To put my cards on the table: RubyGems.org seems plenty trustworthy to me. They seem to be shitty at communication, but locking down production access to systems in light of the state of supply chain attacks in 2025 is the kind of thing that reduces the risk of rogue repo-level activity.

But to your comment: I'm not arguing the same, I'm arguing that the results are the same. If I'm consuming packages from a repo, and I care about the security of the thing I'm running, I need to think about how I know I'm getting legitimate code that does what I expect it to do. One of the risks to that is malicious developers at the package level (either outright malicious or stolen publish credentials). Another is malicious substitution by the package repo. The detection strategies and next steps are different but as a consumer of code, bad code is a risk regardless of who injects it.

My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there's plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.

Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.

Nothing here instills trust or makes me want to learn more.

https://register.coop/

https://register.coop/services/

I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.

It's one of those "attractive distractions" that us nerds like to bikeshed over.

Honestly, after "tweet" caught on as a verb, I've given up on thinking that we have any sort of crystal ball when it comes to names.

Maybe they read it like “coup”?