kimos 11 hours ago
It’s easy to point at politics or people and some sinister motive. Maybe that’s what it is.
But don’t underestimate what can be accomplished through incompetence. Shopify is a multi-billion dollar company that has processed over a trillion dollars. They are a high value target for sophisticated attackers. It’s entirely possible they are trying to accomplish some security and supply chain goals to protect their Ruby pipeline, but completely messed up the execution and did not predict the community interpretation and backlash.

rmoriz 12 hours ago
They are a multi-billion company that is highly dependent on RubyGems, and a breach could ruin their business. So they have intrinsic reasons to support anything that keeps Ruby and Rails floating.

bartread 12 hours ago
That makes sense but, to put it mildly, I am not whatsoever a fan of corporate controlled and directed OSS. I'm even less of a fan of it when it's effectively controlled by only one corporation. The temptation to play high-handed with the community, and with the future, is overwhelming and not one that corporations seem able to resist. One example: Chromium, which is now effectively worthless as a serious web browser with support for MV2 removed, thus meaning that uBlock Origin (and the like) no longer work, due to Google forcing the issue with MV3.

rmoriz 12 hours ago
I don't see the controlling aspect materializing, except forcing Ruby Central to build a reliable organizational structure. There are companies that are way more involved in controlling projects. Cloud providers or CDNs that start to sponsor, but after a while lose interest unless specific adjustments are being made. I doubt there will ever be a run-time dependency of rubygems with Shopify. I would be more alarmed if, say, Microsoft GitHub™, Google, Cloudflare would "step up to save the project".

bigiain 11 hours ago
... so they locked out the main security contributor, and didn't see a need to replace them?

plorkyeran 11 hours ago
We know very little about what happened between Shopify and Ruby Central. They said that they made no progress towards satisfying Shopify’s demands until they were 24 hours from the deadline, but not what those demands specifically were or why they failed to do anything. It’s possible that what they did in a panic at the last second wasn’t actually what Shopify had intended.

pityJuke 12 hours ago
From all I can observe, it does seem to have a sinister political undertone. In that, Ruby Central's collapse started because Sidekiq disagreed with them platforming dhh, and then Shopify (who has dhh as a board member, and whose CEO races with dhh) used the funding weakness to demand a purge of anyone they disagreed with. As an aside, I imagine the discussion of this will end up being... difficult, because people tend not to react to these sorts of things well.

lamontcg 12 hours ago
> who has dhh as a board member, and whose CEO races with dhh

Oh, so this is just dhh doing a hostile takeover of core ruby infrastructure where previously he had to try to work with people, now he can just tell people what he wants to be done, because they work for him.

ksec 12 hours ago
> Ruby Central's collapse started because Sidekiq disagreed with them platforming dhh

I remember Ruby Central denied they ever tried to deplatform DHH. But now when they are platforming DHH, Sidekiq wants out. I honestly think it may be way simpler. Shopify is willing to sponsor and put money into it, but they also want it done ASAP, preferably now. They gave a deadline and Ruby Central didn't think, plan or act until too late. And the moment it was badly done, politics crept in.

kmacdough 11 hours ago
I suspect they underestimated the backlash. They wanted to make their changes whenever they wanted, to fit their specific needs. They didn't think twice about the community, so much so that they didn't consider the community might not stand for it. And history ain't written. Who knows how this will hurt them.

kelvinjps 12 hours ago
Isn't most of the reputational risk going to Ruby Central?

zorpner 9 hours ago
DHH joined their board in 2024 [0], and is using this opportunity to purge people he disagrees with politically from the Ruby ecosystem. It really is as simple as that.

[0] https://www.shopify.com/news/david-heinemeier-hansson-board

th0ma5 12 hours ago
Money. Some people seek to extend their claimed intellectual property into previously uncapitalized contexts.

flkiwi 12 hours ago
There are arguably larger reputational risk issues in a company with significant financial/payment activities not having adequate control of their technology. I'm not saying that justifies anything here, as I don't know nearly enough about it, but I'd wager that even a minor incident arising from them not adequately controlling their stack would create infinitely more issues than this move.

hiharryhere 12 hours ago
If supply chain integrity is the issue specifically for Shopify, couldn’t they run their own private, internally facing gem repository and whitelist everything that goes there? It’s not a requirement to use the public rubygems.

kenhwang 11 hours ago
They probably thought it would be easier to takeover rubygems than ensure every dev and every machine for every possible ruby tool could be and is pointed at the internal gem repository. Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew. That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, that no one would care or even know how to point at a private gem repository.

3eb7988a1663 12 hours ago
I too am scratching my head at this. If the problem is the outside community could be a risk, just do not drink from the firehose. Have processes in place to slowly vet and bring the outside world indoors. Then again, that is not a very web scale suggestion.

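The "private mirror plus allowlist" idea raised by hiharryhere and 3eb7988a1663 above, as an added example that is not part of this thread or of any project mentioned in it: a Ruby script that vets a Gemfile.lock before its gems are admitted to an internal mirror, flagging gems or versions not on the allowlist and any remote other than the internal mirror. The lockfile fragment, the allowlist and the mirror URL https://gems.internal.example/ are constructed for the example.

```ruby
# Added example (not from the thread): vet a Gemfile.lock before its gems are
# admitted to an internal mirror. Lockfile, allowlist and mirror URL are constructed.
# Constructed lockfile fragment in the real layout: resolved gems are indented
# four spaces, their dependency constraints six.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.7)
      nokogiri (1.16.7)
        mini_portile2 (~> 2.8.2)
      rack (3.1.8)
      rake (13.2.1)

  PLATFORMS
LOCK
# Constructed allowlist: gem name => versions approved for the mirror.
ALLOWLIST = {
  "rack"     => ["3.1.8"],
  "rake"     => ["13.2.1"],
  "nokogiri" => ["1.16.5", "1.16.6"],
}.freeze
# Hypothetical internal mirror, the only remote a vetted lockfile may use.
TRUSTED_REMOTES = ["https://gems.internal.example/"].freeze

# Resolved gems (name => version) from the specs: block. Lines indented by
# exactly four spaces are gems; deeper lines are constraints and are skipped.
def parse_lock_specs(lock_text)
  specs, in_specs = {}, false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif in_specs && !line.start_with?("    ")
      in_specs = false                      # blank line or next section
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Gems the mirror would refuse: unknown names or versions not yet approved.
def unapproved_gems(specs, allowlist = ALLOWLIST)
  specs.reject { |name, ver| allowlist.fetch(name, []).include?(ver) }
end

# Remotes referenced by the lockfile other than the trusted mirror.
def untrusted_remotes(lock_text, trusted = TRUSTED_REMOTES)
  lock_text.scan(/^\s*remote: (\S+)\s*$/).flatten.uniq - trusted
end
```

Running `unapproved_gems(parse_lock_specs(SAMPLE_LOCK))` on the sample reports nokogiri (unapproved version) and mini_portile2 (not on the list at all), and `untrusted_remotes(SAMPLE_LOCK)` reports the public rubygems.org remote.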
hobs 11 hours ago
I don't understand how "well let's just manage the entire ecosystem" could help this problem.

flkiwi 12 hours ago
That's not what I said. I was responding to the parent comment's statement that "I’m assuming there’s a ton of reputational risk in this move" by noting that, in relative terms, this likely isn't something people are paying attention to outside a very, very narrow universe.

jcmfernandes 12 hours ago
Exactly. While it seems like the overarching goals were well-suited, the process was... WTF.

apercu 12 hours ago
Supply chain attacks are big shareholder news lately?