more educated, capable of critical thinking, and have easier access to data than ever before in history"; which I rationally know is not true)
- Corporate entity doesn't have copyright over your creative output. Just because word can open and view ("run") your novel does not give them ownership.
- Locking your access completely on your resources would be akin to a ransomware attack or account compromise
Would you label those actions hostile? Or just accept it as right because "maintain security"?
If you would label the above hypothetical actions as hostile (if not outrageous overreach, something akin to theft?); what is fundamentally different to what Ruby Central did by taking over the source code of a GitHub repository?
1. Admit that he was the unauthorized actor (which means he's probably admitting to a crime?)
2. Have him attest he didn't exfil or modify the integrity of service while committing a crime.
If I was Ruby Central I would give clemency on #1 in exchange for #2 and I think #2 helps Andre Arko.
- Account created 14 hours ago.
- Posts article crammed full of accusations
- Has a strong well formed opinion about "it's a crime", but didn't? read the content where the subject of the accusations has.... Already disclosed they had access in both private and public.
My account is also very new, because I have opted to discard my previous ones. I have used it to comment predominantly on this topic, as I sympathise with the maintainers.
So in the interests of making a similar disclosure is there any chance you are affiliated with RubyCentral through a business relationship with them, their legal counsel, a marketing or PR agency or anything of that nature?
You as a person who uses reddit have a general agreement most likely with the concept of reddiquette, and perhaps go to engage with diverse views, maybe to learn something, maybe to just have an argument. Normal internet forum stuff.
However, you are arguing with a vertically integrated propaganda machine that is basically an experimental weapons testing facility for rhetoric.
https://en.wikipedia.org/wiki/Internet_Research_Agency but on so steroids, of which those steroids are on various white powders and no this isn't the War on Christmas. It's less obvious because this machine mimics normal, centrist US culture in ways that slip under the cognitive radar.
You could more easily recognize this if it were AI prompts in the style of 1984 or Pravda; but it's more difficult in this case - it is just rational enough to be ridiculous/incredulous; that it seems like debate is a suitable avenue; it aligns to your context enough and while you might not agree; you could see how 1 in 10 people might be misled.
As a result, you engage and then one of the following happens:
- You make a point so salient they banhammer you because you cannot control the narrative.
- Or they mock you, and rally their "side" into feeling superior as a reaction/answer to their side's questioning of "huh, are we the baddies?". Of course not, it's the "loser woke left antifa attack helicopter pronoun'd TROUBLEMAKERS", who are an outgroup and just don't think about it too hard, k? Don't do the hard work of self examination! Just yell at this outsider!
As a result you aren't engaging with the centre right you hoped to; and if you even get close you will be removed as a threat, ASAP.
The game being played by one participant is "try anything that catches attention, causes fear and lures people to our mindset"; vs your (reasonable, but ultimately mistaken) view that rational debate would correct this and mutual understanding may emerge (and that's a positive; win win social outcome)
This isn't your fault, even longtime slightly centrist conservatives end up falling victim to this trap; when they realize their values don't align to the mechanics above, and are surprised when they are turned on by their former allies.
Unless you have a firm grounding in human psychology and few qualms about manipulation; it is unlikely that discourse or debate will get you anywhere if based on facts, not feelings.
I would firmly encourage you to keep the instinct to engage in discourse; but find social forums where it is a lot harder for a propaganda machine to control the narrative. Will still be tough, but face to face interactions in common spaces can build community.
The "other side" of the political spectrum or almost any group is absolutely just as liable to end up in this situation. It is not some "right wing" specific problem, it is a small but powerful group hijacking others to further their own goals, and people protecting their interests by funding the small group.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
The "maintainers" weren't volunteers. They were paid employees.
Also none of the ones complaining were the original authors of gem nor bundler.
You work for Microsoft as an independent contractor, as a night watchman/groundskeeper. So do a number of others. You were hired because you and your crew of weirdos were writing the story of advanced gardening and building maintenance; which people including those at many famous and powerful companies used and found useful. A number of years ago someone said "huh, maybe these guys should get funding", and a few others agree; and Microsoft ends up in charge of distributing that funding.
The above still happens. They have locked your computer with a ransomware message that says "we will give you back access if you get rid of one of you". To lock your computer, which is airgapped, it would require someone with admin privileges to your computer to walk in and manually do this. It turns out one of your colleagues has done this, added an account for the Director of Night Maintenance at Microsoft to your machine.
You and almost all of the "paid employees", again, a number of whom are independent contractors, resign in protest; leaving only the person who tampered with your computer.
https://bsky.app/profile/duckinator.bsky.social/post/3lz6exz...
> The behavior Ruby Central exhibited was so egregious that I sincerely thought someone's account had been compromised at one point
During this chaos; which all happened between September 9 and September 18;
- at midday LA time/2:40pm New York time; Microsoft terminates the contract with one specific individual; who was the one they demanded the group gets rid of if they wanted access back
- 8 hours later, that person locks the doors; changes nothing else, etc.
Some basic analysis about the situation you need to do:
- Did the actions on September 19th, even if you believe it was a crime of the most serious nature, justify the actions on Sept 9-18 where Microsoft took access, said whoopsie, then did it again?
- Treating the Sept 19 actions as a crime; did the person who did it do so with a criminal intent? (Mens rea). Did they intend harm? Or were they indifferent to the harm caused? Should this be prosecuted, has that person provided justification or similar that could in any way be reasonable doubt?
- If the actions on September 19 are a crime in your viewpoint; would paying/influencing someone to lock the accounts of all of the maintainers also be a crime? Why or why not?
Note that you'll want to read https://www.law.cornell.edu/uscode/text/18/1030
First off, was anything involved a "protected computer"? No, probably not, not by the legal definition there; yes by what we as laypeople would assume.
But, let's roll with the assumption it's "literally a crime" and not a civil matter; but apply that standard equally.
> (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
* Is the draft novel/rubygems source code a thing of value? Yes. $5000 worth? Tricky to say with the open source licencing! But RC were distributing $ to maintain it; and that cost them more than $5000/year. Cost does not equal value; but I think we can argue yes, kinda here.
> (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
* Did anyone attempt to extort anyone else to remove a person? (Get rid of x if you want access back!)
* Did that have value? (Gee, I hope the treasurer didn't post, it was about the funding deadlines/only to have that walked back!) Also a bit murky as the value isn't coming from the extortion directly, only indirectly.
> (b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
* Did anyone conspire? (Two or more people agree to criminal act, followed by an overt act)
Can you plausibly see how if you try to apply US law to argue one individual on one side is a criminal; that same law would likely make the other side just as criminal; if not more so?
---
> none of the ones complaining were the original authors of gem nor bundler.
Doesn't hold water.
From the individual: https://andre.arko.net/2025/09/25/bundler-belongs-to-the-rub...
"I joined the team at a pivotal moment, in February 2010, as the 0.9 prototype was starting to be re-written yet another time into the shape that would finally be released as 1.0. By the time Carl, Yehuda, and I released version 1.0 together in August 2010, we had fully established the structure and commands that Bundler 2.7.2 still uses today."
I.e.: Claims to be a significant contributor, predating any "stewardship" by RubyCentral. I would argue this can be borne out by contributions and the fact he proposed the darned merger with RC in the first place; and that merger assigns no intellectual property rights or similar.