Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover

Original Article ↗ Hacker News Discussion ↗

Background: Long‑running Ruby community tensions

  • Several commenters frame this as the latest episode in a long history of Ruby/Rails drama: early flamewars, prominent departures, Code of Conduct fights, and Rails vs Merb tribalism.
  • Others say most of that is “old” and peripheral; day‑to‑day Ruby use has been stable and productive, with a largely kind community.
  • There’s disagreement over whether past conflicts were toxic and unresolved or mostly “water under the bridge.”

What actually happened with RubyGems/Bundler

  • Ruby Central runs the RubyGems.org service but did not historically own the RubyGems/Bundler code or GitHub orgs.
  • A maintainer with “owner” rights added a Ruby Central–aligned owner to the GitHub org against existing maintainers’ wishes, and that access later enabled Ruby Central to remove long‑time maintainers and install its own employees.
  • Many see this as an organizational “hostile takeover” of repos they didn’t own, not just a security hardening or staff change.
  • There’s confusion/concern about how GitHub org ownership was so loosely defined and how one person could effectively transfer control.

Motives: security, consolidation, or culture war?

  • One camp thinks Shopify and Ruby Central overreacted to recent npm and credential‑theft incidents, pushing a rushed “secure governance” plan with terrible communication.
  • Another camp believes Shopify used its position as dominant funder to consolidate control over core Ruby infrastructure, sidelining independent maintainers and a perceived competitor tool (“rv”).
  • A third narrative argues this is fallout from an attempted “cancellation” of a high‑profile figure, with allies retaliating by reshaping governance.

DHH, politics, and sponsorship

  • Much of the thread revolves around that figure’s recent blog posts and public positions on immigration, London demographics, DEI, and trans issues.
  • Some commenters describe these writings as racist, xenophobic, and unsafe for an inclusive community; they see withdrawing conference sponsorship or refusing to platform him as principled.
  • Others describe him as merely right‑leaning or “insufficiently enthusiastic about immigration” and view attempts to deplatform him as ideological overreach.
  • A major sponsor (Sidekiq) quietly withdrew a large donation after he was platformed at a conference, which left Ruby Central financially dependent on Shopify and is widely seen as a key precursor to the takeover.

Impact on trust and future of the ecosystem

  • Many fear long‑time maintainers will leave, and that trust in Ruby’s supply chain and governance is badly damaged.
  • Others argue most commercial Ruby users won’t notice and the language isn’t “dead,” but acknowledge this deepens the split between corporate and community interests.
  • Some call for new funding models, alternative tooling (e.g., “rv”) and even alternative gem hosts to reduce single‑company control.