Lightnews — Scholar-powered news

Reposted by Joel Drapper 🇬🇧🇺🇦

puppy @duckinator.bsky.social · 1d

What if gem hosts had NPM-like scopes & your Gemfile could be:

source "https://gem.example"
gem "@duckinator/jim"

OR:

gem "https://gem.example/duckinator/jim"

... what if a PoC patch was 25 lines, and a 1-line kludge meant you can test it against a production server?

github.com/gem-coop/gem...

A screenshot of running `bundle install` against various Gemfiles.

It shows that, with my patch, you can use scoped packages similar to what NPM provides, if you're using GitHub Packages.

1 4 23

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Who would ever contract for Ruby Central in the future after this obvious smear campaign against a former employee?

I’ve never seen a postmortem like it. Incredibly unprofessional.

If I was trying to destroy RC’s reputation to justify a takeover by another org, this is what I’d be doing.

Ufuk Kayserilioglu @ufuk.dev · 3d

We just publicly posted about the Rubygems.org AWS root-access security incident from September 2025, what occurred, what we verified, and the actions we’ve taken to strengthen our security processes.

Ruby Central @rubycentral.org · 3d

Here’s a note from our Executive Director regarding our recent security incident.
rubycentral.org/news/rubygem...

1 17

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Except the article is not true and you can test it yourself with any LLM.

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Even Qwen 2.5:0.5b (an even smaller 298MB previous-generation model) noticed the "no", despite giving me an overall pretty incoherent sounding answer. What can you expect from a model that‘s smaller than the Slack mac app?

2

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Claude, Mistral and ChatGPT got it. Even Qwen 3:0.6b (a tiny 523MB model) *clearly* understands the difference.

1 1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

We need both. We need LLMs that can follow plain language instructions and we need calculators that can do math.

LLMs are bad a math just like humans are. So we need LLMs to be able to use calculators.

1 1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

I can’t read that because it’s gated. But this doesn’t make sense. “No” will be statistically significant for any reasonable set of training data. Also you can use any of the big LLM models today and see that they clearly respond to “no”.

2 2

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

It sounds like you’re comparing LLMs to computer programs. But they’re not meant to stand in for computer programs. They’re meant to do work that otherwise has to be done by humans.

Humans also don’t listen and often give bullshit answers. But they can do things traditional computer programs can’t.

2 2

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Tidewave solves this in theory by running in the browser.

1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

That makes sense. Even BasicObject.

My personal preference is to produce predicate methods that return either true or false.

But I’m more careful when consuming.

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Agreed. I just think there are several better names for a top type than bool.

1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

I agree they are, but there is a different sense in which they’re not. There is a set of expectations about and methods I can call on a union of true/false that I can’t call on any object.

1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

Also, `foo` may be as true as `true` but `!foo` is not necessarily the same as `!true`. There’s something to be said of the expectation that the value is strictly a boolean and will behave like true or false do, even when applying operators like `!@`.

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 1d

`:foo` isn’t the unit type `true` though. If you expect your function to return either false or true, you would be surprised if it returns :foo.

bool seems like a strange name for object/any type.

2

Reposted by Joel Drapper 🇬🇧🇺🇦

Mike Perham :sidekiq: @getajobmike.ruby.social.ap.brid.gy · 2d

Periodic reminder: @rubycentral is smearing Andre in public so they can justify their hostile takeover of the rubygems/rubygems repo after the fact.

An actual community-focused organization would have followed the RFC process which was already in progress.

1 13 29

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

Maybe the fault lies with the guy donating six figures to Ruby Central who decides to withdraw it when they intentionally invite a white supremacist to speak?

This is below you, Irina.

2 6

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

That *IS* a supply chain attack. A malicious maintainer is exactly how XZ was lost to Jia Tan. Kicking all the other maintainers out is a malicious act.

There were agreed rules in place about how maintainers can be added and removed.

2

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

They do need to make things right first.

3

Reposted by Joel Drapper 🇬🇧🇺🇦

eric shamow @botmatrix.myatproto.social · 2d

Without regard to the factuality of anything on either side of this, this is ABSOLUTELY the correct on-call response to the scenario André is describing:

"Given Marty’s claims, the sudden permission deletions made no sense. Worried about the possibility of

1/

André Arko @indirect.io · 2d

Ruby Central said some really concerning things today. I don’t think they’re representing the situation accurately. andre.arko.net/2025/10/09/t...

The RubyGems “security incident”

Ruby Central posted an extremely concerning “Incident Response Timeline” today, in which they make a number of exaggerated or purely misleading claims. Here’s my effort to set the record straight. Fir...

andre.arko.net

1 4 14

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

Looks like Ruby Central tripped over themselves putting together a smear campaign that they forgot to remove André from 1Password.

André Arko @indirect.io · 2d

Ruby Central said some really concerning things today. I don’t think they’re representing the situation accurately. andre.arko.net/2025/10/09/t...

The RubyGems “security incident”

Ruby Central posted an extremely concerning “Incident Response Timeline” today, in which they make a number of exaggerated or purely misleading claims. Here’s my effort to set the record straight. Fir...

andre.arko.net

3 17

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

At that point the internet blew up and Ruby Central were calling him a security threat, Marty wasn’t responding to emails.

1 1

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

We had to spent 500 words explaining the difference between `rubygems.org` the code and `rubygems.org` the service and how one was never owned by Ruby Central, while the other one was.

1 3 17

Joel Drapper 🇬🇧🇺🇦 @joel.drapper.me · 2d

As silly as this sounds, if the GitHub repository had been named `gemserver` instead of `rubygems.org`, then Ruby Central wouldn’t have been able to pull off this stunt so easily with so much public support.

2 1 18

Reposted by Joel Drapper 🇬🇧🇺🇦

Joshua Wood @joshuawood.net · 2d

I agree, invoking the CFAA is extremely fucked up.

Amytiville Hoyrror @amyhoy.bsky.social · 2d

he changed the passwords to secure the systems he was ON CALL FOR, because it looked like an incident was occurring.

AND, because he still had passwords, due to their sheer incompetence, they are now trying to legally bully him with the threat of the CFAA which is a nuclear bomb of a law

1 3 7

Reposted by Joel Drapper 🇬🇧🇺🇦

André Arko @indirect.io · 2d

Ruby Central said some really concerning things today. I don’t think they’re representing the situation accurately. andre.arko.net/2025/10/09/t...

The RubyGems “security incident”

Ruby Central posted an extremely concerning “Incident Response Timeline” today, in which they make a number of exaggerated or purely misleading claims. Here’s my effort to set the record straight. Fir...

andre.arko.net

7 74 200