Martin Emde

@martinemde.com.bsky.social

Modularity @ Gusto, Rubyist

188 Followers  |  67 Following  |  206 Posts  |  Joined: 18.11.2024

Latest posts by martinemde.com on Bluesky

A screenshot showing `jim release` building a "packed" gem, building a normal gem, and uploading them both to GitHub Releases.

!!! `jim release` can now:

1. build itself as a .gem,
2. pack itself into a single-file script,
3. publish both of these to GitHub Releases

Try out the packed `jim.rb` file. It should be completely self-contained:

github.com/duckinator/j...

30.10.2025 00:17 — 👍 16    🔁 2    💬 1    📌 0

You might say the reason they needed to do a switch atomically is because someone said "if you remove him I'll add him back."

If someone says that to you, does that make it right to respond by using your power to move first to do it by force so you don't have to answer the concerns being expressed?

01.11.2025 16:11 — 👍 4    🔁 0    💬 0    📌 0

You know… Ruby Central's takeover of rubygems GitHub org ONLY worked because it could be executed within seconds, and by doing so, prevent the possibility of revert.

If the ownership change was a PR it would never have been approved.

If RC is "right", why did they need the atomic switch?

01.11.2025 16:09 — 👍 8    🔁 3    💬 1    📌 0
Slippery Zips and Sticky Tar Pits: Securing Software Archives in Python Learn how the Python Software Foundation is improving archive security in a new white paper by Seth Larson, sponsored by Alpha-Omega. Explore how ZIP and tar vulnerabilities impact software supply cha...

Read the new white paper by @sethmlarson.dev about the challenges and vulnerabilities caused by package repository archive formats. alpha-omega.dev/blog/slipper...

29.10.2025 15:30 — 👍 2    🔁 0    💬 0    📌 0

I have also had this problem. It is very inconsistent. Maybe this is why.

29.10.2025 14:35 — 👍 0    🔁 0    💬 0    📌 0
Open Infrastructure is Not Free: PyPI, the Python Software Foundation, and Sustainability In September, the Python Software Foundation (PSF) co-signed the Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship Letter published by the Open Source Security Foundation (OpenSSF) as a steward of the Python Package Index (PyPI). As a follow up, I would like to share a bit more about the concerns expressed in this letter as they relate to our community and the PSF.

PyPI serves billions of requests daily, but sustaining it isn't free. The PSF joined the OpenSSF & others in calling for organizations to invest in sustainable open infrastructure. Learn what this means for #PyPI, the PSF, & how our community can pitch in:

29.10.2025 13:11 — 👍 53    🔁 15    💬 0    📌 1

@sethmlarson.dev and I went through months of intense, complex work to climb a steep and slippery learning curve, only to be stopped short at the very end by a hard ethical line we couldn't cross—it was gut-wrenching.

I'm proud of what we did and I'm proud of what we didn't do.

27.10.2025 15:00 — 👍 55    🔁 14    💬 4    📌 1
Rocky Mountain Ruby 2025 - We Who Remember Magic by Brandon Weaver (YouTube video by Confreaks)

www.youtube.com/watch?v=IQQt...

My keynote, "We Who Remember Magic", from Rocky Mountain Ruby just posted.

26.10.2025 05:50 — 👍 20    🔁 5    💬 1    📌 2
The PSF has withdrawn a $1.5 million proposal to US government grant program

Python Software Foundation had to make a tough choice here. I applaud them for sticking to their values. Thanks for your leadership in this space @python.org pyfound.blogspot.com/2025/10/NSF-...

27.10.2025 16:59 — 👍 14    🔁 1    💬 0    📌 0

Funny you should bring this up! I know some people that work on ruby packaging. I wonder if they need any help.

26.10.2025 06:32 — 👍 2    🔁 0    💬 0    📌 0
We want Ruby to move forward - Martin Emde

Let's move Ruby forward. martinemde.com/2025/10/25/m...

26.10.2025 05:34 — 👍 38    🔁 8    💬 2    📌 0
We want to move Ruby forward On September 9, without warning, Ruby Central kicked out the maintainers who have cared for Bundler and RubyGems for over a decade. Ruby Central made these changes against the established project poli...

the former maintainers of Bundler and RubyGems have a proposal: we want to move Ruby forward andre.arko.net/2025/10/26/w...

26.10.2025 04:45 — 👍 134    🔁 52    💬 3    📌 0

One takeaway is that the open source world is an amazing place! It's marvelous how well this usually works. This is distributed trust at scale via education and support (rather than control). All the work to help people learn security and provide best practices mostly seems to work. Wonderful!

26.10.2025 00:03 — 👍 4    🔁 2    💬 0    📌 1

Companies should scan their open source. Full adoption of trusted publishing could have foiled NPM's Shai-Hulud. Fighting about shared ownership models is horribly destructive when it makes the people who understand these problems leave. That's the real security vulnerability.

25.10.2025 23:49 — 👍 3    🔁 1    💬 1    📌 0

If all you need to make your supply chain secure is CLAs for devs and a non-profit administrative staff holding keys to the world, remember that most package managers still run untrusted code on install, packages go live with minimal scanning, and best practice publishing security adoption is low.

25.10.2025 23:45 — 👍 4    🔁 1    💬 1    📌 0

You might wonder, "how can a group of friends be sufficient for global enterprise software supply chain security?" The answer for me is that these people were there BECAUSE it was so important. RubyGems.org has had no major outage in 14 years. This is not a fluke.

25.10.2025 23:38 — 👍 8    🔁 1    💬 1    📌 0

Malicious compliance

25.10.2025 18:49 — 👍 4    🔁 0    💬 0    📌 0

Updating my LEGO White House

23.10.2025 02:51 — 👍 47376    🔁 11121    💬 784    📌 438

To the mild insult, sorry again. It's tricky to say "I disagree slightly and wish to present a different perspective on a complex issue that has many different sides". Well, not that difficult, I just said it there but I shortcutted significantly the first time. I appreciate you accepting my apology

25.10.2025 16:43 — 👍 1    🔁 0    💬 0    📌 0

I see no way around it. We're in a gray world of questionable characters that usually do the right thing and sometimes act in their own best interest despite the damage. I don't know what else to do besides hope. Rubygems maintainers had a great thing going here. Imperfect yes, but honest.

25.10.2025 16:41 — 👍 2    🔁 0    💬 1    📌 0

Also, I'm sorry. It seems like my way of saying "it's confusing" did sound a bit like I was saying you were confused. It was not my intention. My goal is to give more nuance to a complex situation given all I know and to relate that it is difficult to know every conflicting detail.

25.10.2025 16:15 — 👍 1    🔁 0    💬 1    📌 0

The blame is squarely on Ruby Central here. None of this was necessary. If they wanted to assume more responsibility for their infrastructure they should have asked and we would have helped. The GitHub org only needed a few hours of work to fully separate infrastructural code.

25.10.2025 16:08 — 👍 2    🔁 0    💬 1    📌 0

I'm holding out hope that Ruby Core made a simple oversight. The Ruby Core maintainer restored us. I'm not ready to assign blame on that yet. This is the conciliatory stance I want to take with Ruby Core to heal until I'm proven otherwise.

25.10.2025 16:05 — 👍 3    🔁 0    💬 1    📌 0

I'd sponsor that podcast.

25.10.2025 15:10 — 👍 1    🔁 0    💬 0    📌 0

The team that managed rubygems was formed by building social connections with people that cared enough to work on rubygems in their free time. It is at its core a trust based team of equals. This is why corporate takeovers that take advantage of that trust hurt so much. Trust is all we had.

25.10.2025 14:47 — 👍 14    🔁 2    💬 1    📌 0

I know it's a bit confusing, but I wouldn't say that Ruby core is part of the problem. I think they are reasonable, they did what they could to support the community given the situation. Ruby Core cares about Ruby and cares about OSS developers.

25.10.2025 14:32 — 👍 1    🔁 0    💬 1    📌 0

I'll clarify that RC paying for labor is only partial, recently, and for a portion of the engineering time and people. Most work was done for free on personal time or company time. RC is more of a fiscal host for contributions to rubygems than a company managing the service. They do conferences.

25.10.2025 14:14 — 👍 9    🔁 0    💬 1    📌 0

By this I mean to clarify that there never has been some sort of "Ruby Central team that manages rubygems.org and understands how it deploys." This is much more like public land, gifted by AWS and Fastly, on which outside maintainers build rubygems.org using their own accounts and RC paid for labor.

25.10.2025 14:08 — 👍 8    🔁 0    💬 1    📌 0
Jamie Writes Words

Jamie Gaskins wrote a great piece explaining how shipit, the code that deploys rubygems.org, works and why a fork would have been fine. The one thing I would add is that there is no Ruby Central institutional knowledge. There were and are only outside rubygems maintainers jgaskins.blog/ruby-central...

25.10.2025 14:03 — 👍 9    🔁 3    💬 1    📌 0

The hard part I think would be the index. You'd need an index per gem with a BitTorrent address and a checksum, maybe, you'd need to build a chain … we're just building crypto.

25.10.2025 07:11 — 👍 0    🔁 0    💬 0    📌 0
