| ▲ | thomascountz 4 days ago |
| An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler https://rubycentral.org/news/strengthening-the-stewardship-o... |
|
| ▲ | DannyPage 4 days ago | parent | next [-] |
| > We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of *openness and collaboration*
- The bolded part doesn’t track with locking out the entire team without notice or explanation.
- “Thanks for the hard work, the adults will take it from here” rarely works out. |
|
| ▲ | krmbzds 4 days ago | parent | prev | next [-] |
| > We thank the maintainers and respect their legacy.
After removing them without explanation, cutting them off from projects they have maintained for over a decade, and ignoring them when they asked for restoration or dialogue. I feel sad for the maintainers. This is not how they deserve to be treated. |
|
| ▲ | jmuguy 4 days ago | parent | prev | next [-] |
| So essentially they randomly cut off a bunch of long time maintainers for some vague legal and/or security reasons. If there was real reason to do that in a hurry, that's what we need to see, not a corporate PR message. |
| ▲ | awilson5454 4 days ago | parent | next [-] | | 100%. I assumed this was inspired by the supply chain attack, but what a horrible way to address this. Reverting it back before revoking it a second time is even more bizarre. Severely mixed messages from leadership, perhaps? | |
| ▲ | gedy 4 days ago | parent | prev [-] | | It’s not clear to me - did they entirely cut them off, or did they reduce their role as admin of the GitHub org? If so, I'm not defending it, and I could understand why someone would feel insulted by that - but also get why an org doesn't want too many with elevated privileges. | | |
|
| ▲ | raesene9 4 days ago | parent | prev | next [-] |
| If they're trying to strengthen security, this feels like an odd way to go about it. Making unplanned unexpected changes to GitHub ownership and removing people with lots of experience and institutional knowledge with little notice (based on the original story) and presumably no great hand-over, feels risky and not a great way to improve people's trust in their governance. |
|
| ▲ | loloquwowndueo 4 days ago | parent | prev | next [-] |
| Totally reads like post-facto CYA. they could have communicated this to the maintainers internally beforehand instead of blindsiding them. |
| ▲ | downrightmike 4 days ago | parent [-] | | The NPM breach was an email that stated the dev needed to update their MFA by the next day in order to keep their access. If you're arguing that is what ruby central should have done, that's a social engineering attack. | | |
| ▲ | mrinterweb 4 days ago | parent | next [-] | | How would a heads-up email look like a phishing email? Blindsiding the maintainers like this is just cruel. | |
| ▲ | loloquwowndueo 4 days ago | parent | prev [-] | | It’s entirely possible to distinguish between legit internal communication and a phishing email. (It gets harder and harder every day but ultimately still possible) |
|
| ▲ | TehCorwiz 4 days ago | parent | prev | next [-] |
| > Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
Several of the people removed are employees or contractors of Ruby Central. This doesn't pass the smell test. Not to mention it's post-facto in that they did all of this before notifying anyone. |
| ▲ | byroot 4 days ago | parent [-] | | > Several of the people removed are employees or contractors of Ruby Central.
Who?
> Not to mention it's post-facto in that they did all of this before notifying anyone.
Isn't that pretty much the number one rule when restricting accesses? First remove accesses, then communicate? | | |
| ▲ | TehCorwiz 4 days ago | parent [-] | | At least Ellen Dash. The author of the pdf the post links to. | | |
| ▲ | byroot 4 days ago | parent [-] | | They haven't been contracted by Ruby Central since May by their own account: https://bsky.app/profile/duckinator.bsky.social/post/3lz7lec... The other people I know who had their accesses removed resigned from RC a while ago, and the ones I still see with access on https://rubygems.org/gems/bundler are people I know are currently employees or contractors. As far as I can tell, this part of the Ruby Central statement seems to check out. Now you can of course debate whether commit rights should be limited to employees, but we have no indication that they lied here. |
|
| ▲ | bradgessler 4 days ago | parent | prev | next [-] |
| It reads like lawyers and auditors took over RubyCentral. |
| ▲ | julik 4 days ago | parent | next [-] | | * Get appointed as paid managers of a non-profit
* Get advice from legal
* Legal suggests removing long-term maintainers without liability contract the same way people get fired: immediately and instantly, and screw the consequences. "Open-source? Never heard of it. Protect your entity legally"
* Instantly follow the advice of the lawyers to the letter. Well done, well done. | | |
| ▲ | observationist 4 days ago | parent [-] | | Aim it right at my foot? Are you sure?! Well, ok, I'm not a lawyer, but... ok, fine, let's do it! |
| ▲ | blibble 4 days ago | parent | prev [-] | | it's the professional management class at it again see: mozilla, nominet (recovered, thankfully) | | |
| ▲ | observationist 4 days ago | parent [-] | | Mozilla is toast. It basically exists as a tax writeoff for Google at this point, and serves no recognizable purpose beyond that, and maybe nostalgia. How MBAs aren't synonymous with leeches by this point is the most amazing ongoing PR campaign in history. They do nothing but suck and suck and suck, and they keep sucking, and they will never stop sucking until their host dies, and then they just move on. | | |
| ▲ | immibis 3 days ago | parent [-] | | Widespread recognition of what you said about MBAs is synonymous with class consciousness, which won't happen. |
|
| ▲ | corytheboyd 4 days ago | parent | prev | next [-] |
| Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also liability, but those accounts being compromised just hasn’t been what is happening. |
| ▲ | corytheboyd 2 days ago | parent | next [-] | | The other side of the story came out, and of course, it’s very reasonable https://apiguy.substack.com/p/a-board-members-perspective-of... | | |
| ▲ | nightpool 2 days ago | parent [-] | | That doesn't sound very reasonable at all. Ruby Central, by their own admission, agreed to take $$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project. And they apparently used this as an opportunity to consolidate their power in other ways (renaming the github org) for reasons that were unrelated to the self-imposed deadline. |
| ▲ | krmbzds 4 days ago | parent | prev [-] | | [flagged] | | |
| ▲ | woodruffw 4 days ago | parent [-] | | Your last sentence reads like a weird swipe: as best I can tell, there's no cultural war dimension to this whatsoever? | | |
| ▲ | krmbzds 4 days ago | parent [-] | | [flagged] | | |
| ▲ | the_hangman 4 days ago | parent | next [-] | | It's been a while but if memory serves me correctly the controversy at that time was actually about him unilaterally deciding that people at basecamp shouldn't be talking about politics in off-topic slack channels after people started trying to organize support for something he didn't agree with. IIRC something like 1/3 of the company quit at that time | | |
| ▲ | zorpner 4 days ago | parent | next [-] | | Specifically, it was in a meeting called by Jason Fried to address people who were concerned about the ongoing existence of an internal list of "funny customer names" (which by all accounts was extremely racist), in which Ryan Singer (who had reportedly previously posted a fair bit of politically right-wing content on internal forums -- those were all deleted when the "no politics at work" policy was rolled out) repeatedly asserted that white supremacy/privilege did not exist (he then resigned). In the aftermath, DHH dug through old chat logs to find a time in the past when one of the people complaining about the list participated in a discussion about same without complaint, and posted it in a way that was visible to everyone saying that their prior participation meant that their current complaint was invalid. Then they rolled out the no-politics-at-work policy in this post dated April 26 2021 -- I would encourage anyone interested in the specifics to read through the various versions and edits of this post made in the week following, all without noting that it was being actively changed: https://world.hey.com/jason/changes-at-basecamp-7f32afc5 | | | |
| ▲ | krmbzds 4 days ago | parent | prev [-] | | Am I the only one who feels like discussing politics at work is inappropriate? While I'm not apolitical, I appreciate having a space where the constant bombardment of politics is momentarily absent. It's refreshing to focus on work without the need for political discourse. | | |
| ▲ | bigstrat2003 4 days ago | parent | next [-] | | No, you're not the only one. I think work should be a politics-free zone. We are there to get stuff done, not argue and hate each other. | |
| ▲ | crote 4 days ago | parent | prev [-] | | The problem is that everything is political: if politics don't impact you, you are living a very privileged life. On the one hand, I do agree that endless debating over relatively minor ideological differences is pointless, and only going to lead to time-wasting and resentment. I certainly have the same desire for some peace and quiet, and being able to focus solely on my work. On the other hand, we live in a society where questions like "am I allowed to use the office bathroom" have been made political, and where your coworkers are genuinely worried about whether they'll get arrested and deported from the country for no reason whatsoever during next week's sprint planning. Their issues are real and by definition require the business as an entity to respond to political developments. You might have the luxury of putting your head in the sand and pretending they don't exist, but that's not going to magically solve your coworkers' problems. Unless the company wants to restrict its hiring to the absolutely minuscule group of people who will never be impacted by politics, it'll have to engage in some level of political discussion. |
|
| ▲ | woodruffw 4 days ago | parent | prev [-] | | I’m not seeing how this is related to the subject of the thread. But also, I think DHH’s politics are manifestly controversial: downplaying that doesn’t make for a good argument. | | |
|
| ▲ | sussmannbaka 4 days ago | parent | prev | next [-] |
| that’s a lot of words to write “we did a hostile takeover” |
|
| ▲ | yxhuvud 4 days ago | parent | prev | next [-] |
| It might have been a good idea to do that communication BEFORE creating all that drama. |
|
| ▲ | tarellel 4 days ago | parent | prev | next [-] |
| This is just RubyCentral trying to get ahead of the news and save face before they end up looking like complete @$$ bags. |
|
| ▲ | thomascountz 4 days ago | parent | prev | next [-] |
| I think the fear from Ruby Central might have been that, had they communicated openly, a maintainer/community member with admin access could do their own hostile takeover, and that that would expose Ruby Central to some legal liability, if not a complete loss of control. I'm not in a position where I'd have to make a decision like this, and I don't have all the information, but I like to think that if I had made a decision like this, I'd show some more respect in the aftermath. Something more akin to: "That was really awful, I'm sorry. We were suddenly faced with the severity of our legal exposure and had to immediately lock everything down. It's not a reflection of trust or anything, it was legally what had to be done. Now that we've taken stock and are squared away, we have to make a more explicit controls framework, and we hope we can make it up to you, make this right, and have you lead as a maintainer again." ...Then again, maybe this wasn't about legal exposure. Or maybe it was and former contributors/maintainers are getting apologetic emails right now... |
| ▲ | loloquwowndueo 4 days ago | parent [-] | | 1. You lock everyone out of the org for whichever valid but idiotic reason.
2. The instant you do, you send them all an email explaining the situation. That’s how you do it in those cases. You don’t blindside them and then wait for them to react, restore their access back (which totally negated and nullified the “I wanted to preempt a takeover attempt” argument) and continue to skulk around instead of being open about it. | | |
| ▲ | chao- 4 days ago | parent | next [-] | | Seconding this. Ruby Central is not a large organization by headcount, but in terms of impact, it is massive. Any person up to the task of leading an organization like this must know that drastic, public action involving long-term contributors will necessarily require an explanation. Inevitably. They must also know that in an information vacuum, people will assume the worst. This is not difficult to foresee. I truly hope this is settled without too much collateral damage, and I hope that the people in leadership learn a lesson about communication. | |
| ▲ | thomascountz 4 days ago | parent | prev [-] | | You're completely right. In a generous interpretation, having so little communication over such a long period is where this went wrong. In any case, having your highly-tenured team dissolve and feeling like things were "hostile" is an indicator that you'll need to do better. Then again, who knows what the goal actually was? Maybe this went perfectly to plan. Given there was nothing approaching an acknowledgement of regret or apology in the press release, maybe this went exactly to plan. | | |
| ▲ | ryandrake 4 days ago | parent [-] | | It reads like the confrontation-avoiding Office Space solution: "We fixed the glitch [...] so it will just work itself out naturally." |
|
| ▲ | michaelem 4 days ago | parent | prev [-] |
| So uh… “compliance reasons”?
That sounds rather concerning. |