I never used to reach out to touch my MacBook screen after using my iPad, but because each 26 OS looks so similar, I'm doing it all the time now.
All according to keikaku.
Post-recording update: As I've been lobbying for (both publicly and behind the scenes), it has been announced that the RubyGems and Bundler client libraries are being transferred to Matz and the Ruby core team.
Mike McQuaid (of Homebrew fame) and I scheduled this episode of Hot Fix a week before the Ruby community exploded. Hot Fix is all about getting spicy, but even we were a little wary of the heat in that particular kitchen. The problem Mike brought to the table is the same one he's always on about: open source is not a career. Incidentally, Mike's favorite topic also happens to be relevant to the latest RubyGems controversy—because it all boils down to paying people to work on open source.
Not content to miss out on the fun, Jerod from The Changelog asked if he could join and discuss the ongoing Ruby drama as a group. So we decided to team up and do a collab episode—call it Breaking Changelog, I guess? It's nothing if not efficient: record once, edit twice, and syndicate everywhere.
If you don't mind swear words, listen to this version. If you don't like swearing, what the fuck are you doing here? (But seriously, you can listen to their edit if you want!)
Please send your compliments to podcast@searls.co and your complaints to editors@changelog.com.
"This is just proof that Matz is in bed with the fascists!" said somebody on Bluesky, I'm sure.
To be clear, this is an unmitigated GOOD THING and is a decade overdue IMNSHO. ruby-lang.org/en/news/2025/10/17/rubygems-repository-transition/
Holy shit, a thing I made in college has a Wikipedia page?! And no one told me?! en.wikipedia.org/wiki/KnightCite
Ruby is 30 years old, there's so much left to solve that it'd be too much to ask them to finally add support for naming methods with an interrobang. (I would accept either this?! or that‽)
I'm serious! Have you never seen a predicate method with a side effect?!
Genuinely curious how long it will be until we have our first local LLM-based computer virus that generates code and uses tools to creatively replicate itself.
I'm two weeks behind on the newsletter, so I was trying to be responsible by resisting the urge to document the success I've had with my current coding agent setup. My self-restraint has paid off, as Peter Steinberger essentially wrote the exact post I was planning to write.
There's lots of good nuggets in here, and it's uncanny how many I agree with:
- I also use Codex CLI (well, this fork) on a $200 ChatGPT Pro plan. Claude Code was an epiphany, but their models are overrated for the task, whereas GPT 5's variants are more adherent and diligent across the board. OpenAI's usage limits are virtually infinite by comparison, too
- I run 3-6 agents in parallel (usually up to 3 per project and up to 2 projects at a time). Unlike Peter, it's rare I let two agents edit the same codebase simultaneously. GPT 5's "medium" reasoning setting is so fast that the time-consuming activities are brainstorming, researching, unearthing technical debt, and planning refactors
- While git worktrees are a very cool feature, they dramatically slow down code integration with merge conflicts. Additionally, I've found it's hard to avoid API and port conflicts when running numerous development instances simultaneously. And when an environment stops working, agents will silently start coding based on speculation and conjecture. Fast feedback through observable execution of code is the single most important thing, so the risk isn't worth the (marginal) reward
- Hooks, custom commands, and fancy hacks like coder's undocumented auto-drive mode are nice, but they're no replacement for thinking really hard about what you want
But really, the reason I've had so much success with Codex in comparison to Claude is that if you get off your ass and do the hard thinking necessary to arrive at an extremely crisp and well-informed articulation of what you want, why you want it, and what obstacles it will face, today's agents will generally do a really good job.
Oh, and fuck prompt engineering, just communicate better. As Peter says:
Don't waste your time on stuff like RAG, subagents, Agents 2.0 or other things that are mostly just charade. Just talk to it. Play with it. Develop intuition. The more you work with agents, the better your results will be.
I've started a dozen posts about working with coding agents that I deleted before publishing, because I eventually realized whatever insight I had could just as easily apply to dealing with human colleagues as with LLM agents. Seriously, just talk to it like a human.
Common communication failure modes:
- Telling the agent how to do the work instead of answering why, what, and where, and then getting upset when the ultimate solution manages to complete all the hyper-specific tasks I defined while failing to solve the broader problem
- Giving the agent instructions that contradicted the facts on the ground, only for the agent to spin its wheels endlessly and make a huge mess trying to do the impossible
- Lazily hand-waving away important requirements, only for the agent to miss edge cases it lacked awareness of
- Telling it what I want before I'd really thought things through, then hating whatever it gave me
- Failing to first deal with underlying technical debt, then getting mad when the agent shoehorns in a necessarily-messy solution on top
- Getting frustrated, being condescending, or treating the agent like it's my underling, and then peeking at its reasoning log and seeing 80% of its thoughts are about managing my emotional state and 20% about the problem at hand
I'm more convinced than ever that when people are having a bad time with using AI to write code, it's not only due to ignorance and incompetence surrounding the tools themselves—just as often, it's a failure of imagination and lack of communication skills. Two things that even the best programmers frequently lack. If you're a programmer who's bad at communicating with humans, I hope you've got some other plan for making money in the next decade.
Anyway, that's where things stand in October. June feels like three years ago, so we'll see where we are in February, I guess.
A nonzero number of programmers under 30 assume GraphQL is a legacy technology invented by Texas Instruments in the 90s and had something to do with graphing calculators.
When coding agents fail to accomplish what we task them with, very often it's because the codebase has complications we failed to anticipate and communicate. It's easy to get mad at the AI, but reckoning with technical debt requires your awareness and involvement, too.
After a fabulously productive weekend with Codex CLI shipping a set of features that would have taken me two weeks, it is now past 9 AM on a weekday in San Francisco and it's struggling to add two numbers together again. What a world.
✅ Active on weekends
A recruiter sent me this screenshot of some kind of GitHub profile scraper. Aside from naming me as a "top 1%" JavaScript developer (which I'm not sure is a compliment or a threat…), I just couldn't get over the "active on weekends" checkmark.
Lady, on weekends I charge double. 🤌
The joy I get out of programming has slowly waned over the years, because most interesting problems are now "solved" via standard libraries, open-source dependencies, and HTTP APIs. Novel problem solving gradually gave way to "digital pipefitting" of stuff built by others.
When I work late or long hours coding something, it is expressly NOT because I enjoy it. It's because I can't stomach the thought of wasting another day of my life on this shit.
Best reason to use Codex CLI over Claude Code is the limits. I've been HAMMERING gpt-5-high for >8 hours/day all week. It's the last day of the week and I haven't hit 35% of the weekly limit.
If I'd paid the same $200/mo for Claude, I'd have been locked out by day 2.
A cruel irony of coding agents is that everyone who blew off automated testing for the past 20 years is now telling the AI to do TDD all the time.
But because LLMs were trained on decades of their shitty tests, the agents are also terrible at testing.
When working with a coding agent, a great periodic housekeeping task is to ask it to evaluate the codebase against the principles and values you've laid out in your CLAUDE/AGENTS/RULES files.
Agents frequently violate one's rules while coding, but will also spot those deviations after the fact if asked.
lol I thought Codex CLI misspelled a field, but nope: TikTok actually misspelled "publicaly_available_post_id" in their API developers.tiktok.com/doc/content-posting-api-reference-get-video-status
TikTok for Developers
Have now received multiple apology emails from people who called my previous post a "hit job." First time for everything. justin.searls.co/links/2025-10-09-people-jumped-to-conclusions-about-this-rubygems-thing/
People jumped to conclusions about this RubyGems thing | justin․searls․co
[TL;DR, Ruby Central has alleged that after he was notified that the board had voted to remove his production access to RubyGems.org, André Arko accessed the Ruby Central AWS account without authorization and proceeded to change the root password. 👇]
For context, last week I wrote a post bringing to light a number of things André Arko had said and done in the past as a way to provide some context. Context that might explain why any of the principal actors involved in the RubyGems maintainer crisis (summarized well up to that point by Emanuel Maiberg) would take such otherwise inexplicable actions and then fail to even attempt to explain them.
Today, Jean shed some light on Shopify's significant investments in Ruby and Rails open-source, and it actually paints a picture of corporate investment in open source done right. (Disclosure: I know and am friends with several people who work at Shopify on these teams, and unless they're all lying to me, they sure seem to prioritize their work based on what Ruby and Rails need, as opposed to what Shopify wants.) Jean went a step further by contrasting Shopify's approach with the perverse incentives at play when individuals or groups receive sponsorships to do open source. He also drew a pretty clear line of those incentives playing out based on how RubyGems and Bundler maintainers reacted to Shopify's feature submissions. Read the post, it's good.
But now, not an hour after reading Jean's post, Ruby Central has published a jaw-dropping tick tock of the events that precipitated their decision to revoke maintainer access. Even more bizarrely, the only reason we're learning this information at all seems to be a self-own: that by publicly dunking on Ruby Central's failure to remove André's systems access—as opposed to properly disclosing the security breach—Joel Drapper and André inadvertently compelled Ruby Central to issue a post-mortem that lays out the facts we've all been clamoring for.
Seriously, just go read it yourself.
The Bad Part
On August 3, Ruby Central leadership became concerned there was a risk André might access and sell logs containing personally identifiable information from RubyGems.org servers. This concern was raised by André himself, who proposed it in an email:
Following these budget adjustments, Mr. Arko's consultancy, which had been receiving approximately $50,000 per year for providing the secondary on-call service, submitted a proposal offering to provide secondary on-call services at no cost in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII). The offer would have given Mr. Arko's consultancy access to that data, so that they could monetize it by analyzing access patterns and potentially sharing it with unrelated third-parties.
(The screenshot of André's email to Marty is in the post.)
So, according to Ruby Central, André was making $50k a year to fulfill a "rarely activated" role as secondary on-call, and when that budget was cut, he proposed harvesting PII and reselling it for his own profit. No mention that this might be unethical, much less in violation of RubyGems.org's privacy policy.
This led Ruby Central to go to work shoring up proper Operator Agreements and Contributor Agreements that could sufficiently defend against this kind of action. They decided to take the further step of temporarily revoking various accesses from multiple (most? all?) contributors until such protections were in place, which—as has been widely discussed—they didn't do a great job of explaining and did not even attempt to justify. Of course, now that we've seen this email and understanding that Ruby Central probably didn't want to catch a defamation suit by naming and shaming André as the reason, it certainly casts the subsequent community outrage in a different light.
Suddenly, that Shopify's leadership undertook a bizarre corporate conspiracy to withhold sponsorship dollars if Ruby Central didn't mass revoke maintainer access isn't the simplest explanation for why things might have gone down the way they did.
The Somehow Even Worse Part
But wait, there's more. Joel's post identifying that André still had systems access not only represented a security incident, it connected the dots Ruby Central would need to affirmatively identify an unauthorized actor who had accessed and changed credentials on their AWS account.
On September 18th, Ruby Central notifies they're revoking André's access:
Ruby Central notifies Mr. Arko, via email, of the board's decision to remove his RubyGems.org production access, and the termination of his on-call services. During that transition, our teams remove the AWS security credentials belonging to Mr. Arko for accessing the production systems, but we fail to rotate the AWS root account password in tandem.
Not eight hours later, a mysterious stranger in San Francisco (who Ruby Central asserts is André) logs in as the root user of Ruby Central's AWS account and changes the password. Ten days later, another mysterious stranger in Tokyo (who is apparently also André) logs in as root again.
I'm no lawyer, but that timeline could implicate the Computer Fraud and Abuse Act. That'd be incredible enough on its own, were it not for the fact he may have done it again in Tokyo—meaning he might have exposed himself to Japan's own statutes governing unauthorized computer access.
I'm not here to gloat, I'm here to plead with People On The Internet who rushed to judgment against Ruby Central or in defense of André to learn from this situation. The next time a story hits that rhymes with the basic outline of your prior convictions or political beliefs, pause and weigh the evidence before grabbing the nearest pitchfork and joining the mob. Sometimes that means—and I realize this is hard for some of us—not posting anything at all.
That said, I am formally accepting apologies from anyone who dismissed my previous post as "hearsay" or a "hit job" on Reddit, Hacker News, Bluesky, and Mastodon. (The X folks were mostly into it, a fact which brings me no joy.)