So, ignoring everything that got us here, what do people think about this?
As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
It's bittersweet.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Trustworthiness is far more important for a package manager. No amount of storage or bandwidth can compensate for an untrustworthy package manager.
With this is in place. A ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a form. However, they could have chosen a better domain name.
Read https://en.wikipedia.org/wiki/.coop
Think about all of the organisational structures you know of.
Then ask yourself how is a cooperative fundamentally untrustworthy?
My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there's plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
Using .coop is actually a costly signal that you are, in fact and in law, a cooperative; and intend to stay one; since non-cooperatives are not allowed to occupy those domains. Dot Org, while it's used by a lot of well known organisations, is an open domain that anyone can register in.
Of course, it's also true that many people won't have the spare time to find that out.
I saw someone else saying something about the domain name, but I didn't really give it a second thought when I read it.
Can you explain what the issue is?
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
I view ".coop" quite highly given it is restricted to actual, legally recognized, cooperatives. Its definitionally more meaningful and "trustworthy" than .com or .org
What? Which part of the word "co-op" sounds like a "childish revenge attempt"?
https://en.wikipedia.org/wiki/Cooperative
It's a word that nicely captures their objectives.
Maybe they read it like “coup”?
Coop as in co-op, as in “co-operative”.
> It's more like a childish revenge attempt.
Gaslight much? "coop" implies intention and direction...you know, that thing that rubygems.org could have used?
Isn't that how golang works?
I remember some complaints about the traffic that it produced[0] (though I don't think it's a bad idea. Basically federated downloads).
Combining this with something like tangled.sh/bluesky's AT protocol or what forejo is working on in their activitypub federation integration can actually make it genuinely federated as well
Or maybe radicle as well if someone is okay with swapping in a custom software but the hiccups can be too much imo so tangled.sh is the most interesting thing to me right now
What is stopping something like gem.coop to exist with the at protocol/tangled.sh??
re: funding model, looks like it's TBD[0]
The main page itself provides little to no info so I’m going to make a few assumptions that, to me, seem logical:
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
True, but this is a new beginning.Give time and credit to build an alternative. I think another repo server will not harm anyone in the long run
I personally cannot think of a new ruby gems or bundler feature from the past decade that I noticed or cared about. That isn't to say that there aren't any; I just don't know what they are.
There have been several releases with incremental but still notable performance improvements. The overall cadence has been pretty steady, intentionally targeting roughly one minor release per year since 2019-ish, with handfuls of quality of life improvements in each. Arguably RubyGems and Bundler are infrastructure, so the major feature is stability. What sort of big feature are you imagining is missing from your dependency management system?
That's basically my point. I'm not missing anything, so I'm happy if it just gets small / stability fixes, which doesn't seem like it needs a six member maintainer group. That team should go off and do a great job with 'rv' or whatever the next brand new idea is, and just let rubygems sit there with minor updates, same as we do for the ruby logger or date class.
André is working on a combination of rbenv/asdf, bundler, and gem that I think is interesting. Not that they're wildly broken, but I'd rather have fewer tools and it always seemed a bit odd that they're separate when they're notionally managing the environment in which your ruby code executes.
Given the rise in supply chain attacks, I'd also like a private rubygem instance where I can whitelist gems and even versions for my company in a way that doesn't let anything else install. I'm not sure if they're taking that on or not, but I'd like it.
the rv thesis is here: https://andre.arko.net/2025/08/25/rv-a-new-kind-of-ruby-mana...
> I'd also like a private rubygem instance
that was always possible https://guides.rubygems.org/run-your-own-gem-server/
(there's also "gem server")
I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
[0] https://www.bleepingcomputer.com/news/security/60-malicious-...
[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....
Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.
Lockfile checksums are quite new and useful.
They made bundler output compact, previously it spammed all installed versions and updates mixed, now you can see just updates if you do those for example.. or quite concise "all OK" if everything is as it should be. Small but really nice quality of life change imo
I think right off the bat since they chose .coop as their TLD, a lot of corporate firewalls auto-block them and they have immediately decided to fight an uphill battle to get allow-listed to be a gem repo.
This does not bode well for the team having the socio-technical savviness to see this project through.
Don't think it will be the TLD specifically. Most corporate firewalls block domains under a certain age, so it will just be a matter of time.
Really? Maybe I'm naive, but why would .coop be blocked?
It is pretty common that "weird" tlds get blocked more or less whole sale in places you might not expect.
The reason is spam. Before these can get wide spread "normal" adoption they can be heavily used by spammers. Its hard to say if that is because they have desirable look-a-likes available, or if its because the first year is offered at a deep discount. So, systems will get flooded, and on inspection they will see that they don't have any legit traffic from those tlds and will whole sale block them.
.xyz is kind of infamous for being in this situation. https://news.ycombinator.com/item?id=28554400
I have no idea if that applies to .coop though.
How will anything ever change we're still guilted into thinking about crappy default corporate firewalls when choosing a TLD?
Though there's no way that this is something you care about, cmon.
Most places seem to manage.
But thinking that they can disregard all prior Internet history and just slam into the situation with no concern about what came before is pretty on-brand for a project in the Ruby ecosystem.
Ah yes, "slam in" to a situation is definitely the correct terminology for forking a project that was seized from you by a hostile party.
I mean regarding the choice of TLD. Forking the package repository ecosystem I fully understand the incentives; it just strikes me as a very Ruby-ecosystem thing to just assume that `.coop` is a good enough TLD with no consequences for using it relative to choosing to use .org, .com, or .net.
seems like an easy fix in a month with a new TLD though.
I don't plan on switching to a rubygems fork that does not offer technical/security benefits over the original.
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
Which part of a project that kicked out its original maintainers still feels "original" to you? At this point, rubygems.org is the fork.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Excellent point, I can't help but feel gem.coop is essentially Ruby Together 2.0 which reinforces my opinion that the merger of RT with RC was a huge mistake. (It certainly made sense at the time…hindsight is always 20/20…etc.…but still.)
For me, having the software be maintained (and have a security engineer working on it) feels like a security benefit.
Does the original have many maintainers left?
It has allegedly been taken over by Shopify. I expect it to be very well maintained. The issues are of ethical character.
Well maintained? Rubygems has had no commits in the last 10 days and that's not a good sign. I don't think you can find a window with no commits for 10 days in its 15+ year history.
History has shown over and over that when a for-profit org takes over public infrastructure, maintenance is cut to the bone.
> Rubygems has had no commits in the last 10 days and that's not a good sign.
I honestly can't tell if this is satire.
You think no commits for 10 days for a piece of software that has existed for around 20 years is a sign that it's dead?
What kind of code churn do you think this project requires? Perhaps the old development was too unstable if there wasn't a single 10 day window without a commit in 15 years, for what is essentially a solved problem and a tool that people depend on to be stable.
I expect a lot of people will stop pushing gem updates to `rubygems.org` once `gem.coop` supports publishing directly to namespaces.
They had a minor security incident right off the bat, demonstrating they don’t even fully understand what they stole. They aren’t equipped to do the job.
I'm starkly opposed to this ridiculous fragmenting of the community. They can and should all go work out contribution agreements with RubyCentral and get over their egos.
What makes you think they _haven't_ tried to work things out with Ruby Central? As per a separate article[1], this seems to be a last resort:
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
[1]: https://socket.dev/blog/gem-cooperative-emerges-as-a-communi...
I suspect many of these maintainers are making absurd ultimatums of RubyCentral.
That's a strange suspicion. Why?
Because many mass-resigned unless Andre was re-instated.
I think many mass resigned when their commit access was taken away from their own project by a company that doesn't have a right to do that.
Some people might consider that a dick move.
Given some of the ways Andre Arko gets described (See https://justin.searls.co/posts/why-im-not-rushing-to-take-si... for a recent overview) I'm a little wary of what the motivation behind this is.
This reads like a hit piece based on a personal vendetta. I'd be careful how much weight to give this.
> When Ruby Together first launched in 2015, the website suggested donations went to pay "our team" (...) This resulted in a nonzero number of donors believing they were funding the work of people like Steve Klabnik, Aaron Patterson, and Sarah Mei, when in fact only Andre was being paid at the time.
This a fact. By this alone I don't think Andre Arko is an honest person.
Back in the day, nobody ever had said to me that they believed I was earning money from Ruby Together. This whole thing was speculation at best. And regardless, once it was suggested that this may be a possibility, it was immediately changed to be unambiguous.
André is absolutely a standup individual.
I have tried to stay in good terms with the other people involved in this (except DHH), but this claim was always ridiculous.
This absolutely happened and is not speculation. I can't find the emails from the individuals that emailed me, but I did find my email to the board of directors asking that the website language be changed because people had pinged me thinking I would be getting money, or that the money would go to fund rubygems.org.
At the time I'd sent the email I was unaware Ruby Together was on HN front page (and that's why people were pinging me)
Okay, if you got emails, you got emails, but I did not.
I absolutely wouldn't want people to think that I'd be getting the money, so I think clarifying it was a good thing, regardless.
I was misremembering it. Now that I've checked, it's clear that the claim was that the money was for paying "the team" [1], which consisted of André Arko and David Radcliffe [2]
[1] https://web.archive.org/web/20150919025358/https://rubytoget...
[2] https://web.archive.org/web/20150919025603/https://rubytoget...
It's all good, you were quoting the blog post.
Frankly that page is even more clear than I remembered. All of this happened so long ago.
I just want to know how much was David Radcliffe getting paid for his time?
TBH the whole thing is pretty opaque. There are a lot of accusations floating around. It's pretty easily to capitalize on "Big evil shopify is making a takeover", but I suspect there's a lot more happening behind the scenes.
To take the maximally negative view of things:
- uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
- that's a nice moat!
- Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
- Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
- After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit. Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
- I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people. This is just as bad to me as the Ruby Central situation right now.The Ruby ecosystem is already decentralised in that there is no single source of truth for published gems. You can pull the source from any software forge that uses git, you can point to any self hosted gem server or use something like Artifactory or GitHub package registry. You can vendor the code if you want.
This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
By "Astral" do you mean "Spinel"? Also, what paid services? So far the only paid services they've mentioned is retainer services that essentially amount to priority customer support. The tools themselves are only ever described as free
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
What is Spinel? Astral is the developer of uv, and they have announced their hosted platform service, pyx [0]. It appears it will be FOSS as well, but they'll have a hosted version of it.
My mistake, I completely misread your comment and thought you were _only_ talking about `rv` as opposed to both `uv` and `rv`!
spinel is the company spun up around rv, ruby's uv version.
"If it's free, you're the product"
It’s amazing to see the open source community step up like this. Kudos and gratitude to everyone that made this happen!
yeah, but still, the maintainers need to be paid for their time and expertise. not to mention, although bandwidth and storage is cheap, somebody still have to foot the bill. i suggest people donate to this project.
Just a thought of mine: why don’t we switch fully to git? Commit signing, tag signing, Decentralize. Doesn’t that sound like a good alternativ?
The git protocol is more complex and harder to scale. It's especially wasteful if people are going to redownload all packages every time their amnesiac CI runs.
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
Going crazy: we cold also adopt the container registry api for distributing gems, similar to how helm charts are also distributed nower days.
git bundles exist to solve the single-file caching and distribution problems
Someone has to run the git server. Then, someone has to find the git server to pull each gem from, since not every git server is likely to be up-to-date with the each gem, or the correct version. Since these are all decentralized, each individual owner of a git server has to independently scale as more people start using each one.
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
So GitHub would be one option. Developers already discover all kind of things there. And each gem can still be provided by its “main repository”, but I don’t mind on whatever domain that repository is located. Somewhat how container images are referenced/distributed already. I think go already does it like that too.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
Well, rubygems (the software) can pull from any git repository. So we kind of have it already anyway.
Exactly. Go already adopts that.
You've seen golang's package... situation?... and you still think switching to Git is a good idea?
What "situation"?
Let's review for example Traefik's dependency list: https://github.com/traefik/traefik/blob/master/go.mod
1. Heavy dependency on Github. AKA Microsoft owns much of the golang ecosystem. Not just the source... The package distribution as well!
2. Many packages are referencing a git (short!) commit hash instead of a version. It still boggles my mind that this is an acceptable practice. Not to mention that git tags can be deleted and recreated... A pinnacle of secure package distribution practices.
3. Stuff like ambiguous imports because apparently nothing enforces proper go.mod files? They are not packages to be compiled after all, they're just repos with some conventional structure (optional)...
Mind you, this is popular production-grade software...
I think this is much worse than even node packages, let alone bundler and rubygems...
Here's the thing. They could have put up link to a git repository where others can follow along with the maintenance of this project, but here isn't one. There is a list of maintainers explicitly mentioned on this page but no link to the git repository. This leads me to think this project is not about the code but about the people.
It's a package repository. A link to an Ansible repository or whatever doesn't need to be in the first announcement.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
https://web.archive.org/web/20251003112525/https://rubygems....
I think the issue that you overlook is that you assume this group of individuals is trustworthy.
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
Source lives here: https://github.com/gem-coop
The only public repo is a static website.
Ah! Good catch. I saw the repo exists but didn't dig into the contents, given that it's (as far as I know) purely a proxy for rubygems at the moment, I figured it would be pretty simple.
I agree they should post the whole source, regardless.
If we isolate this from the recent controversy: in general, is an alternative (yet mostly compatible) package source, package manager, and/or language version manager neutral, good, or bad for an open source ecosystem?
Mostly good. Monopolies stagnate. Competition helps drive innovation.
In open source too.
I understand forking is sometimes needed, but it's also somewhat discouraging to see that the differences couldn't be reconciled.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
I feel like a change to the way gems are distributed/downloaded could fix this. Unfortunately, the very powers that could make that happen are the powers that control the software and infrastructure, and have the least incentive to improve things.
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
As a former Ruby dev, it makes me sad.
Great move to counter the hostile takeover of the RubyGems GitHub repo (not the rubygems.org repo) and organization by Ruby Central.
I hope they find financing to cover hosting costs.
I believe the hosting is already covered.
Is there anything more you can share about that? I guess I should just sign up to the newsletter and wait and find out...
A brief announcement post: https://andre.arko.net/2025/10/05/announcing-gem-coop/
Why?
Is this not an overreaction to the rubygems rubycentral fiasco?
No.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
> initially his own, but eventually others—by paying themselves a market hourly rate
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
hard disagree. For a project like this, all members should be paid a fair, but not "get rich" sum. There are companies out there that pay EVERYONE the same salary, all the way from CEO to janitor. Mysteriously, those companies don't have folks trying to hijack things, because nobody benefits.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
"Market rate" is not neutral. It is a wage‑fixing device that standardises labour pay while letting profits float to shareholders. Treating it as holy writ is how extraction is hidden in plain sight.
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
I'm really pleased to see this happening, but sad that it has come to this.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
If who you vote for will put me into a torture camp (or otherwise devalues my life or personhood), then I can't work with you, so no it is not irrelevant.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
"will put me into a torture camp" for sure, but "devalues my life or personhood" is pretty vague. So, for example, if I value guns and consider them necessary for my well being and personal safety, should I refuse to work with anyone who votes for increased gun control? This sounds like a recipe for very fragmented, unstable society.
If gun owners are being denied health care or being told who they can marry ("it's illegal to marry a fellow gun owner"), then yes, they'll probably want to avoid anyone wretched enough to advocate that.
Short of that, it's NBD right? Not really comparable.
It's absolutely comparable. They both involve limiting rights and freedoms.
> being told who they can marry
I consider this somewhat unfortunate example, since we, as a society, are putting limits on this very thing. For example age, or species. How is that supposed to work if people are not allow to debate and express their opinions on where those limits are supposed to be?
Similar with the health care. What is covered and what is not, and who has to pay and who has it (almost) free, should very much be up for a debate. Otherwise, how do you improve anything?
Agreed. Your example could sound like exaggerated, but silence is a form of opinion, of vote, of approval. Even in a professional context, because work is part of the society we live in.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
> but silence is a form of opinion, of vote, of approval.
I disagree. We don't have to have an opinion on everything. And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval. It's getting very close to "those who are not with us are against us". And that's a worldview I have very little time for.
> that's a worldview I have very little time for
Only people who already live in a position of privilege get to have "little time" and settle for worldviews which advocate for a sort of bland tolerance of extremism. I can assure you, for people who are being actively harmed by hateful rhetoric and political policies, "those who are not with us are against us" is absolutely a reality.
Extremism is in the eye of the beholder. Trying to kick a founder out of a hugely successful project because he thinks there has been too much immigration to London is also an extremist view.
Yes, I agree with you. Silence, when you do not have an opinion, is totally fine. And yes, not having an opinion on everything is absolutely fine, probably sane even.
I was answering a comment about a vote that would put you in a torture camp, so a vote on which you are certainly opinionated about.
In other words, don't self-censor when you think something is not right.
I'll put it like this.
Close by where I live is a monument for civilians who were taken from their houses and shot by the German occupiers during the last months of WWII. Simply because they were suspected of having distributed pamphlets. There wasn't even evidence to that claim, and retribution was a thing.
I passed that monument countless of times during my youth, giving me pause to contemplate.
It's a tangible reminder of what ultimately happens when people stay silent about something as final and poignant as one group denying the existence of another group for whatever reasons.
I have no problem with expressing differences over world views. I take issue when that world view entails denying the other side's existence because of differences, and a fervent intent to act on that notion.
It's a matter of boundaries, and speaking up.
> And what worries me is those (both on the left and on the right) who think that silence is a form of opinion or approval.
Definitely definitely. When a racist paramilitary is disappearing my neighbors my primary concern is whether people will consider me complicit for publicly stating that I have no duty to interfere.
You don't have to have an opinion on everything but you do have to have an opinion on some things. Or I mean, obviously you don't, but then you have to accept the social consequences of cowardice.
Silence can also indicate disapproval.
> but silence is a form of opinion, of vote, of approval.
No it’s not. Indifference is not approval.
Open source is global and someone in a university in Argentina contributing some features does not “approve” of anything because she didn’t participate in some bickering about US identity politics.
This is a lot more than just US identity politics, as shown by the fully idiotic take on London he did.
Indifference is acceptance of the status quo, though, yeah? Whether that be on a conscious level of active avoidance or on a subconscious level of never mentally aligning it as a priority to build further understanding to form a thought-out opinion.
There actually is a binary view on your stance against things when you see unfettered hate spread by others and choose (at some level) to not have an opinion. We've seen it before, we see it now, we'll see it again. Not everyone has the same privilege as you to remain head under sand until there's no commotion left to dodge.
I think the salient meta-concept here is "Open source development is an inherently collaborative enterprise, and if people cannot collaborate, it stifles creation of open source projects and software."
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
Please stop with this type of ridiculous hyperbole.
People would be less inclined to say ridiculous things like this if they didn't keep happening.
I've been in the "keep work and politics" separate camp most of my life. However, with the lines that have been crossed recently, where literal democracy and freedom are at stake, I don't think people have the luxury of keeping work and politics separate any longer. Fascism is bad and people cannot be silent.
If you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless.
If you say something like “if you invoke the word "fascism" in the context of today's politics, your opinion is immediately worthless”, your opinion is immediately worthless.
Not everyone involved in open source has a boss. I don't care what a boss would hypothetically do to me, so that's not helpful guidance.
Completely agreed. Sorry, other folks, but you have no right to gatekeep my speech in any way in a professional context. Are you a family member? Then sure, we can have a discussion. Am I a member of your private club or otherwise dependent on your approval of my thoughts or beliefs? Then let's talk. Otherwise, leave me alone. You (the collective you) don't get to decide what I am and am not allowed to think and believe.
Nobody is constraining your beliefs or expressions of them. People are exercising their own individual right not to associate with people who express certain beliefs.
Ah. So just good old fashioned bigotry.
Generally, bigotry is bias based on immutable traits. Beliefs are not immutable.
Is this political or does it have actual technical merit?
The best "technical" benefit from this is that if one goes down, you could switch to the other in a pinch, so arguably better than the status quo even if you disagree with the organizational/"political" motives.
Important move to maintain a free community. I'm switching over to Gem.coop now.
I hope they tackle the actual main issue with Rubygems -- lack of any sort of code signing... (I know the functionality exists, but it's not required to publish in Rubygems, and off by default on gem install. In other words it's as if it doesn't exist)
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
It has code signing. It's just optional, inconvenient, and so unused because of Tragedy of the Commons and complacency. https://guides.rubygems.org/security/
https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...
As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.
What does “fash problem” mean?
There's some weird opinions coming from mostly DHH. My personal take is that they're blatantly racist, but everyone can have their own
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
Cannot speak for the US, but in Europe immigration is connected to crime increase in general. The Ukraine refugees are one of few statistical exceptions.
Have you got any references for this claim?
Well, https://link.springer.com/article/10.1007/s10611-024-10144-y seems to claim there is a link for sexual crimes. This paper suggests that there is some delayed effect https://www.sciencedirect.com/science/article/pii/S092753712....
I think a lot of people are forgetting or at least choose to ignore that DHH is Danish (and specifically a Danish expat) and is probably more inclined to have controversial views on immigration from majority Islamic countries. That's not to give his statements a pass, but to give them some needed context.
And no, I'm not saying that Danes are racist.
I think a lot of people don't know why being Danish is relevant. Is there some reason why controversial views on immigration might be less suprising coming from a Dane?
Denmark is the rare case of a European nation where its center-left listened to feedback from the electorate early on and earnestly adopted policies restricting immigration and refugee admission. As a result they had no populist backlash, and that policy position is uncontroversial to hold publicly.
He doubled down on his opinion by sharing a sequence of posts from a X account that denounces "woke activism" in the software industry and open source projects. He criticised the political activism in open source projects, then, ironically, suggested Palmer Luckey should step in to steward NixOs.
Ironic that DHH is politically active enough that it affects his day to day activities and public perception of his company - kind of the exact opposite of his own policy he expects his employees to abide by.
He posts about it on his personal blog, not on his company Slack.
Is world.hey.com/dhh a personal blog? It's literally on his company's domain... At least in the company slack your fash opinions would reach just your poor colleagues...
That's the part where the term "fascist" is misused to smear somebody they disagree with. It can be safely ignored.
If you know you know.
So RubyGems has betrayed its community by ousting its maintainers. When a community-focused alternative created by the original maintainers is announced, it gets flagged on HN. What is wrong with people?
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
I could be wrong but it may be that some have an additional agenda to try to make e. g. competition to Ruby Central fail. You can see this on ruby-reddit, e. g. by u/f9ae8221b - either way I think the by far best strategy for gem.coop is to address all concerns and statements made, including the wrong ones. Simply be better than rubygems.org - everywhere. (Also, u/f9ae8221b is super-impatient; why can't he wait for a while? Rome was not built in a day, it is strange how he thinks to know the future. I don't know the future - let's wait and see. In the worst case gem.coop will fail; in the best case it'll fix numerous issues, including, by the way, gem/bundler not having had the same functionality. And namespacing too; and inactive accounts, and so on, and so forth. There is a ton of things to do.)
Flagging is definitely getting abused more on HN lately. The consensus seems to be that politics and/or morals are irrelevant outside of personal affairs so we must not have these conversations here.
Which is absurd because the hostile takeover of RubyGems primarily involves technology, with serious implications for the security and trust of nearly all Ruby code. Those flagging this submission are the ones prioritizing politics over this critical issue.
Politically-charged ultimatums _caused_ the hostile takeover of RubyGems. This whole thing is politics all the way down.
Someone withdrawing funding from Ruby Central doesn't necessitate a hostile takeover of RubyGems. The responsibility lies squarely on people doing the takeover. Needless to say, you haven't shown me any convincing arguments for suppressing the announcement of gem.coop.
Why is this flagged? This is super relevant to HN!
I wrote this comment with what I understand to be the relevant context: https://news.ycombinator.com/item?id=45490531
+1.
Brigading
Why has this been flagged?
Remove flags 2025, all the best stuff is in https://news.ycombinator.com/active. I don't even use Ruby right now, have no dog in whatever drama is behind this, but I don't see what's so offensive about knowing Gem.coop is now a thing.
Just some background: there is a controversy in the Ruby community[0][2] around the governance of the rubygems project. It has been maintained for a long time by employees of Ruby Central but not in a corporate capacity. There was a recent hostile takeover of this project by the Ruby Central corporate arm.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...
1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
Er...FYI, your [2] link is to a discussion about an article written by the person to whom you are responding.
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
That's fair enough, I didn't actually notice. Regardless, I was offering the information for other readers, which may or may not include the person I'm replying to.
Edit:
> flagging the parts of the discussion that seem to go nowhere
This is and isn't what actually happens, though. People do flag the parts of the discussion that don't go anywhere but then people also flag the post itself because they think there's no reason to discuss it at all for the fact there's a vocal part (minority or majority doesn't really matter) that wants to discuss a topic that's not going anywhere.
People shouldn't flag the post itself just because it's likely to gather or even has gathered a crowd that will discuss such directionless topics when there are better topics to discuss, even (especially?) if they're not currently being discussed.
Is there any context on why? Is there some controversy regarding RubyGems.org I'm not aware of?
This article was the most nuanced I found while everything was still hot. https://archive.ph/SEzoV
In short, a hostile takeover forced by Shopify through Ruby Central.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
Might be worth noting the figure in question is the creator of Ruby on Rails.
He deserves a few more titles now. Like prolific xenophobia[1] and sexism[2] proponent, and generally a person that has no connection with the real world[3].
[1] https://web.archive.org/web/20250920061923/https://world.hey...
[2] https://web.archive.org/web/20250920061926/https://world.hey...
[3] https://web.archive.org/web/20250918051013/https://world.hey...
> a hostile takeover forced by Shopify through Ruby Central.
That's entirely unsubstantiated.
I heard it directly from people directly involved.
So it is unsubstantiated.
This is a little glib, you dropped "Entirely" because you know multiple first hand accounts are actually worth something. If you want to argue the credibility of those accounts, then please be specific about it.
I dropped the entirely because I am on mobile.
We don’t have multiple first hand accounts. All we have is second hand account being relayed by someone with a massive axe to grind against Shopify.
There are a lot of truly committed Rubyists at Shopify, particularly the one handling the relationship with Ruby Central.
The idea that Shopify had done what Joel aledges without a single one of the involved parties on the Shopify side blowing the whistle is preposterous.
So you critisize Joel because he worked at Shopify. He pointed that out when he wrote the article.
Let's add here that YOU also worked at Shopify, until recently.
IF we are going to be critical, then let's be complete here.
I actually think there is a lot of validity to the statement made that Shopify is NOT a neutral party here. We can dispute how much Shopify was involved, but to assume "all is unsubstantiated" while not even disclosing one's own work at Shopify, feels super-strange here.
> He pointed that out when he wrote the article.
Did he point out how it ended, and how he spent the better part of two years having public tantrums about it on Twitter?
Disclosing that you worked somewhere isn't relevant. Worse, it can easily give the impression that there is some insider knowledge involved.
What is relevant is how the relationship ended.
> Let's add here that YOU also worked at Shopify, until recently.
Yes, and I left over some major disagreements, hence if I have a bias, it would be against Shopify, not in favor.
> It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
Agreed. There is a lot of conflation of statements that are not directly connected.
The whole DHH argument, for instance, as well as some people having a vendetta about him, is not, or not directly, related to the hostile take-over of rubygems.org. There is a slight partial overlap, but it is a separate discussion (even if DHH was involved with the take-over via Shopify because he does not like Arko or Shopify wanting more power-control to bully the independent developers at rubygems.org with more corporate rules and restrictions; and, by the way, DHH never mentions Arko's name, but even this is a separate discussion still. For instance I specifically do not care about rails nor DHH really, but the hostile take-over was a complete no-go. Ruby Central really pissed off too many people here and unfortunately there are still many open questions that ruby-core has to think about. I am not necessarily saying all came with malicious intent, because I think there is an english language barrier too in regards to Hiroshi Shibata, but even then it may be better to have someone with better knowledge about the english language in charge of gems; there seems to be some strange disconnect or translation going on between english, into japanese and japanese culture, and it is super-confusing.)
As I understood it, to secure (their words) the supply chain, they took ownership of the code and repo (which others disputed as being owned by them) and kicked out users from Github.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
How is rv threatening rubygems? I am pretty excited about rv on first glance, I tried it and it was too beta when I did to work nicely, but definitely good to have a uv type tool for ruby.
"Yes, I agree. And some of the “admins” even announced publicly many days ago they were launching a competitor tool and were funding raising for it. I’d not trust the system to such “admin”."
https://bsky.app/profile/rmfranca.bsky.social/post/3lz7alpob...
"Spinel develops rv, the next-generation Ruby version manager"
This doesn't explain how rv is threatening rubygems in any way.
They were using the name "rubygems" to fund-raise for not-"rubygems."
But how is this a conflict? Both are not-for-profit projects with the same goal? How can one even use the term 'competition' in this context? What if the Ruby community embraces a new and better package manager? This is, again, a net win for the Ruby community, and both projects strive for that?
It doesn't really matter if it's a non-profit. How do you think your company would react if you started raising money using their name?
Is Rubygems a company? My mind cannot comprehend why are people conflating not-for-profit open-source projects with for-profit companies...
If Rubygems was a company, they'd have a trademark, they'd have patents, they'd have lawyers to protect the money they were making from their brand and product. But we are speaking about not-for-profit open-source projects, not for for-profit corporations!
flagged??
Based on the comments getting downvoted, it feels like some brigading going on.
Flagging this post is quite disturbing.
There is a conversation around this which needs to be had. Maybe on bsky or x?
FYI, this is Ruby Central's response: https://rubycentral.org/news/our-stewardship-where-we-are-wh...
This cannot be a response, as it was posted days before this was released.
The response you link to was published on September 30, 2025, so it's not the response to gem.coop? I'd say gem.coop is the response to Ruby Central's actions?