1Password developer/SDK docs now have first class LLM support!
developer.1password.com/docs/buildin...
I was inspired by @s.ly 's recent piece on Latent Space Engineering. I wanted to see if his observations also applied to the security domain.
What started as a small experiment turned into a full-blown agentic AI benchmark that I'm releasing as OSS at 1Password.
1password.github.io/SCAM/
Getting phished is both scary & humiliating, and with AI it's happening more often.
As we've said, the long-term answer is passkeys, but not everyone uses them. Today, 1Password is shipping a deceptively simple change that massively improves the situation for passwords.
1password.com/blog/as-ai-s...
Great news for all who depend on a Ruby ecosystem that's healthy and secure.
Good news for the Ruby ecosystem.
RubyGems now has the same governance as Ruby itself. Matz and Ruby Core as stewards.
If Ruby Core has authority over where gems (by default) install from, this alignment makes sense.
Viva la Ruby!
www.ruby-lang.org/en/news/2025...
The reason legal stuff is so important when first setting up entities is that that's when everyone is in alignment and there are smiles all around the table.
Once that’s gone, it turns into a knife fight and it becomes impossible. Now courts will need to ultimately litigate.
Let’s be clear: this post shows that operationally, this whole setup is a mess. You have creds all over the place, a confused OSS manager, and no clear-cut docs that establish clear ownership. No IT inventory.
Ruby Central and Ruby Together set this up to only work if everyone perfectly got along.
Arko in this post says he’s in control of a second 1Password account. One thing he should do is check if he’s the only owner. If he is, no one can evict him and regain the account.
IMO he should have disclosed this access to them in his original email, especially if it’s how he got AWS root access.
I got so excited thinking about banana splits that I typoed!
Congrats, I can’t eat banana splits nearly that fast, but I have a similar heart rate though.
Yep, I became a member last year and yes, I was at Rails World and spoke about passkeys.
A great start for Andre is to sign an affidavit attesting he didn’t abuse his access to the systems or retain any PII from that access, either during his contracted employment or afterwards. That would be a great start toward rebuilding trust.
Andre is entitled to have an IP dispute.
What I won’t do is watch silently as he erodes the public trust in the only legal entity capable of running all of Rubygems.[org] so that he has a monitor advantage in the IP dispute. That’s an existential threat to the Ruby community.
How do you know Andre didn’t use it? You continue to assert things you can’t possibly know. I truly hope he didn’t use it and I hope Ruby Central investigates to make sure.
I also hope he didn’t retain copies of any PII. Someone should look into that.
Literally the exact opposite of the definition of responsible disclosure.
I frankly do not care (and did not care) about GH repos. What I care about is Arko had (has?) access to prod systems with my PII in it after being terminated & didn’t responsibly disclose it by virtue of telling you.
This is all the evidence I need to know something is extremely wrong here.
If I left any company (fired or otherwise) and still had access to prod systems and told them and also told the press or social media about it I would rightfully be permanently unhirable.
I would NEVER do what he just did to my worst enemy. It’s just not done.
You are allowed to point it out and deal with the consequences when the full story comes out. It usually always does. You are placing your entire reputation in this community on the line based on incomplete info. Hope you know what you’re doing.
It is simply no longer relevant if Arko is right or not. The whole ecosystem is at risk and you are contributing to the risk.
If you are successful and Ruby Central can’t the service, who exactly wins?
Not anyone. Let’s get it functional and deal with this Arko thing when the stakes are lower.
This is a big deal. Ruby Central is running this service and if they fail to do so, it will have dire consequences that far eclipse the minor spat.
I speak for many when I say we need to get Ruby Central healthy. Them failing is a threat to the whole Ruby community.
I agree they should have locked him out right away. Them not doing so doesn’t prove they don’t think of him as a risk. It shows they aren’t prepared to do access revocation. They need help not mudslinging.
His actions of putting them on blast paint him unfavorably to in-the-know security folks.
> He emailed them to disclose that he still had access.
Yes and then he told you so you can be manipulated into covering it.
I agree it's not great that Ruby Central didn't revoke access. I wouldn't have a job if orgs got that right every time, let alone a resource constrained non-profit.
You have no way of knowing what Ruby Central knows about Arko. How could you possibly know they lied?
This settles it. Based on this blog post, I believe Ruby Central acted correctly in parting ways with Arko.
I'm eager to hear Ruby Central's side. Arko is not in charge of RubyGems[.]org. Him using the info of lingering access as a wedge to win in the court of public opinion is clear manipulation.
Clearly not always true, but it’s a good sign that you did something right.
How can you tell if non-tech leadership understood your tech idea? Their first questions are about patent status.
“Shine a flashlight into the soup. If the beam bends slightly, it’s properly seasoned.”
3 things I found are always true when making SaaS.
1. To know what you need to build, you must first build it.
2. A fast and cost-effective way to find and fix bad bugs is to ship them to production.
3. If you're nervous about deploying to production, the solution is to deploy more frequently.