First - I want to apologize, genuinely, to people who have felt fear, confusion, outrage, and any of the other hundreds of possible emotions a person might feel after reading some of what others have shared. I often go out of my way to avoid making people feel bad, and so to be part of what's caused so much chaos lately has really been awful.
People are asking for some kind of statement from the Ruby Central board, but this is a small group of volunteers spread out all over the globe. We are software developers and makers and builders first. We don't have some big PR machine or communications team. It's just us. And we're suddenly overwhelmed by feedback from our community that we aren't equipped to quickly respond to.
For those who don't know me, I'm a Ruby Central Board Member, and also currently the Treasurer. What that means is a few hours a week, and a few days a month, I spend my time reviewing bank statements, spreadsheets, financial statements, projections, etc. It is really boring stuff. So why do I do it?
I love Ruby. Not just the language, I love the community. I love the people who use Ruby, the companies that make it a part of their stack. I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.
I owe Ruby a huge debt. When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.
20 years later, and here I am, a reasonably successful person who's built a career out of building software. And I owe a ton of that to Ruby. Volunteering my time on the Ruby Central Board, doing boring work, is one way that I can give back a tiny amount of what was given to me.
I can't speak for the board or the Ruby Central staff. But I know them and they are like me. They do this because they love Ruby and our community. I'm certain of that. Everything I'm sharing is from the perspective of a Treasurer who is responsible for the fiscal well being of the organization, and so there may be some information that I don't have.
So what really happened? From my perspective it's far more boring (or should have been) than anyone is making it out to be. Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn't a new development, and I'm honestly very confused about the confusion.
What isn't confusing is that supply chains are under attack. We can see this in recent attacks on RubyGems and also in major attacks on other ecosystems that have made global news. Companies that depend on Ruby count on Ruby Central to ensure they are not at risk. Some of those companies are sponsors of Ruby Central and some are not, but all have a legitimate need to know that they can tell their users that the software they are using is safe.
Over the last several months, safety concerns have started to come to light more frequently. As companies big and small have paid the price for supply chain attacks that were preventable, those companies have started to look at other parts of their supply chain, including RubyGems and Bundler. Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
It's not a new story that Ruby Central has been working on (or trying to at least) improve the governance model for Bundler and RubyGems. These tools both go way back to a time long before Ruby Central was responsible for them. Some people who had commit access going back a long time, retained that commit access long after they needed it. It was always a little bit of a concern but not a major one.
To me, the proposed solution seemed like common sense. Let's get some kind of committer agreement in place with those folks who need access (the same way many other high profile open source projects have), and remove access from those who don't, while still being fully open to accepting PRs and being open to re-welcoming them as committers if they decide that is how they want to spend their time in the future.
Here's the challenge. How do you tell someone that has had commit and admin access to critical infrastructure long after that need has expired that you need to revoke that access without upsetting them? And what if other people who do still need that access claim things like "If you remove their access, I'll just add it back" or "If you remove their access, I'll quit". These are emotional conversations. I wasn't a part of them and can't actually speak to the content of the conversations or how they were handled.
But this is the kind of information the board had to work with.
If Ruby Central made a critical mistake, it's here. Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors could have been made more apparent? Probably. But I remind you we don't have a "communications team", no real PR mechanism, we are all just engineers who (like many of you I'm sure) go heads down on a problem until it's solved.
A deadline (which as far as I understand, we agreed to) loomed. Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going. With less than 24 hours to go, we were still working on this. Conversations with some maintainers were still happening as far as I know but the cooperation we were hoping for was not emerging. Probably because of a mix of egos on both sides, but like I said, I wasn't a part of those conversations so I can only speculate.
It was clear that we weren't quite ready yet, but in the end we were out of time. A vote had to be cast so we could ensure we did not lose funding necessary to operate RubyGems. What I voted for, was to direct Marty, Ruby Central's Director of Open Source, to temporarily remove access and lock down the systems, get operator agreements in place with maintainers, and then re-enable access to those folks who needed and wanted it. Marty did exactly what the board asked of him.
It wasn't a vote that felt political. And certainly didn't feel unreasonable. If I had voted the other way, I felt I'd be voting to start the process of shutting down Ruby Central, which doesn't seem like a genuine option. I feel terrible that as a result so many people have been scared or worried or hurt in some way. I do think it was the only vote I could make at that time. And so I stand by it. Does that mean the internet mobs will come for me? I really genuinely hope not. I love this community and I love Ruby.
You’ll probably bump into me at a conference soon. When you do, I hope we can share a coffee, or a beer, and our love for Ruby. Even if we don’t share anything else, I know we at least have that.
MINASWAN