LightNews
eregon.bsky.social
Benoit Daloze
@eregon.bsky.social
410 followers 140 following 200 posts
Rubyist, Researcher at Oracle Labs, part of the @GraalVM team, TruffleRuby lead. Expressed opinions are my own.
Posts Media Videos Starter Packs
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 1d
As a note I hadn't seen bsky.app/profile/ruby... yet when reading your post. Finally some concrete factual information from Ruby Central. A bit in a roundabout way but explains some parts of the story.
rubycentral.org
Ruby Central @rubycentral.org · 1d
Here’s a note from our Executive Director regarding our recent security incident.
rubycentral.org/news/rubygem...
Rubygems.org AWS Root Access Event – September 2025
As part of standard incident-response practice, Ruby Central is publishing the following post-incident review to the public. This document summarizes the September 2025 AWS root-access event, what…
rubycentral.org
1 2
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 1d
Great post! It's so nice to have a straight honest no-BS write-up about this. I feel that's where RubyCentral's communications are failing, I haven't seen them explain the reason they did this, just vague excuses. I had been wondering about Shopify's role in this and this post makes it much clearer.
1 8
Reposted by Benoit Daloze
byroot.bsky.social
Jean Boussier @byroot.bsky.social · 1d
I tried to explain why I don't believe the recent accusations toward my former teammates, as well as how the Ruby and Rails Infra team at Shopify operates and why it can be trusted.

byroot.github.io/opensource/r...
Dear Rubyists: Shopify Isn’t Your Enemy
I’ve been meaning to write a post about my perspective on Open Source and corporate entities. I already got the rough outline of it; however, I’m suffering from writer’s block, but more importantly, t...
byroot.github.io
11 35 89
Reposted by Benoit Daloze
kenwhite.bsky.social
Popehat Agitates And Irritates @kenwhite.bsky.social · 9d
Every few months now I re-read this "Who Goes Nazi?" piece from 1941 and am blown away by how it captures the people we are dealing with 80 years later.

harpers.org/archive/1941...
Who Goes Nazi?, by Dorothy Thompson
harpers.org
240 3.2K 7.9K
Reposted by Benoit Daloze
stefan-marr.de
Stefan Marr @stefan-marr.de · 9d
First Day: A New Chapter at the JKU

It's Wednesday. Is this important? It's my first day in a new position. So, perhaps the real question is: what's going to be important to me from now on?

stefan-marr.de/2025/10/firs...
First Day: A New Chapter at the JKU
New job and responsibilities: what's now important to me?
stefan-marr.de
4 5 16
Reposted by Benoit Daloze
mikemcquaid.com
Mike McQuaid @mikemcquaid.com · 21d
Having met with both sides on the current RubyCentral/RubyGems situation, here's my take:

- RubyCentral have managed this exceptionally poorly in many ways including removing literally the most active member of the RubyGems organisation by mistake who has declined to return
2 43 130
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
In fact I'm very confident that if it was discussed with the concerned people and/or publicly before the first removal of access it would have gone way better.
2
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I don't think there is a credible threat of retaliation. And if there was then both could be done at the same time or very closely. It would maintain trust to announce things vs doing it and then communicating about it without any room for discussing it and alternatives.
2 2
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I think that's not a credible threat. Actually to me (maybe naive or too positive, but still) rv sounds a bit like other projects, sometimes it's easier to innovate from scratch/forking and much harder to improve the system in place.
1 9
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I really dislike the "legal obligation" here, it sounds like an excuse or like "we found out we can just take full control and did it". Ruby Central has a responsibility to keep RubyGems safe, yes, that doesn't mean remove all access from maintainers not currently employed by RubyCentral.
1 10
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I think that tendency needs to be fought back. Corporations have changing goals and are not always reliable, and can have weird legal constraints. They should not have full control over a project, at least if there are trusted preexisting maintainers for that project.
1
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I don't recall that episode well. But it's clear RubyCentral did something f*ked up here for multiple people to resign or consider to resign (whether they are employee or contractor). The feeling from them and the community seems quite unanimous here.
1 1
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I think it would also be OK to establish a policy (or as part of governance) like maintainers with no activity in the last X years have downgraded access, reasonable enough. But not "just remove every non-RubyCentral-employee access without telling them or announcing it beforehand".
1
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I don't think that would ever happen, no. I believe Matz knows how to do proper open source (i.e. not big-corp-backed "open source") and respect people. Apparently the RubyCentral board doesn't. I think access would only be removed for one person after a clear significant issue.
1 4
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
AFAIK several RubyGems maintainers are no longer affiliated with RubyCentral but still had some earned control, so it was not held unilaterally by RubyCentral.
There is an RFC process, etc, that would become almost useless if "the boss of RubyCentral" can just decide everything himself.
3
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
As a concrete example every PR to RubyGems/Bundler shouldn't require someone working for RubyCentral to merge. Long-time trusted maintainers should have rights to merge PRs too. Removing that is not unlike telling a Ruby committer they can't commit to ruby anymore.
1 5
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
I'm not blaming you specifically, I'm blaming the RubyCentral board and whoever executed the change without realizing it would never be OK to do it like that for an open source project like RubyGems where maintainers spent a lot of time and earned trust.
1 5
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
Also obvious but access could have been changed from admin to write/maintainer or so vs removing all access.
This access change also affected more maintainers, including the RubyGems maintainer with most commits. It's not OK, it's not OSS, it's disrespectful.
1 4
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
It's also reckless to do it this way with AFAIK no credible treat/urgency and no prior communication. Governance should be established publicly with consensus instead of RubyCentral doing a takeover. If there is a specific threat, address that one and don't revoke all access for many people.
2 5
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
BTW other maintainers like Martin Emde was also revoked all access and him and David Rodriguez both seem to share similar concerns as Ellen and the community, see the Bundler Slack for more details.
2
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
It's also not fine to "temporarily hold all control" and then trying to establish governance. If there is one problematic access then address that specific one and put out a statement about it when removing it.
Many more concerns on replies of that post and also in bsky.app/profile/bsky...
bsky.awilfox.com
Anna Wilcox @bsky.awilfox.com · 21d
This statement from @rubycentral.org does not give me the warm and fuzzies; transparency, equity, and collaboration in an open-source style do not happen in the dark, nor can they happen without honesty and dialogue with existing contributors.
1 4
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
The "reply" from Ruby Central is bsky.app/profile/ruby...
That's not OK, such a big change needs to be announced publicly some time before being done, and needs some consensus, not like a hostile takeover. It's basic OSS and ethics. I don't even see an apology for the terrible handling in that blog.
1 3
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
This is what I think should happen based on the facts so far:
* Restore everything as before September 9
* Let those previous trusted maintainers establish a clear governance
* Marty should resign/be fired for this, I think that trust can't be restored and RubyGems is not someone's dictatorship
1 2 24
eregon.bsky.social
Benoit Daloze @eregon.bsky.social · 21d
@rubycentral.org leadership (rubycentral.org/about/) What are you gonna do about this? I think it's clear it shows Marty Haught knows little-to-nothing about open source, the Ruby community, proper communication and already broke trust beyond repair.
1 4 28
Reposted by Benoit Daloze
duckinator.bsky.social
puppy @duckinator.bsky.social · 21d
Hey, #ruby folks! I've been one of the #RubyGems maintainers for the last decade.

Ruby Central has forcefully taken control of the RubyGems organization on GitHub, the `rubygems-update` and `bundler` gems on rubygems[.]org, and more.

You can read the details here: pup-e.com/goodbye-ruby...
RubyGems.org | your community gem host
rubygems.org
16 170 330