Tag: Ruby

When Responsibility and Power Collide: Lessons from the RubyGems Crisis

September 23, 2025 /

The Ruby community experienced significant turbulence in September 2025 when Ruby Central forcibly took control of the RubyGems GitHub organization, removing long-standing maintainers without warning. As someone who has worked extensively on RubyGems security - first independently and later with Mend.io - protecting our ecosystem from supply chain attacks and handling vulnerability reports, I found myself caught between understanding the business necessities and being deeply disappointed by the execution.

I should clarify: I'm not affiliated with Ruby Central, but I've been working behind the scenes to keep RubyGems secure for years. Most people don't realize the constant vigilance required, including assessing security reports, investigating suspicious packages, and coordinating responses to threats. The RubyGems blog has documented some of these efforts, but much of this work happens quietly, every single day.

The Supply Chain Security Context

Recent events in the software world have made supply chain security yet again impossible to ignore. We've seen attacks on npm, PyPI, and other package registries that compromised thousands of systems. We've also seen attacks on RubyGems. These aren't theoretical risks-they're active, ongoing threats that require constant attention.

Having personally taken over a few gems, I understand the complexity involved. These transfers required months of legal documentation, clear agreements, and, most importantly, communication and consent from all parties. What seems like bureaucratic overhead is essential risk management when dealing with infrastructure that thousands of companies depend on.

Yet while security is critical, it cannot become a blanket justification for rushed decisions and broken processes. True security requires not just control, but also the trust and cooperation of those who understand the systems best - and that trust, once shattered through poor execution, is far harder to rebuild than any technical vulnerability is to patch.

WHY vs HOW: The Critical Distinction

The WHY behind Ruby Central's actions - securing critical infrastructure, establishing clear legal frameworks, and protecting against supply chain attacks and legal risks - addresses real concerns, though questions remain about whether these fully explain the specific decisions made. As Ruby Central stated, they have a "fiduciary duty to safeguard the supply chain." When enterprises require SBOMs (Software Bill of Materials), when security audits demand transparent ownership chains, when legal liability is on the line, having unregulated access to production systems creates genuine risk.

The HOW - removing access without warning, failing to communicate, breaking trust with maintainers who had served for years - was catastrophic. As Ellen Dash documented and André Arko confirmed, maintainers learned about their removal through GitHub notifications, not communication from Ruby Central. The same objectives could have been achieved with proper planning, effective communication, open discussion, and respect for the individuals who had dedicated their lives to this ecosystem.

The Missing Human Element

One of the biggest failures has been Ruby Central's absence from the day-to-day community. Apart from Marty Haught, I rarely interact with Ruby Central leadership. They're not in the trenches with us (in the areas where I operate), they don't participate in the daily work, and they don't build relationships with maintainers. This disconnect created a situation where crucial decisions were made by people who didn't truly understand the human cost.

It's crucial to understand that the RubyGems GitHub organization contains far more than just the repositories Ruby Central funds or operates. While Ruby Central is responsible for RubyGems.org (the service) and funds work on core projects like Bundler and the RubyGems library, the organization also houses numerous other repositories - both public and private - that have no direct relationship with Ruby Central. By seizing control of the entire GitHub organization, Ruby Central took possession of projects that may have been beyond their legal or ethical purview - a concerning overreach that warrants scrutiny.

When you remove half of the on-call team members without warning, you're not improving security - you're creating operational risk. When you alienate the people who know the system inside and out, you're not protecting the ecosystem - you're endangering it.

What breaks my heart is seeing talented and dedicated contributors walk away. The domain knowledge these maintainers possess took years to build. The collaborative culture, the shared understanding, the trust between team members - these intangible assets are now damaged or lost. You can't just hire new engineers and expect the same level of expertise and dedication overnight.

Governance vs Control: Finding the Balance

The fundamental tension remains: who should control critical services that entire ecosystems depend on? After dealing with similar transitions myself, I've learned that governance and control don't have to be in opposition. A Ruby Central board member's perspective revealed the pressures they faced, including potential loss of funding, but also acknowledged that execution was poor.

A more surgical approach would have been to transfer only the critical repositories - RubyGems.org, perhaps the core RubyGems and Bundler repos - to Ruby Central's direct control while leaving the broader organization structure intact. This would have addressed their stated security concerns without overreaching into unrelated projects. The fate of the dozens of other repositories should have been discussed openly with the community, not decided unilaterally under time pressure.

  • Governance is about direction, goals, and community involvement in decision-making
  • Control is about legal and operational boundaries - who bears responsibility when things go wrong

An organization can maintain control for legal reasons while still having transparent, community-driven governance. But this requires:

  1. Clear agreements established in advance
  2. Transparent communication throughout the process
  3. Respect for existing contributors
  4. Understanding that trust is earned, not demanded

Ruby Central had understandable concerns about security and liability. But their execution turned a necessary evolution into a crisis. The same changes, implemented over weeks or months with proper communication and respect for maintainers, might have been accepted as unfortunate but necessary.

Moving Forward: Uncomfortable Truths

We need to acknowledge several realities:

  1. Critical infrastructure needs formal governance - The era of informal arrangements for mission-critical services is ending. This transition must be handled with care.

  2. Legal responsibility requires appropriate control - If Ruby Central faces lawsuits or liability, it needs the ability to manage that risk. This is non-negotiable in today's threat landscape.

  3. Security theater isn't security - Real security comes from experienced teams with deep system knowledge, not from corporate control structures.

  4. Community contribution and corporate control can coexist - But only with clear agreements, transparent processes, and mutual respect.

  5. Ruby Central needs to be present - Leadership must engage with the community, understand the daily work, and build relationships with contributors.

  6. Decisions made under extreme time pressure are rarely optimal - Critical infrastructure changes need careful planning, not panic-driven actions. If there truly was a 24-hour deadline - whether from external pressure or internal mismanagement - it reveals systemic governance problems that enabled this crisis

My Path Forward: Why I'm Staying

Despite everything that has transpired, I've decided to continue my work with RubyGems. I'll continue to do what I've been doing for years: hunting for malicious and spam packages, assessing security reports, and developing new ways to protect our community.

It would be hypocritical of me to abandon ship now. Throughout this article, I've argued that those who bear responsibility should maintain control. I've emphasized that real security comes from people with deep system knowledge, not from organizational structures. How could I make these arguments and then walk away from the very work I claim is so critical?

The Ruby community deserves continuity and stability, especially during this turbulent period. The malicious actors trying to compromise our supply chain won't pause their attacks because of organizational drama. This isn't about endorsing how things were handled - I've been clear about my disappointment. It's about recognizing that the Ruby ecosystem is bigger than any individual or organization.

A Personal Reflection

As someone who deals with enterprise Ruby software and security requirements daily, I understand the types of pressures Ruby Central claims to have faced. Supply chain attacks are real. Legal liabilities are real. The need for formal structures is real.

But as someone who has worked to protect RubyGems from these very threats, I know that security comes from people, not policies. It comes from maintainers who care enough to respond at midnight, from contributors who spot anomalies because they know the system intimately, from a community that watches out for each other.

The Ruby community has lost more than just access permissions. We've lost people who cared deeply, who worked tirelessly-often without recognition or compensation - to keep our ecosystem secure. While I'll continue my security work because I believe in protecting our community, I mourn the loss of colleagues who deserved better.

The question isn't whether critical infrastructure needs proper governance - it clearly does. The question is whether we can implement these necessary changes while preserving the human relationships and domain expertise that actually keep our systems secure. More importantly, we must ask whether the current governance structure adequately protects against undue influence from any single external source. Based on recent events, we have a lot of work ahead of us to build a system that is both secure and truly independent.

For more context on these events, see: Ellen Dash's account, André Arko's farewell, Ruby Central's official statement, and a board member's perspective

Past, Present, Future, and Brotherly Love: My Final RailsConf Journey

August 18, 2025 /

A few weeks have passed since RailsConf 2025, which was running from July 8th to 10th in Philadelphia, PA, and I've had time to process what was my first (and last) RailsConf experience. It wasn't just any RailsConf – it was the final edition after nearly 20 years of bringing together the Rails community. There's something poignant about attending what the organizers called "the last celebration" of Rails' longest-running conference.

After attending RubyKaigi 2025 in Matsuyama this past April, I was eager to compare it with RailsConf. RubyKaigi emphasizes Ruby internals and provides a unique bridge between Japanese and Western cultures, while RailsConf focuses on the Rails ecosystem and its diverse, dynamic community. With these experiences in mind, I approached RailsConf with excitement and curiosity about how it would distinguish itself.

Philadelphia was an excellent choice for this final gathering. The conference was held at Sheraton Philadelphia Downtown (201 N 17th St), right in the center of the city, making everything conveniently walkable. The organizers did an outstanding job securing accommodations at both the central conference hotel and The Logan Philadelphia nearby, ensuring plenty of space for attendees.

Getting There: From Kraków to the City of Brotherly Love

My journey to Philadelphia started early - a 6 AM flight from Kraków to Frankfurt, then onward to Philadelphia. I appreciated that the organizers chose a city accessible to international attendees. The East Coast location was particularly beneficial for European travelers like myself - the jet lag wasn't too punishing, coming from Poland.

I was apprehensive about border controls, which seem increasingly rigid these days, though I encountered no problems whatsoever. Philadelphia pleasantly surprised me with its cleanliness and surprisingly calm atmosphere, at least in the downtown area where the conference took place.

First Impressions: Heat, Humidity, and Hospitality

What immediately struck me was the oppressive weather – 36°C (97°F) with crushing humidity. Walking became a strategic exercise in shadow-hopping and route optimization. Despite the heat, the city had that distinctive American energy that I genuinely enjoyed with a European twist.

I have mixed feelings about hosting conferences directly in hotels where attendees stay. On one hand, it's incredibly convenient – you can grab a quick nap between sessions or drop off swag without leaving the building. On the other hand, it can create a bubble effect where you never really experience the host city. In this case, the convenience won out, especially given the weather.

Day 1: Technical Content and Community Connections

Day 1 was primarily about reconnecting with familiar faces and meeting new community members. There was one standout technical presentation about "The Ghosts of Action View Cache" that caught my attention for being genuinely technical and diving into implementation details.

Having just come from RubyKaigi, I had my expectations for technical depth calibrated relatively high. Coming from RubyKaigi, where presentations dive deep into Ruby internals and advanced topics, some of the RailsConf talks felt less technically dense. That's not to say the presentations weren't valuable – they addressed different needs. RailsConf has always been about the broader Rails ecosystem, including topics that might not interest hardcore Ruby internals folks but are crucial for the day-to-day work of Rails developers.

The evening was refreshingly low-key – we stayed in the hotel, shared some beers, and enjoyed conversations about the state of Rails and Ruby. Nothing spectacular, but precisely the kind of organic community building that makes conferences worthwhile.

Day 2: Past, Present, and Future Panel

Day 2 was the big day for me – I participated in a panel discussion with Mike, Rosa, and Ben about the past, present, and future of Ruby background processing engines. I can't objectively evaluate our performance since I was part of it, but the audience seemed engaged, and there was plenty of laughter, which I take as a good sign.

We managed to cover both our prepared talking points and several audience questions. I wish we'd had more time to delve deeper into technical implementation details, but RailsConf targets a broader audience than highly technical conferences like RubyKaigi.

One thing I noticed was how polite everyone was during the panel. Nobody complained about things that don't work well in the Ruby background processing ecosystem. While that makes for a pleasant discussion, it also means we might have missed opportunities to address real pain points that developers face daily. These could be a topic for a future blog post themselves.

The day also included hackathon–style breakout sessions with teams tackling different challenges. I ended up working on my projects and ideas – essentially a personal mini-hackathon to prototype a small application I'd been contemplating.

Meeting Karafka and Shoryuken Users

What made this day particularly special was connecting with the users of my open-source projects. I was thrilled to meet people using both Karafka and Shoryuken, and the positive feedback I received was incredibly energizing. There's something uniquely rewarding about putting faces to GitHub usernames and hearing firsthand how your work impacts other developers' daily lives.

Exploring Philadelphia: Food, Culture, and Conference Social Events

Between conference sessions, I managed to explore Philadelphia's highlights. The Rocky Steps at the Philadelphia Museum of Art were obligatory – you can't visit Philly without channeling your inner Rocky Balboa, however cliché it might be. The surrounding museum district offered beautiful architecture and a rich historical atmosphere perfect for wandering.

The culinary scene exceeded expectations. I particularly enjoyed some fish tacos from my Uber-recommended spot - perfectly spiced with just the right amount of heat, crispy texture, and fish that wasn't overly moist. Philadelphia's diverse food landscape offered far more than the stereotypical cheesesteaks, though I did sample those, too.

Conference Social Events

The Sidekiq-sponsored board games evening was brilliant. While I'm not typically a board game enthusiast, I was there for the beer and conversations – and both delivered. These kinds of informal gatherings often produce the best conversations and connections.

Day 3: Presentations and Concerns About AI

Day 3 brought on several compelling talks. I particularly enjoyed one about ActiveRecord migrations that was well-executed and informative.

But the highlight, as always when he's speaking, was Aaron Patterson's talk. Aaron has this unique ability to be simultaneously hilarious and thought-provoking. His presentation covered his previous talks and various loose thoughts about conferences and the Ruby ecosystem. While entertaining, he touched on a topic that's quite troubling for me: the impact of AI on the open-source environment.

Aaron's concerns mirror my own growing apprehensions. He argued that AI tools might inadvertently stifle innovation because the friction and pain points that typically drive developers to create better solutions will be papered over by AI assistance. Instead of solving problems that hurt developers, we might start offloading responsibility to these tools to work around issues rather than fixing them fundamentally. He gave the example of "convention over configuration" in Rails – a principle that emerged from the pain of XML configuration files. If LLMs had existed then, developers might have automated the XML generation rather than questioning whether XML configuration was the right approach at all.

It resonates with my concerns about AI's impact on tool selection and ecosystem diversity. If developers increasingly rely on AI recommendations, they'll likely choose the most popular tools - the ones the AI was trained on most heavily – rather than better, more innovative, or more suitable alternatives for specific use cases. It could cement the current landscape, making it increasingly difficult for new tools to gain adoption unless they fill an empty niche.

The risk is that instead of a diverse, evolving ecosystem where better solutions can emerge and gain traction, we might end up with a "frozen" developer landscape where the most popular tools become permanently entrenched simply because they're what AI tools recommend.

Day 4: RubyGems Team Meeting

While the official conference ended on Day 3, Day 4 brought an important RubyGems team meeting. It lasted about 2.5 hours and was incredibly productive. Having six of us in person was fantastic - there's something irreplaceable about face-to-face collaboration when you usually work distributed across different time zones.

We covered numerous topics about how RubyGems operates and what changes we need to make moving forward, including many operational aspects related to new platform policies. Some excellent improvements will come out of that meeting.

This kind of in-person collaboration is one of the most valuable aspects of conferences that people often overlook. While the talks get recorded and can be watched later, these impromptu meetings and discussions can only happen when everyone's in the same place.

Community Reflections: Age, Support, and the Future

Several things struck me about this final RailsConf, mostly positive and some concerning.

The Positive: The organization was excellent, Philadelphia proved to be a great host city, and the community spirit was strong. I received numerous warm comments about my open-source work, particularly Karafka and Shoryuken, and met users I'd never have encountered otherwise.

The sponsor's presence created a good atmosphere for meaningful connections with companies supporting the Rails ecosystem.

Many people expressed genuine interest in contributing to open-source projects, but seemed unaware of the challenges involved in maintaining a project over many years. It isn't criticism – it's more an observation about the gap between wanting to help and understanding what's involved in long-term project maintenance.

The Concerning: One observation that both struck and somewhat concerned me was the apparent aging of conference attendees. I'd estimate the average age at the conference was well over 35, possibly closer to 40. It could indicate several troubling trends:

  1. Market conditions: The tech job market, particularly for junior developers, might be challenging enough that fewer younger developers are attending conferences.

  2. Technology relevance: Ruby and Rails might not be attracting new developers the way they once did. This could be specific to the region (Philadelphia) or a broader trend.

  3. Economic factors: Companies might not be funding conference attendance as readily, particularly for more expensive destinations requiring travel and accommodation.

The criticism I received about Karafka's pricing also highlighted an interesting disconnect. Some developers seemed to view the commercial aspects of open-source sustainability as problematic, despite the extensive free tier and the reality of what it takes to maintain enterprise-grade software over many years.

Final Thoughts: The Magic of In-Person Gatherings

RailsConf 2025 was a fitting finale to nearly two decades of Rails conferences. While different from RubyKaigi – less technically intense but more focused on community and practical applications – it served its purpose well as a gathering place for the Rails ecosystem.

The enduring magic of every conference lies in facilitating conversations and connections that simply cannot happen any other way. Despite all our advances in remote collaboration tools, they remain fundamentally limiting for certain types of relationship-building and knowledge transfer. Despite all the advances in remote work and virtual collaboration, there's still something irreplaceable about grabbing a beer with someone whose gem you depend on, or having an impromptu hallway conversation that sparks a new idea.

As Rails conferences transition to becoming tracks within RubyConf starting in 2026, I hope we don't lose the specific focus on the Rails ecosystem that made RailsConf valuable. The combination of community building, practical applications, and ecosystem updates served an essential role in keeping the Rails world connected.

While I miss the deep technical content that makes RubyKaigi special, RailsConf fulfilled a different but equally important role. It reminded me why I fell in love with the Rails community in the first place – not just for the technical excellence, but for the people who make it work.

Philadelphia truly lived up to its "City of Brotherly Love" reputation. The warmth of both the city and the Ruby community created a memorable experience that I'll carry forward as our community continues to evolve and adapt to new challenges and opportunities.

Here's to the next chapter of Rails conferences, and to the community that will keep Rails thriving for years to come.

If you enjoyed this post, you might also like my RubyKaigi 2025 experience or check out my work on Karafka.

Copyright © 2025 Closer to Code

Theme by Anders NorenUp ↑