Jan Lehnardt said it best in a Mastodon post: “What the f*** is going on with Ruby?”

What’s going on is the RubyGems community is upset after maintainers were kicked off the GitHub repository late last week. RubyGems are packages of reusable Ruby code and other components, used to add functionality to a Ruby project. They are the standard package manager for the Ruby language.

Earlier this month, Ruby Central replaced all maintainers with its Director of Open Source Marty Haught. Ruby Central is a non-profit organization committed to “driving innovation and building community within the Ruby programming ecosystem since 2001.” It also runs both RubyConf, the world’s largest Ruby conference, and RailsConf.

Community Safeguarding or Hostile Takeover?

If the goal is to build community, Ruby Central may have made a serious misstep. On Sept. 9, without explanation, an anonymous RubyGems maintainer renamed the RubyGems GitHub enterprise to Ruby Central, added Ruby Central’s Director of Open Source Marty Haught as a maintainer, and removed every other maintainer of the RubyGems project, according to maintainer Ellen Dash, aka Puppy or duckinator.

On Sept. 15, the anonymous maintainer said he/she restored the previous permissions after talking with Haught, who Dash reported had said the deletion was a mistake that “should never have happened.”

“The ‘restoration’ kept a notable change: Marty was now an owner of the GitHub enterprise,” Dash wrote. “The RubyGems team responded by immediately began putting in place an overdue official governance policy, inspired by Homebrew’s.”

But on Sept. 18, with no explanation, she wrote that Haught revoked GitHub organization membership for all admins on the RubyGems, Bundler and RubyGems.org maintainer teams.

“By doing this, he took control for himself and other full-time employees of Ruby Central,” Dash wrote in a goodbye to RubyGems post shared on social media.
“Later that day, after refusing to restore GitHub permissions, Ruby Central further revoked access to the bundler and rubygems-update gems on RubyGems.org.

“I will not mince words here: This was a hostile takeover.”

Ruby Non-Profit Cites Fiduciary Duty

On Sept. 19, Ruby Central posted an explanation for its actions, citing security concerns and related fiduciary duty as the driver for this decision.

“As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem,” stated the Ruby Central post, which is not credited to any individual.

“In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems,” it continued. “Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.”

Ruby Central also cited software supply chain attacks as requiring “proactive steps to safeguard the Ruby gem ecosystem end to end.”

Freedom Dumlao, a Ruby Central board member and CTO for Vestmark, also explained why security issues required the action.

“Ruby Central has been responsible for RubyGems and Bundler for a long time. This isn’t a new development, and I’m honestly very confused about the confusion,” he wrote. “What isn’t confusing is that supply chains are under attack. We can see this in recent attacks on RubyGems and also in major attacks on other ecosystems that have made global news. Companies that depend on Ruby count on Ruby Central to ensure they are not at risk.
Some of those companies are sponsors of Ruby Central and some are not, but all have a legitimate need to know that they can tell their users that the software they are using is safe.”

But the news hasn’t been well-received as Ruby developers took to social media and blogs to express their frustration and sometimes outrage with Ruby Central’s move.

Community Response to Ruby Central’s Actions

“‘Fiduciary responsibility’ is a hell of a euphemism for ‘we were offered millions of dollars from a hostile donor in exchange for control of the RubyGems infrastructure,’” Sam Stephenson, a Chicago-based developer, posted to Mastodon. He did not say who that hostile donor might be.