When Responsibility and Power Collide: Lessons from the RubyGems Crisis

113 days ago 16 views Closer to Code mensfeld.pl

Table of Contents

  • 1 The Supply Chain Security Context
  • 2 WHY vs HOW: The Critical Distinction
  • 3 The Missing Human Element
  • 4 Governance vs Control: Finding the Balance
  • 5 Moving Forward: Uncomfortable Truths
  • 6 My Path Forward: Why I'm Staying
  • 7 A Personal Reflection

The Ruby community experienced significant turbulence in September 2025 when Ruby Central forcibly took control of the RubyGems GitHub organization, removing long-standing maintainers without warning. As someone who has worked extensively on RubyGems security - first independently and later with Mend.io - protecting our ecosystem from supply chain attacks and handling vulnerability reports, I found myself caught between understanding the business necessities and being deeply disappointed by the execution.

I should clarify: I'm not affiliated with Ruby Central, but I've been working behind the scenes to keep RubyGems secure for years. Most people don't realize the constant vigilance required, including assessing security reports, investigating suspicious packages, and coordinating responses to threats. The RubyGems blog has documented some of these efforts, but much of this work happens quietly, every