First - I want to apologize, genuinely, to people who have felt fear, confusion, outrage, and any of the other hundreds of possible emotions a person might feel after reading some of what others have shared. I often go out of my way to avoid making people feel bad, and so to be part of what's caused so much chaos lately has really been awful.
People are asking for some kind of statement from the Ruby Central board, but this is a small group of volunteers spread out all over the globe. We are software developers and makers and builders first. We don't have some big PR machine or communications team. It's just us. And we're suddenly overwhelmed by feedback from our community that we aren't equipped to quickly respond to.
For those who don't know me, I'm a Ruby Central Board Member, and also currently the Treasurer. What that means is a few hours a week, and a few days a month, I spend my time reviewing bank statements, spreadsheets, financial statements, projections, etc. It is really boring stuff. So why do I do it?
I love Ruby. Not just the language, I love the community. I love the people who use Ruby, the companies that make it a part of their stack. I love the people who give their time to Ruby and I love the people and companies who generously provide financial support for Ruby.
I owe Ruby a huge debt. When I first discovered Ruby, watching some crazy video where a blog was built in just a few minutes, I was just a young man working at a bank who would sometimes get paid to build software for other people on the side. Ruby opened my eyes to the idea that code could be a craft, a skill I could hone and develop. It also introduced me to the idea that code could be poetry... code could be art.
20 years later, and here I am, a reasonably successful person who's built a career out of building software. And I owe a ton of that to Ruby. Volunteering my time on the Ruby Central Board, doing boring work, is one way that I can give back a tiny amount of what was given to me.
I can't speak for the board or the Ruby Central staff. But I know them and they are like me. They do this because they love Ruby and our community. I'm certain of that. Everything I'm sharing is from the perspective of a Treasurer who is responsible for the fiscal well being of the organization, and so there may be some information that I don't have.
So what really happened? From my perspective it's far more boring (or should have been) than anyone is making it out to be. Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn't a new development, and I'm honestly very confused about the confusion.
What isn't confusing is that supply chains are under attack. We can see this in recent attacks on RubyGems and also in major attacks on other ecosystems that have made global news. Companies that depend on Ruby count on Ruby Central to ensure they are not at risk. Some of those companies are sponsors of Ruby Central and some are not, but all have a legitimate need to know that they can tell their users that the software they are using is safe.
Over the last several months, safety concerns have started to come to light more frequently. As companies big and small have paid the price for supply chain attacks that were preventable, those companies have started to look at other parts of their supply chain, including RubyGems and Bundler. Some of those companies specifically pay Ruby Central to ensure the security and stability of that part of the supply chain, but then discovered that people with no active affiliation or agreement in place had top level privileges to some of this critical infrastructure.
... continue reading