This document is an extension to my original statement.
It explains why I’m leaving Ruby Central and what has happened in recent weeks.
Before diving into recent events, it’s useful to clarify how I’ll use certain terms in this post.
These definitions are not official Ruby Central terminology, but they reflect the way many of us in the Ruby open source community think about roles and responsibilities.
A maintainer is primarily responsible for the codebase and its surrounding community.
They:
- Review and triage issues and pull requests
- Develop new features and fix bugs
- Stay in touch with the user and contributor community
- Hold write access to the repository
Maintainers act as stewards of the project’s direction and quality.
An operator is responsible for running the service.
In the case of RubyGems.org, this means:
- Deploying and maintaining the production infrastructure
- Managing servers, cloud services, and monitoring systems
- Handling incidents and being part of the on-call rotation
Operators do not necessarily need write access to the codebase. Their role is about keeping the service online and stable.
- Repository: github.com/rubygems/rubygems
- Scope: The package manager itself (the
gemcommand, library, and APIs) - Team: Has its own maintainers focused on development and maintenance of RubyGems.
- Repository: github.com/rubygems/rubygems (same repo as RubyGems)
- Scope: The dependency manager that integrates with RubyGems
- Team: Has its own maintainers, often overlapping with RubyGems maintainers, but with a distinct focus.
RubyGems.org can be thought of in two layers:
-
Code
- Repository: github.com/rubygems/rubygems.org
- Scope: The web application that powers the RubyGems.org service
- Team: Maintainers who review code changes, fix issues, and evolve the platform.
-
Service
- Deployment: Hosted on AWS
- Scope: The live, publicly accessible gem hosting service
- Team: Operators who maintain infrastructure, manage deployments, monitor uptime, and handle incidents.
By separating maintainers (who focus on the code) from operators (who focus on the running service), and distinguishing between RubyGems, Bundler, and RubyGems.org, we get a clearer picture of who is responsible for what.
With the terminology in mind, it’s important to understand how Ruby Central fits into the picture.
Each project — RubyGems, Bundler, and RubyGems.org (code) — has its own maintainers. These are community members with write access to their respective repositories, who decide on technical direction and keep the codebases healthy.
At the same time, the RubyGems.org service is operated by Ruby Central. This means Ruby Central is responsible for:
- Managing deployments and the on-call rotation
- Ensuring the service is stable and available for the entire Ruby community
- Securing the RubyGems.org service, which includes protecting credentials, preventing supply-chain attacks, and handling sensitive operational concerns
Historically, there has been significant overlap between code maintainers and service operators.
The same people often:
- Wrote and reviewed code
- Deployed the RubyGems.org application
- Responded to production incidents
This overlap made sense: it kept the setup simple, minimized communication overhead, and allowed the people who understood the code to also run it in production.
Over the years, Ruby Central has often sponsored maintainers across these projects:
- Providing support to work on RubyGems and Bundler features
- Supporting contributors who help maintain RubyGems.org (both code and service)
- Taking responsibility for securing the RubyGems.org service as a critical piece of Ruby’s infrastructure
In short:
- Maintainers guide and evolve the codebases
- Operators keep the service running
- Ruby Central provides institutional backing, often by sponsoring maintainers and taking responsibility for securing the RubyGems.org service.
I have been contributing to RubyGems since 2013.
Over the years, thanks to my continued activity and involvement, I gradually took on more responsibilities within the Ruby ecosystem:
- Became a maintainer of both RubyGems and Bundler
- Became a maintainer of RubyGems.org (code)
- Later took on the role of operator of the RubyGems.org service
- Finally joined the on-call rotation for production incidents
It took years of building trust to be invited into these honorable roles and to provide service back to the Ruby community.
More recently, I also began receiving partial (not covering all hours spent) compensation from Ruby Central for this work:
- On-call rotation coverage: 6 hours per day in the EU region
- (btw. non-stop, no matter it is weekend, public holiday or vacation time)
- Variable hours dedicated to maintaining and operating the service, which included:
- Triaging issues and engaging with the community
- Developing new features and reviewing code
- Improving deployments and infrastructure
- Handling sensitive operational tasks — such as zero-downtime database upgrades under full production load, which went multiple-times unnoticed by users (I plan to write more about this soon: pg-major-update)
For the entire time, I have remained independent of any company in my decisions and actions. Even while working full-time jobs elsewhere, I made sure my contributions reflected the voice of the community rather than the goals of any corporation. I have always tried to keep the projects as open and community-driven as possible.
This post will be no exception. I believe the Ruby community deserves full transparency about the recent steps taken by Ruby Central.
To provide clarity, here is a summary of the public announcements and statements around the recent events.
(all times listed below are approximate publication times in GMT+2, based on Reddit, announcements, and video uploads)
-
19 September 2025, ~12:30
A message from longtime RubyGems maintainer Ellen Dash (@duckinator) appeared on Reddit:
“Ruby Central’s Attack on RubyGems” — alleging that Ruby Central had unilaterally renamed the GitHub organization, added Ruby Central’s Director of Open Source as owner, and removed maintainers’ access, calling the actions a “hostile takeover.”
Ellen also announced her resignation from Ruby Central. -
19 September 2025, ~16:00
Ruby Central official announcement:
“Strengthening the Stewardship of RubyGems and Bundler” — describing new governance processes, formalizing operator agreements, and restricting administrative permissions on RubyGems.org to Ruby Central employees or contractors. It emphasized fiduciary responsibility, supply-chain security, and the intent to create a “healthier, community-centered governance model.” -
21 September 2025, ~20:30
Public message from a Ruby Central board member (Freedom Dumlao):
“A Board Member’s Perspective of the RubyGems Controversy” — an apology for confusion and distress caused, explaining the decision-making process from a board perspective. The post framed the changes as necessary for security and funding reasons, while acknowledging communication failures and the emotional impact on maintainers. -
23 September 2025, ~06:00
Ruby Central video statement:
An Update From Ruby Central — a video explanation from Ruby Central leadership, expanding on the governance changes and presenting controversial plans such as requiring contributor license agreements (CLAs).
These four communications — maintainers’ message, Ruby Central’s official announcement, a board member’s public statement, and Ruby Central’s update video — define the official narrative so far.
➡️ I strongly recommend reading and watching all of these in full before continuing back to the full explanation.