undefined | Better HN

0 pointssaghm5mo ago0 comments

> As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems.

It took less than two weeks from this statement for them to put out an incident report from them forgetting to change the password on the infrastructure they took from the previous maintainers. I can't say I'm shocked that this didn't actually result in people's confidence in their ability as steward to provide long-term stability for the ecosystem.

0 comments

jrochkind15mo ago

Ruby Central has been the entity responsible for the infrastructure hosting rubygems.org the entire time. Literally since the beginning of rubygems.org. Any hosting bills, contracts, or agreements are in the name of the Ruby Central corporation and always have been, as far as I know. Any "previous maintainers" were working as contractors or employees of Ruby Central, if they were working on infrastructure.

The (open source) source code for rubygems and bundler, the libraries that rubyists use in their apps to manage gem dependencies, are potentially another story.

But the infrastructure, to have passwords to it, for rubygems.org, has been Ruby Central since the beginning of rubygems.org without any break. I don't know why people receiving checks from Ruby Central as contractors would think they had a personal right above Ruby Central to the infrastructure that Ruby Central has been running since long before they received those checks. Them thinking they did is sketchy.

Again, the open source source code, I agree, is another matter with other considerations. It has had many maintainers and contributors over time, including periods where development was not coordinated by Ruby Central. And all the code is owned by it's authors, and licensed MIT-style. But you're talking about passwords to infrastructure...

the_hangman5mo ago

Genuine question: how do you take something which you have already been paying for?

They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager and logged in a few hours later and changed the root password to lock the legal owners out. Most of the community has turned on the maintainer who did that, it was extremely childish behaviour.

re5mo ago

> They removed other maintainers access to their AWS account, and one of them had allegedly taken a screenshot of the root password from a password manager

Inaccurate:

> Ruby Central also had not removed me as an “owner” of the Ruby Central GitHub Organization. They also had not rotated any of the credentials shared across the operational team using the RubyGems 1Password account.

> I believe Ruby Central confused themselves into thinking the “Ruby Central” 1Password account was used by operators, and they did revoke my access there. However, that 1Password account was not used by the open source team of RubyGems.org service operators. Instead, we used the “RubyGems” 1Password account, which was full of operational credentials. Ruby Central did not remove me from the “RubyGems” 1Password account, even as of today. https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

Ruby Central didn't realize that they hadn't actually revoked any access to the previous maintainers (and that they didn't have the updated root AWS credentials) until two weeks later when André notified them.

j / k navigate · click thread line to collapse