Hacker News Viewer

Top 20

RubyGems Fracture Incident Report

by schneems on 3/31/2026, 2:08:37 PM

https://rubycentral.org/news/rubygems-fracture-incident-report/

Comments

by: matharmin

I can see a lot of time was put into the report, and it helps to have the detail, but in my mind it glosses over one of the most important parts: The dispute in the stewardship of the bundler and rubygems open-source projects.<p>As I understand it, Ruby Central controlled the rubygems and bundler github organizations, but did not &quot;own&quot; the projects in the traditional sense - the individual contributers have copyright on the code, and potentially even trademark rights. By then removing access of core maintainers to those projects, they removed access to something they don&#x27;t &quot;own&quot; themselves.<p>This is all complicated by the fact that controlling a github organization or repo is different from owning the trademark or copyright. But some of the original maintainers clearly felt they had more of a right to those projects than Ruby Central did.<p>I believe not clarifying this before making these access changes was the biggest mistake that Ruby Central made, and it&#x27;s not even mentioned in this report.

3/31/2026, 6:12:58 PM

by: riffraff

this is a good write up, I hope this really helps put the whole mess to rest.

3/31/2026, 4:51:09 PM

by: mpalmer

<p><pre><code> This incident involved many people over a rather long time scale, and it was important to detangle how people perceived events from how they actually unfolded. The subject matter is deeply subjective, and multiple failed attempts at writing this doc came as a result of aiming for objectivity, for blameless representation. Therefore, those named in this report are: - Full-time employees of Ruby Central - Part-time consultants who were involved in access discussions - Anyone who made an access change from September 10th-18th, 2025 - Those who have already been publicly identified in the discourse Volunteer groups, including the Ruby Central Board and the Open Source Software (OSS) Committee, are listed, but their actions are represented as a group. Individual quotes from the OSS Committee are used without direct attribution when they represent a general consensus. Some execution failures and mistakes are individual, but the purpose of having a foundation and having an institution is that it can rise above individual limitations and provide robust, fault-tolerant systems. Therefore, these are our mistakes, collectively. And collectively we&#x27;ll learn from them, but only if we face what happened, what we meant to do, and where we fell short. The hope is that by sharing this, we can provide some closure to the community and increase transparency </code></pre> The undeniable effect of masking specific comments made by OSS committee members is to protect three members (2 current, 1 former) of Shopify&#x27;s technical leadership around Ruby and Rails, who have all since left the committee. The one who left Shopify went to 37signals after.

3/31/2026, 6:03:23 PM

by: thramp

This is a disappointing look for Ruby Central. I have to get back to work, but their retroactive framing that Andre and Samuel&#x27;s work on RV justified Ruby Central&#x27;s subsequent actions is contradicted by their own admissions.<p>By their own admission, André is a contractor to Ruby Central. Contractors, especially under California law, have no contractual obligation of confidentiality to the other party unless there&#x27;s a pre-existing agreement in place. They later admit in this &quot;incident report&quot; that they didn&#x27;t have any legal agreements with André in place, so there&#x27;s no basis for claiming André couldn&#x27;t work on rv.<p>Samuel was an employee, not a contractor, but [California Bus. &amp; Prof. Code § 16600](<a href="https:&#x2F;&#x2F;leginfo.legislature.ca.gov&#x2F;faces&#x2F;codes_displaySection.xhtml?lawCode=BPC&amp;sectionNum=16600" rel="nofollow">https:&#x2F;&#x2F;leginfo.legislature.ca.gov&#x2F;faces&#x2F;codes_displaySectio...</a>.) voids non-compete agreements—so even as an employee, he had every right to work on a competing project. There&#x27;s no indication that he used Ruby Central&#x27;s proprietary information to do so, and the report doesn&#x27;t allege that. I have little doubt that if Samuel or André used proprietary information to develop rv, they would have already presented evidence of that.<p>Independent of the legalese, a &quot;uv but for ruby&quot; is a blindingly obvious thing to do, and Ruby Central doesn&#x27;t get to lick the cookie and get upset when an independent contractor—Ruby Central&#x27;s own characterization—does a thing they didn&#x27;t fund.<p>My sourcing on this is that I run a 10-person business with employees in California. I&#x27;m not a lawyer, but I looked over enough of this paperwork that I feel confident opining on an internet forum.

3/31/2026, 5:00:29 PM