Ruby Central report reopens wounds over RubyGems repo takeover

Board-backed account of maintainer ouster is unlikely to settle row over governance, control, and trust
Ruby Central, a nonprofit that supports the Ruby programming language ecosystem, just published an incident report regarding what it calls the September 2025 RubyGems fracture, when ownership of the GitHub code repository behind the RubyGems package manager was wrested from existing maintainers.

According to a post from the Ruby Central board, the purpose of the report is to explain who was involved and how decisions were made.

The board also promises further steps to "strengthen governance, improve transparency, and expand community participation in the stewardship of RubyGems."
The report is by Richard Schneeman, a principal engineer at Salesforce who maintains the Heroku Ruby Buildpack and joined the Ruby Central board a month after the RubyGems incident.

The matter, Schneeman said, is "deeply subjective" and the document follows "multiple failed attempts... as a result of aiming for objectivity."
The report was approved by the board, so it is not fully independent.

Nevertheless, Schneeman has given many details of what happened, based on interviews and other interactions.

According to Schneeman, the key trigger was that André Arko, formerly a RubyGems maintainer and an advisor to Ruby Central who was also paid by Ruby Central for on-call engineering, had launched the rv Ruby management tool and set up the Spinel organization without consulting Ruby Central.

Arko's partner is Samuel Giddins, security engineer at Ruby Central.

Arko had previously created the RubyTogether organization, which merged with Ruby Central in 2022, and Spinel Cooperative Corporation appeared to have a similar structure.

Schneeman quotes a Slack message from Marty Haught, director of open source at Ruby Central, in which Haught wrote of "accelerating removing André," presumably because he was now seen as a competitor.

Giddins left Ruby Central of his own accord in early September.

What happened later in September is a tangle of confusion and lack of communication between Ruby Central and the RubyGems maintainers.

As we reported at the time, the RubyGems GitHub organization was renamed to Ruby Central, Haught became the maintainer of RubyGems, and all other maintainers were removed.

"The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action," said Ellen Dash, one of the maintainers affected.

Bundler is a Ruby dependency manager.

The changes were made possible by Ruby Core member Hiroshi Shibata, who had the requisite permissions and acted on instructions from Ruby Central.

The outcome was that, after some complicated back-and-forth and considerable ill feeling, Ruby Central remained in control of the RubyGems GitHub repository, and several of the former maintainers forked RubyGems to create Gem Cooperative.

In October, Ruby creator Yukihiro Matsumoto (Matz) said that RubyGems repository ownership would transition to the Ruby Core team while continuing to be managed by Ruby Central.

Schneeman's report ends on September 24.

In his conclusion, he acknowledges Ruby Central's shortcomings by stating that "these are our mistakes, collectively." He hopes to "provide some closure to the community" and promises a further process of structural change.

Josef Šimánek, one of the former RubyGems maintainers, reacted to the report on Reddit.

What should have happened, he said, was for Ruby Central "to trust and communicate with all maintainers to resolve any project issues." Šimánek said there was no need for Ruby Central to own the code repository to operate the RubyGems service.

He says he remains unhappy that "RC decided to throw overboard almost whole original RubyGems/Bundler/RubyGems.org (code) and RubyGems.org (service) team and put all the service in real danger (the service was in the meantime for few days, maybe weeks without on-call rotation and anyone able to respond to incidents)."
Schneeman's response is that part of the problem was that maintainers left.

"With the other side walking away... it leaves Ruby Central holding (and owning) the mess," he said.

Rather than reiterate who did and said what in detail, McQuaid focuses on the lessons for open source.

Sustainability, which plays a part in the RubyGems fracture because of paid roles and other commercial interests, is part of it, and governance another part.

"If your project hasn't argued about governance or money yet, it probably will one day. Be prepared and try to do this stuff before it becomes a problem," he said.

McQuaid told The Register: "This retrospective is a net positive in that it shows Ruby Central learning lessons and publishing more specific information than was previously public. I still do not think Ruby Central got, or is getting, everything right, but I am glad to see more accountability and reflection than we had before." ®

Source: This article was originally published by The Register
