As I see it, there is the original rubygems, which has lost all of it's maintainers, and this new one, that has most of the original active maintainers? (how many were there before? it has most of the ones I think about, but I didn't know who was active over there. I mostly saw activity from deivid and didn't know about most of the others to be honest).
It kind feels like this fork is the better maintained piece of software now.
Does anyone have any thoughts on this? Are any people thinking of moving over soon?
Is there any information on what the funding model will be? Also @joeldrapper/anyone is there anything you can share about how the hosting is being covered?[0]
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
I remember some complaints about the traffic that it produced[0] (though I don't think it's a bad idea. Basically federated downloads).
I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).
I'm unsure about what to think about longer term (my personal approach is currently "wait and see").
Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).
[0] https://www.bleepingcomputer.com/news/security/60-malicious-...
[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....
They can win me over with a gem distribution site that requires code signing out of the box and a bundler that enforces it out of the box.
Oh, how times have changed. If Oracle were to close source OpenSolaris today, many here would likely rally behind it, especially if Larry Ellison appeared to align with the right. Submissions about Illumos would have been heavily flagged, much like this one has been for a while.
Does the original have many maintainers left?
This does not bode well for the team having the socio-technical savviness to see this project through.
Though there's no way that this is something you care about, cmon.
1. It must depend on RubyGems in order to stay in sync, because people publish to RubyGems.
2. It has no UI to search or view gems, so still depends on RubyGems for that.
Ignoring any question about technical detail or implementation: there is zero practical reason or motivation to switch unless I am ideologically aligned with the maintainers and their reasoning.
As such, there is zero reason to even entertain the idea of switching in a professional context. At best I’d have to care enough to remember it for personal projects.
So it is with almost any fork. It’ll either converge with the mainline after achieving its goals, take over as the new status quo, or fade into obscurity. If I don’t have any direct stake in that then I’m going to wait it out.
This isn’t to discredit or discount the work or the reasoning, of course. It arguably has a far better standing than forking Rails because of DHH.
The suckiest thing is if the fork pans out, it will look a lot like JS: "Which package manager do you want to use?". That beautiful simplicity of "just use bundler and ruby gems" will be gone.
One thing I will give them massive credit for is walking-the-walk. There wasn't really that much complaining for the aggrieved maintainers of RubyGems. They made a public statement describing their grievances, then quietly got to work on a fork. Taking on a fork of RubyGems seems impossible and foolish, but they now have a non-zero chance of succeeding because they're doing it.
Most people I've talked to inside of big orgs are going to stick with the "safe boring" thing, which will probably be RC backed by Shopify. They will probably throw security bureaucracy at the problem, which will make SOC 2, ISO 270001 auditors. I don't think we'll see a lot of innovation coming from RC since the executive director is non-technical and has demonstrated a very ham-fisted approach to running the organization that seems to be out of touch with developers.
On the flip side, I think if gems.coop takes off, it will be because it's a "better mousetrap". One of the people behind it, André, is working on https://rv.dev, which promises to be a faster, "all-in-one", tool for managing ruby versions, gem dependencies, and even has an "npx-like" run this from from the CLI, the right version of Ruby will install, the gems will install, and it will run. That's a much better DX that I could see developers going for.
I've seen discussions on the periphery of adding namespaces to gems, bringing in checksums, and overall taking a more aggressive technical approach to security. I could see that "winning" over a long enough timeframe if RC continues on their current course.
From a fund-raising PoV, I'm starting to put together the clues that André believes organizations with the means to pay for OSS infrastructure should pay for it. I think I agree with this point-of-view and think it's a path for funding that's more transparent than "A group of donors". I hope we start to see infrastructure run in a manner where the costs are accurately estimated, then divided by the number of companies with the means to pay to arrive at the price.
There's absolutely on consensus on my final point, but I think the root cause of RC's catastrophic failure is having too much of a concentration of funding from a few donors. If you're new to this drama, a major donor pulled funding from RC because they didn't ideologically agree with a conference guest. The details are out there if you want to dive into it, but to keep this thread on point, I hope Ruby Co-op figures out how to spread out their funding model across 100's or 1000's so this doesn't happen again.
Which fork of what software..?
> We’re excited to introduce gem.coop – a new server for gems in the Ruby ecosystem.
This is a new hosting service for gems, not a fork of bundler. Or is there missing context?
It's fine. Keeps all the complainers away from the larger ecosystem.
I personally trust Ruby Central, 37signals, Shopify, DHH, Tobi, Matz and others over the guy who was launching a startup to compete with rubygems while being a maintainer for rubygems.
> “Since Ruby Central has informed us they will never allow us to continue working on the projects they now claim they own, that we successfully maintained and operated for the last ten years, the former RubyGems team is launching gem.coop today.”
[1]: https://socket.dev/blog/gem-cooperative-emerges-as-a-communi...
- uv is a cool tool, but Astral has signaled their intention to have it tie in nicely to paid services.
- that's a nice moat!
- Andre & friends saw that in the Python community (and uv's success) and decided they could do the same for Ruby
- Their collective announces rv and now wants to make us dependent on them & friends for Ruby Gems.
- After Hashicorp and others, I'm extremely wary of orgs luring me in with free shit. Hashicorp is maybe the lightest example of this but they're very intentional about enterprise-walling business-essential features.
- I don't want the Ruby ecosystem dependent on one party or even a tiny collective of people. This is just as bad to me as the Ruby Central situation right now.This entire post is practically the case in point, except I’m not clear on how they got real time sync with RubyGems and if any other competitor would have the same capability.
To use Astral and uv as an example, they would have to fork PyPI and maintain all the infra for that and not just the tool that manages the dependencies.
EDIT: Misread the comment and thought it was only about `rv`, not both `uv` and `rv`
This a fact. By this alone I don't think Andre Arko is an honest person.
https://rubycentral.org/news/rubygems-org-aws-root-access-ev... discusses that a precipitating event was Andre asking for a copy of the http access logs to monetize them.
I think this is confirmed by Mike Perham's comment in https://www.reddit.com/r/ruby/comments/1o2bxol/comment/ninn6...
> In this case I have first hand knowledge since he pitched me on the idea: would Sidekiq, being a big sponsor of Ruby Central in the past, be interested if rubygems could somehow use the remote IP to identify the companies downloading the sidekiq gem so I could use that to upsell those companies
Single-file archives are much easier to distribute.
Digests and signatures have standard algorithms, not unique to git. Key/identity management is the hard part, but git doesn't solve it for you (if you don't confuse git with GitHub).
The benefit to being centralized is... everything is in one place. Everything scales at once. Every update is available at the same time.
We did this back in the day using artifactory and co. to proxy NPM and a few other package managers as well as docker containers and some other things. No third party service going down could keep us from deploying.
Not everyone does it because as a solo developer or a small team, as it feels like pointless overhead.
having a decentralized, and maybe sometime unavailable, infrastructure would make more people think about the problem and maybe brings us more stable solutions than we have now.
I hope they find financing to cover hosting costs.
In open source too.
My 2c is that 95% of ruby developers aren't aware of the drama going on around Rubygems.org right now. They have probably seen emails from Ruby Central but largely ignore them and move on with life. Most people have no idea there are issues and they will just continue using Rubygems.org. Getting a project like this to critical mass is incredibly challenging.
This is massively flawed thinking. So called "market rate" is actually a tool for value extraction from the workers and is not connected in any shape or form with what they create for company they work at. As corporations refer to this as if it was a consensus (as in developer should earn $x an hour), they pay this much and workers have no choice but to accept (if someone has working class background and no trust fund, it is rather impossible to throw the towel and start own business, sometimes there are even regulations designed to keep workers captive).
In such a project, "founder level" people should pay themselves as much as they think their worth is. Simple as that.
I often hear VC talking that if founder takes too much money, it's a bad look. They just want to shame people into not taking the slice they deserve.
It's interesting that IT is full of intelligent people, yet they can't grasp how they are being played by the market frames set by the rich.
It's almost like removing money from the equation stops all the nasty stuff that happens inside organizations. Who'd have thought?
Flat salaries do not remove politics. With unequal equity and control, a flat wage simply disciplines workers while investors keep uncapped upside. If money is the poison, start by flattening carry, liquidation preferences and board vetoes. Otherwise you have only flattened one side.
Capping founder pay is class gatekeeping. It selects for people with savings or family safety nets and pushes working‑class founders out. Shaming those who take cash once they create surplus protects investor optics, not fairness.
Equal pay only makes sense when ownership, risk and power are equal. Without that, "equal pay" is theatre.
The fash problem in the Rails ecosystem is next on the list, and I hope there is community consensus to fork this as well.
https://www.benjaminfleischer.com/2013/11/08/how-to-sign-you...
Here's some fun facts:
- DHH enforced a "No Politics at Work" policy.
- DHH wrote a post expressing that he wouldn't want to live in London anymore because it's "no longer full of native Brits", and expressed support for a Tommy Robinson march he called "heartwarming". Tommy Robinson is described as "an anti-Islam campaigner and one of the UK's most prominent far-right activists.". The march DHH praised featured speakers calling for ethnic cleansing via "remigration" and banning all non-Christian religions.
- DHH also promoted "demographic replacement" conspiracy theories and used language connecting immigration to crime, particularly regarding "Pakistani rape gangs" and street theft.
- DHH has been publicly critical of Diversity, Equity, and Inclusion initiatives. This one isn't backed by facts, so take it with a grain of salt.
> This leads me to think this project is not about the code but about the people.
Trust is of utmost importance to a package repository. Even more so than code. A hostile takeover, like the one that occurred with RubyGems, fundamentally undermines that trust. In contrast, an alternative run by the original maintainers who have built years of trust, represents a positive shift.
Unfortunately, it seems that your conclusion was drawn before your justifications. When you invent justification though, at least make sure you don't undermine your own position. Where's the prominent link to the Git repo on rubygems.org top page?
https://web.archive.org/web/20251003112525/https://rubygems....
I'm not saying they aren't, but there are a LOT of conflicting opinions about what happened, why it happened, and who was right/wrong.
This it what tends to happen when money gets involved in a project without a clear structure/business plan/guarantees put in place. People just did whatever and made assumptions, and now suddenly the whole community is rocking and rolling thanks to the actions/view points of a select few.
As long as people are aligned on advancing the Ruby ecosystem, I think it should be possible to cooperate even if there are disagreement in other areas [which political party you support, differences in personal opinions, etc].
Maybe it'll be resolved eventually, just like Merb <> Rails, Bundler <> RubyGems and RubyTogether <> RubyCentral were eventually merged. That's what I'm hoping for!
https://old.reddit.com/r/ruby/comments/1nzxgb9/buckle_up_the...
In the event the ruby-reddit moderators remove it, the comment had this content verbatim at the time of linking to it here:
"I have tried so much. It’s Ruby Central that won’t talk. They’re hiding behind lawyers at this point."
Now, we have to concede that this could be wrong; or incomplete. Personally I believe him though, but in theory it could be a wrong statement. Nonetheless ... just think about this for a moment ...
The organisation that claims it is all about the community, refuses to be transparent and now hides behind lawyers, after having been caught with making several incorrect statements before already. Does this look more like a community-centric organisation or possibly a front for corporations? Just think it through for yourself what it means when they suddenly have to hide behind lawyers.
In my opinion they are now deliberately making the community angry. But, even without this, I believe we can conclude that by far the biggest fault for all of this lies on Ruby Central.
This is one thing I think hasn't been talked about explicitly enough within the community (that I see at least) yet, Ruby Central seems to be actively trolling the 'other side' of this situation. It reads to me like they know they have the lawyer power to defend their castle and are enjoying pissing down on people and telling them it's raining. Oh and you should enjoy that because it means there will be flowers soon... or something.
I think the dialogue of 'are they acting in good faith' only works in so far as they even care about the rest of the Ruby community at all. If they are indeed bad actors (motivated purely by greed, ambition, ego, etc) then they are not ever going to come clean and they would let the whole Ruby community die before they admit defeat or wrongheadedness. My favorite term for these types of actors is SCUM - Sufficiently Clever and Uncaring Malefactors.
Imagine if someone came into your house and changed all of the locks on you/your family, because "security". You had built that house from your original designs but the other party claims they own it now because they happen to manage a series of rental listings for houses built to your design. You had even made it so the plans could be copied and modified in private; if "security" were a real concern with about 10 minutes effort to do so.
Would you agree that it is right, do nothing? Or would you rebuild something new, given how little time it takes to copy the plans.
Swap "house design" for "software project" and "rental listings" for "running an instance of your software project" and you have the current situation.
Developers are free to choose the party they trust more.
Yes the manner in which it was handled was really bad but given the supply-chain attacks we're seeing against the Python and JS worlds, I think auditing contributor access and consolidating certain privileges is prudent.
Again, handled poorly. But a lot of money rides on stuff like Bundler. We need a strict security posture.
edit- I am an artist; I get the concern and distaste. But at a certain point your art grows bigger than you. If you as a private individual build a bridge used from a public roadway and you don't do the necessary maintenance or management your shit gets shut down. Not sure how this is much different.
I honestly find it ridiculous that this situation happened to begin with, and I also have no clue why people are hating on DHH.
The easiest way to kill an open source project is drama and forking like this. Ruby has been around forever, obviously, however it is far from the most used languages, and drama like this just hurts the ecosystem as a whole.
As a former Ruby dev, it makes me sad.
As for DHH, he's a far-right racist.
https://jakelazaroff.com/words/dhh-is-way-worse-than-i-thoug...
Silencing and excluding such people from open source is the right thing to do because failure to do so means forcing others to interact with people who are hostile to their very existence.
What I'd really like to see is a whole bunch of people acting more professionally. Who you pray to, who you vote for, and who you sleep with are irrelevant to a professional context - and open source development is a professional context. So everyone needs to keep their professional and personal lives separate. I know that at best I would be disciplined, and at worst sacked if I made comments on the lines that some of the lead players in this sorry saga have made. And that's not pointing the finger at any one person.
(neither the "me" nor the "you" here refer to you or me personally ofc.)
There may very well simply be political eras where the floor of trust isn't there for open source to spring forward by leaps and bounds.
This whole "DHH situation" with Rails has put my mind in weird position. I admire the Rails creator, the business man, the speaker. I admire what he builds, how passionate he is about his work and open-source software. But I very strongly disagree with his vision of immigration, nationalism, parenting, well most of his vision of society.
I was made aware about these opinions because people talked about it. Thanks to these people, I read and listen to him with more nuance, more critical thinking. That does not necessarily mean I would discard Rails, cancel the dude or write shit about him, but that surely means that I will be more careful about how the opinions of this 1 person could impact mine, the ecosystem I work with and the larger ecosystem I live in that is society.
This situation is eerily similar to the Freenode takeover[1] and the subsequent formation of Libera Chat[2] a few years ago, even down to the political leanings of those behind the takeover. Except if the Freenode incident occurred today, there would be a vocal portion on HN vehemently siding with Freenode solely based on the perceived political affiliations of its owners. Submissions about Libera Chat would face heavy flagging, much like this one has.
It seems the Freenode team may have advanced their plans just a bit too early.
The most likely reason it was flagged from my perspective is that David Heinemeier Hansson (who created rails) is kind of the figurehead of this community and he has controversial opinions[1] which people believe make him unfit to represent their community. The controversy has manifested as people speaking out against DHH in his position. So this post seems to have been flagged for being "political" because it is seemingly in opposition to rubygems for the DHH reason.
0: https://hn.algolia.com/?dateRange=pastMonth&page=0&prefix=fa...
1: https://davidcel.is/articles/rails-needs-new-governance (this article has a lot of examples from DHH's blog)
Personally, I think the reason this post about gem.coop has been flagged is that we've reached the point at which new HN threads about things related to the recent RubyGems shake-up quickly devolve into people rehashing the DHH "aspect" of it all. So it has become less about flagging the actual target of the post and more about flagging the parts of the discussion that seem to go nowhere.
EDIT: expanded
Basically just a blog post from some guy aghast that DHH has different political opinions to him. I'm politically on the left too but I can't imagine getting so incensed about someone else having right-leaning views.
Do these people never leave the house to meet anyone outside their echo chamber? The mind boggles.
It was sparked after Ruby Central chose to platform an extremist figure prominently for their last RailsConf against the wishes of the sponsors, losing them a lot of sponsorship money, as well as community support.
That's entirely unsubstantiated.
This is so incredibly one-sided that it misleads more than it informs.
The person they are talking about is DHH. Inviting the creator of Rails to speak at RailsConf – a conference for Rails – is not the outlandish behaviour this comment makes it sound like.
It is said the underlying cause is that devs push rv which is threatening RubyGems.
There is a conversation around this which needs to be had. Maybe on bsky or x?