People jumped to conclusions about this RubyGems thing
[TL;DR, Ruby Central has alleged that after he was notified that the board had voted to remove his production access to RubyGems.org, Andre Arko accessed the Ruby Central AWS account without authorization and proceeded to change the root password. 👇]
For context, last week I wrote a post bringing to light a number of things Andre Arko had said and done in the past as a way to provide some context. Context that might explain why any of the principal actors involved in the RubyGems maintainer crisis (summarized well up to that point by Emanuel Maiberg) would take such otherwise inexplicable actions and then fail to even attempt to explain them.
Today, Jean shed some light on Shopify's significant investments in Ruby and Rails open-source, and it actually paints a picture of corporate investment in open source done right. (Disclosure: I know and am friends with several people who work at Shopify on these teams, and unless they're all lying to me, they sure seem to prioritize their work based on what Ruby and Rails need, as opposed to what Shopify wants.) Jean went a step further by contrasting Shopify's approach with the perverse incentives at play when individuals or groups receive sponsorships to do open source. He also drew a pretty clear line of those incentives playing out based on how RubyGems and Bundler maintainers reacted to Shopify's feature submissions. Read the post, it's good.
But now, not an hour after reading Jean's post, Ruby Central has published a jaw-dropping tick-tock of the events that precipitated their decision to revoke maintainer access. Even more bizarrely, the only reason we're learning this information at all seems to be a self-own: that by publicly dunking on Ruby Central's failure to remove Andre's systems access—as opposed to properly disclosing the security breach—Joel Drapper and Andre inadvertently compelled Ruby Central to issue a post-mortem that lays out the facts we've all been clamoring for.
Seriously, just go read it yourself.
The Bad Part
On August 3, Ruby Central leadership became concerned there was a risk Andre might access and sell logs containing personally identifiable information from RubyGems.org servers. This concern was raised by Andre himself, who proposed it in an email:
Following these budget adjustments, Mr. Arko's consultancy, which had been receiving approximately $50,000 per year for providing the secondary on-call service, submitted a proposal offering to provide secondary on-call services at no cost in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII). The offer would have given Mr. Arko's consultancy access to that data, so that they could monetize it by analyzing access patterns and potentially sharing it with unrelated third-parties.
(The screenshot of Andre's email to Marty is in the post.)
So, according to Ruby Central, Andre was making $50k a year to fulfill a "rarely activated" role as secondary on-call, and when that budget was cut, he proposed harvesting PII and reselling it for his own profit. No mention that this might be unethical, much less in violation of RubyGems.org's privacy policy.
This led Ruby Central to go to work shoring up proper Operator Agreements and Contributor Agreements that could sufficiently defend against this kind of action. They decided to take the further step of temporarily revoking various accesses from multiple (most? all?) contributors until such protections were in place, which—as has been widely discussed—they didn't do a great job of explaining and did not even attempt to justify. Of course, now that we've seen this email and understand that Ruby Central probably didn't want to catch a defamation suit by naming and shaming Andre as the reason, it certainly casts the subsequent community outrage in a different light.
Suddenly, that Shopify's leadership undertook a bizarre corporate conspiracy to withhold sponsorship dollars if Ruby Central didn't mass revoke maintainer access isn't the simplest explanation for why things might have gone down the way they did.
The Somehow Even Worse Part
But wait, there's more. Joel's post identifying that Andre still had systems access not only represented a security incident, it connected the dots Ruby Central would need to affirmatively identify an unauthorized actor who had accessed and changed credentials on their AWS account.
On September 18th, Ruby Central notifies Andre that they're revoking his access:
Ruby Central notifies Mr. Arko, via email, of the board's decision to remove his RubyGems.org production access, and the termination of his on-call services. During that transition, our teams remove the AWS security credentials belonging to Mr. Arko for accessing the production systems, but we fail to rotate the AWS root account password in tandem.
Not eight hours later, a mysterious stranger in San Francisco (who Ruby Central asserts is Andre) logs in as the root user of Ruby Central's AWS account and changes the password. Ten days later, another mysterious stranger in Tokyo (who is apparently also Andre) logs in as root again.
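As an added example (not from Ruby Central's post-mortem or from this post), here is a small Python check over CloudTrail records for exactly the gap the timeline describes: a person's IAM credentials are removed, the root password is not rotated in tandem, and root-user console activity continues afterward. The `SAMPLE_TRAIL` records, timestamps and IP addresses are constructed; `ConsoleLogin` and `PasswordUpdated` are the CloudTrail event names for root console sign-ins and password changes.

```python
from datetime import datetime, timezone

# Console events that CloudTrail records for the root user (eventSource signin.amazonaws.com).
ROOT_CONSOLE_EVENTS = {"ConsoleLogin", "PasswordUpdated"}

def parse_event_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2025-09-18T21:30:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def root_activity_after(records, revoked_at):
    """Root console logins and password changes at or after revoked_at, oldest first."""
    cutoff = parse_event_time(revoked_at)
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue  # IAM users and roles are covered by normal credential removal
        name = rec.get("eventName")
        if name not in ROOT_CONSOLE_EVENTS:
            continue
        when = parse_event_time(rec["eventTime"])
        if when < cutoff:
            continue
        outcome = (rec.get("responseElements") or {}).get(name)
        findings.append({
            "event": name, "time": rec["eventTime"], "ip": rec.get("sourceIPAddress"),
            "success": outcome == "Success",
            "hours_after_revocation": round((when - cutoff).total_seconds() / 3600, 1),
        })
    return sorted(findings, key=lambda f: f["time"])

def root_exposure_hours(records, revoked_at):
    """Hours from revocation to the first successful root login, or None; any number means the root password stayed usable."""
    for f in root_activity_after(records, revoked_at):
        if f["event"] == "ConsoleLogin" and f["success"]:
            return f["hours_after_revocation"]
    return None

# Constructed sample trail (made-up timestamps; IPs taken from documentation ranges).
SAMPLE_TRAIL = [
    {"eventTime": "2025-09-18T13:00:00Z", "eventName": "DeleteAccessKey", "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "192.0.2.10", "responseElements": None},
    {"eventTime": "2025-09-18T21:30:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-09-18T21:32:00Z", "eventName": "PasswordUpdated", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"PasswordUpdated": "Success"}},
    {"eventTime": "2025-09-28T09:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"}},
]

if __name__ == "__main__":  # run stand-alone against the constructed trail
    for finding in root_activity_after(SAMPLE_TRAIL, "2025-09-18T14:00:00Z"):
        print(finding)
    print("hours until first root login:", root_exposure_hours(SAMPLE_TRAIL, "2025-09-18T14:00:00Z"))
```

The same check applied to a real trail export would flag any root sign-in that lands between an offboarding and the root password rotation, which is the window an offboarding runbook should close before the notification email goes out.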
I'm no lawyer, but that timeline could implicate the Computer Fraud and Abuse Act. That'd be incredible enough on its own, were it not for the fact he may have done it again in Tokyo—meaning he might have exposed himself to Japan's own statutes governing unauthorized computer access.
I'm not here to gloat, I'm here to plead with People On The Internet who rushed to judgment against Ruby Central or in defense of Andre to learn from this situation. The next time a story hits that rhymes with the basic outline of your prior convictions or political beliefs, pause and weigh the evidence before grabbing the nearest pitchfork and joining the mob. Sometimes that means—and I realize this is hard for some of us—not posting anything at all.
That said, I am formally accepting apologies from anyone who dismissed my previous post as "hearsay" or a "hit job" on Reddit, Hacker News, Bluesky, and Mastodon. (The X folks were mostly into it, a fact which brings me no joy.)