I finally got around to writing about the recent rubygems.org security improvements we've shipped!
blog.rubygems.org/2026/04/09/p...
Posts by Richard Schneeman
What's your network hardware look like these days?
> There are several posts in the reddit thread you linked from maintainers who say they have been asking to have access returned. In your view, are they lying?
I believe I have answered your question. I'm re-muting this thread.
It was evaluated. It was found to have a higher risk than presented and higher risk than the alternative, which was picked. I would have made the same assessment and choice.
I think it's disingenuous to present it as a 1-click operation (then) and to continue to represent it that way is misleading.
> Whilst a migration to a different org is not a one-click operation, it doesn't seem to be so hard that it couldn't be considered.
Agreed. No bad ideas. Brainstorming. Love that stuff. And Ruby Central did consider it...
If you’re being argumentative for its own sake, it’s not helpful. It’s fine to argue with my statements but please argue with the facts and opinions and not the delivery.
I’m engaging because your question about them, if they are lying or not about access, was a good one.
I’m too close to the details and have too much access to know what people are confused about. If your confusion is genuine and you want real information it’s helpful.
The code is open source. You don’t have to take Claude at its word.
No. It's not. I explained why I'm using an LLM in the gist.
You’re being pretty rude and seemingly not reading the things I’ve put quite a bit of time into. You don’t have to argue with everything I say.
Intentional or not, it’s not the whole truth. I will not advocate for moving Bundler away from Ruby core. I will not advocate for forking or giving them (gem coop) the RubyGems.org codebase or service.
Are they lying? Josef is seriously misrepresenting how viable moving code out of the org would have been gist.github.com/schneems/a6a.... Up until 2 weeks ago Andre was strongly asserting that the only connection between GH and prod access was ship it, which is not true gist.github.com/schneems/577....
They didn’t JUST ask for their access back. They demanded that Andre be given control over the business again and Marty kicked out, and demanded that Ruby Central can move orgs and fork the codebase. That was what Josef was advocating for when he says “Ruby Central wouldn’t give access back”.
A lot of this fracture has been about who you trust, because so much of the story was missing. It's good to hear more of Ruby Central's side (with timestamps and the full "I made a mistake" email)!
Props to @schneems.bsky.social for compiling this and adding context.
This is pretty much the main point of the report. I covered that in detail.
Agree to disagree. I don't think foundation access was the problem here. I reject their argument that Marty shouldn't have it. Had Marty had it to begin with, the situation would have been better... not worse.
Regarding the foundation holding admin access through individuals on behalf of the foundation: it wasn't an intended outcome, but I think it's a good safeguard (and would have made this a lot cleaner if true before). Keeping it is intentional.
Permanence of the removals wasn't a thing we can change without participation.
> oopsie we accidentally stole ownership of the repository
It's not in this timeline, but Bundler was moved to the Ruby org in October, following the initial suggestion from the committee from Sept 10.
Here's a reply that speaks to that desire for change www.reddit.com/r/ruby/comme...
If it was as easy as "there was a runaway bad actor internally" or something that could have prevented this I would have listed it. But I don't have evidence of anything that easy.
Weird it shows fine on the main post bsky.app/profile/ruby...
I think this might be a bug in bsky actually
Confirmed. Same. I think it’s an issue with Ghost.
I put lessons learned with suggestions. I’m interested in which of those you find compelling. I’m also open to other suggestions.
I previously wrote this on how you can hold me accountable in this work ruby.social/@Schneems/11....
Though I'll probably be slow to respond today.
I joined RubyCentral to release a postmortem, and today I'm delivering my report on what happened. The hope is to provide more transparency and closure, 194 days since the incident on September 18.
I've named the incident "RubyGems Fracture." Read my report. #ruby
rubycentral.org/news/rubygem...
If you're in town for SXSW, come to AustinSystems.org on the 18th! We've got two talks lined up: embedded Linux, and distributed consensus algorithms for syncing a group of motorcyclists by radio.
Cross posting my response ruby.social/@Schneems/11...
PS "this is bullshit" isn't what a reporter says when they find a new source with a new fact just because they don't like it. But a "reporter" definitely does.
If you want to help, Joel. Then help. If you want to report accurately, then report accurately. If you want to misrepresent, attack, threaten or silence, I cannot stop you. But don’t try to pretend it’s something else.
By not amplifying that (new to many) information, you are showing me either you already knew and chose not to mention it, or you didn’t and don’t feel it looks good for the team you chose. Instead you attack the messenger (me).
The big new info in the reddit comments (that you’ve neglected and not linked to) is that rubygems.org production access is directly tied to GitHub access. To offboard someone completely from prod, you need to touch GitHub.