Ruby Central, the non-profit that recently seized some Ruby open source tools from maintainers, is transferring the repository ownership of RubyGems and Bundler to the Ruby core team. The move appears to be an attempt to mollify the Ruby community following a divisive power grab, but it does not restore the control of those tools to the maintainers who previously oversaw them.
In a blog post on Friday, Ruby creator Yukihiro Matsumoto, a.k.a. Matz, announced that the Ruby core team – the group responsible for the Ruby language – will take over the repository ownership of RubyGems and Bundler. These are essential Ruby tools that, unlike other important components, were developed outside the Ruby organization on GitHub.
“To provide the community with long-term stability and continuity, the Ruby core team, led by Matz, has decided to assume stewardship of these projects from Ruby Central,” Matsumoto wrote. “We will continue their development in close collaboration with Ruby Central and the broader community.”
The kerfuffle started last month when Hiroshi Shibata, a member of the Ruby core team and maintainer of RubyGems, renamed the RubyGems GitHub enterprise “Ruby Central” – the name of a non-profit that oversees Ruby conferences and sponsors projects. He also added Ruby Central’s director of open source Marty Haught as a RubyGems owner. And the admin rights of other maintainers were revoked.
Debate and backtracking followed, but when the smoke cleared, Haught and Ruby Central had ousted the admins on the RubyGems and Bundler teams from the GitHub organization where those projects were based.
Ruby Central defended the takeover as an effort to improve the Ruby governance process. “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed,” the organization said.
But software developer Joel Drapper challenged that narrative in a lengthy blog post, saying that Ruby Central overstepped its bounds because it never owned the RubyGems GitHub repositories.
Drapper claims Ruby Central was short on funds after losing a $250,000 sponsorship because it had included politically polarizing Rails creator David Heinemeier Hansson (DHH) at RailsConf 2025. According to Drapper, Ruby Central became financially dependent upon Shopify, which uses the Rails framework. He claims that Shopify – where DHH is a board member – made demands.
“Shopify,” Drapper wrote, “demanded that Ruby Central take full control of the RubyGems GitHub repositories and the bundler and rubygems-update gems, threatening to withdraw funding if Ruby Central did not comply.”
Shopify did not immediately respond to a request for comment.
Since the schism, RubyGems maintainer Ellen Dash has resigned from Ruby Central, some community members have called to fork Rails, and there’s now an alternative source of Ruby gems (packages) known as gem.coop.
In his Friday blog post, Matsumoto said that the Ruby core team will manage the disputed repos for the sake of stability, but Ruby Central will play a joint management role. The software licenses of RubyGems and Bundler will remain unchanged and contributors will retain their copyright and authorship of contributed code.
Ruby Central published a similar statement: “This decision reflects our shared commitment to the long-term stability and growth of the Ruby ecosystem.”
A hostile takeover
While some in the Ruby community have welcomed Ruby Central’s partial delegation of authority to Ruby core, the move still doesn’t address how Ruby Central came to control RubyGems and Bundler in the first place.
In a phone interview with The Register, Drapper pointed out the core issue: People who have been working on these projects for over a decade were kicked out of the projects they oversaw.
“I can’t see it as anything other than a hostile takeover,” he said.
Asked whether the Ruby community will accept this outcome, Drapper said he thinks a lot of people just want peace. But he sees a missed opportunity to bring the community together.
“Had Ruby Central just come to the table and talked to the maintainers, they could have reached this conclusion neutrally, as a blessed path,” he said. “I think they would have come to that compromise and it would have been so healing for the community.”
But Drapper says he talked to a number of former maintainers who said Ruby Central made no effort to involve them.
“Several people specifically tried to reach out to Ruby Central and get these two groups talking to each other to see if there would be any way, and they’ve just been completely hostile to that,” he said.
“It’s such a shame that they did it this way and they didn’t involve the maintainers because it sets such a horrible precedent,” Drapper continued. “You do all this open source work, and someone can just come along and take it from you, and there’s no recourse.”
To make matters worse, Drapper said, an attorney for Ruby Central accused one of the maintainers of a federal computer crime for “hacking” Ruby Central’s AWS account.
The maintainer, André Arko, has published a lengthy rebuttal of that allegation, stating that Ruby Central failed to secure its AWS root credentials for almost two weeks and only learned about its failure because he informed the group. The only “hacking,” he says, is that Ruby Central forgot to remove Arko as an owner of the Ruby Central GitHub Organization and failed to rotate credentials shared through the RubyGems 1Password account.
Pointing to Ruby Central’s postmortem of the incident, Drapper said, “I’ve never seen anything like it from any professional organization, let alone a non-profit that’s meant to be working on behalf of the community.” ®