Shopify Forces Ruby Central to Seize Control of RubyGems and Bundler Projects

BigGo Community Team

Ruby Central has taken control of the RubyGems and Bundler open source projects in what maintainers and community members are calling a hostile takeover orchestrated by Shopify. The move has sent shockwaves through the Ruby programming community and raised serious questions about corporate influence over critical open source infrastructure.

The controversy began when Sidekiq, a popular Ruby background job processing library, withdrew its $250,000 USD annual sponsorship from Ruby Central. This decision came after Ruby Central announced that David Heinemeier Hansson (DHH), the creator of Ruby on Rails, would speak at RailsConf 2023. DHH has recently published controversial blog posts supporting far-right activists and making statements that many in the community view as racist and xenophobic.

Financial Pressure and Ultimatums

With Sidekiq's funding withdrawn, Ruby Central became almost entirely dependent on Shopify for financial support. According to multiple sources, Shopify then issued Ruby Central an ultimatum: take full control of the RubyGems GitHub repositories and remove certain maintainers, or lose all funding. The deadline was tight, giving Ruby Central less than 24 hours to comply.

The pressure was described by one Ruby Central board member as a choice between following Shopify's demands or voting to start the process of shutting down Ruby Central. Shopify specifically demanded that André Arko, a maintainer who had worked on RubyGems for over a decade, be excluded from the project.

Key Financial Details:

  • Sidekiq withdrew $250,000 USD annual sponsorship from Ruby Central
  • Ruby Central became almost entirely dependent on Shopify funding after withdrawal
  • Shopify gave Ruby Central a deadline of less than 24 hours to comply with its demands

The Takeover Execution

On September 9th, Hiroshi Shibata (HSBT), a Ruby core team member and RubyGems maintainer, transferred ownership of the RubyGems GitHub organization to Ruby Central and added Marty Haught as an owner. This action was taken without the consent of other maintainers, who had established procedures for adding new team members.

When confronted by other maintainers, HSBT initially refused to reverse the changes. Although some permissions were temporarily restored after maintainers objected, Marty Haught remained as an owner. On September 18th, the Ruby Central board voted to proceed with the full takeover, and maintainers were systematically removed from the GitHub organization and stripped of their gem ownership rights.

Timeline of Events:

  • July 2023: Ruby Central announces DHH will speak at RailsConf
  • September 9: HSBT transfers RubyGems GitHub organization ownership to Ruby Central
  • September 13: Some changes temporarily reverted but Marty Haught remains as owner
  • September 17: Meeting between maintainers and Ruby Central
  • September 18: Ruby Central board votes to proceed with full takeover
  • September 19: DHH breaks news of the situation publicly

Supply Chain Security Claims

Ruby Central justified their actions by citing supply chain security concerns, referencing recent attacks on package managers like npm. However, community members have pointed out a crucial distinction that Ruby Central appears to be deliberately obscuring. The RubyGems Service (the website rubygems.org that Ruby Central operates) is separate from the RubyGems source code repositories that the community maintains.

Ruby Central has the right to lock down the RubyGems Service infrastructure, but it never owned the RubyGems GitHub repositories.

The maintainers had no objection to Ruby Central securing access to the production service they operate. The controversy centers on Ruby Central seizing control of open source code repositories that they never owned, developed by volunteers over many years.

Competing Tool Concerns

Adding another layer to the conflict, some of the removed maintainers had recently announced a new Ruby management tool called rv through their cooperative called Spiral. Rafael França, a Shopify employee and Rails core team member, publicly expressed distrust of the maintainers, suggesting they might sabotage rubygems or bundler due to their competing project.

This reaction puzzles many in the community, as competition and innovation in package management tools are generally welcomed in other programming ecosystems like Python, where multiple tools coexist without drama.

Key Players:

  • Ruby Central: Non-profit organization operating RubyGems service
  • Shopify: Major corporate sponsor with DHH on board of directors
  • Sidekiq: One-person company that withdrew $250k annual funding
  • André Arko: RubyGems maintainer specifically targeted for removal
  • HSBT (Hiroshi Shibata): Ruby core member who executed initial ownership transfer
  • Marty Haught: Ruby Central Director added as GitHub organization owner

Community Response and Implications

The takeover has divided the Ruby community, with many longtime contributors expressing concern about the precedent this sets for corporate control over open source infrastructure. Some community members are calling for forks of the affected projects and alternative gem hosting services.

The controversy highlights the vulnerability of open source projects that depend on a small number of major corporate sponsors. When funding becomes concentrated in the hands of one or two companies, those organizations can effectively control the direction and governance of critical infrastructure projects.

The situation also raises questions about the future of Ruby as a programming language, as several prominent maintainers have indicated they may step away from the ecosystem entirely. With Ruby already facing challenges in maintaining its market share against newer languages, this internal strife could accelerate developer migration to other platforms.

The Ruby community now faces the challenge of rebuilding trust and establishing more resilient governance structures that can resist corporate pressure while maintaining the collaborative spirit that has historically defined the ecosystem.

Reference: Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover