Sarah Gooding
October 14, 2025
Ruby Central’s effort to clarify the circumstances of September’s AWS root-access lapse has sparked renewed controversy across the Ruby community. The organization published a detailed incident timeline and a “Source of Truth” update describing the event as a procedural failure in credential management, but the report’s framing has drawn sharp criticism from former maintainers. Several of those maintainers are now leading The Gem Cooperative, the new community-run mirror of RubyGems that Socket covered on October 5: “Gem Cooperative Emerges as a Community-Run Alternative to RubyGems.org.”
On October 9, Ruby Central released a comprehensive Security Incident Report covering what it calls the “Rubygems.org AWS Root Access Event – September 2025.” The document describes a series of access changes and missteps that left a former maintainer with root credentials to the organization’s AWS account after their production permissions had been revoked. Ruby Central says the lapse was discovered on September 30 and remediated the same day, with no evidence of compromised data or downtime.
According to the timeline, the AWS root password was changed by an unauthorized actor on September 19, and used again from IP addresses in California and Japan before control was regained. Ruby Central attributes the incident to two failures: neglecting to rotate shared credentials after personnel changes, and not anticipating that an individual might retain a copy of those credentials outside the organization’s password vault.
The following day’s Source of Truth update reiterated that RubyGems remains secure and fully operational. It announced the rotation of all credentials, the addition of two new maintainers to the on-call roster, and a new Corporate Contributor Stewardship Program inviting companies to donate engineering time toward infrastructure and security tasks.
The update also disclosed that on September 26, Ruby Central received a cease-and-desist letter from former maintainer André Arko asserting ownership of the Bundler trademark. Ruby Central says it disputes the claim and has engaged counsel, noting that the legal process has delayed plans for a live Q&A session.
Hours after Ruby Central’s post went live, Arko published a detailed rebuttal titled “The RubyGems ‘security incident’,” calling the report “extremely concerning” and “misleading.” He said his actions were taken in good faith while serving as the primary on-call engineer during a period of contradictory communication from Ruby Central’s leadership.
“Worried about the possibility of hacked accounts or some sort of social engineering, I took action as the primary on-call engineer to lock down the AWS account and prevent any actions by possible attackers,” Arko wrote. “I did not alter, or try to alter, anything in the Ruby Central systems after that.”
Arko published the full text of his September 30 email to Ruby Central, in which he disclosed continued access to AWS root credentials and DataDog monitoring. He said the message went unanswered for three days, during which Ruby Central instead sent a legal notice to his attorney alleging unauthorized access. He denied seeking or handling any personally identifiable information and accused the organization of misrepresenting his motives.
The same email thread appears in Ruby Central’s Source of Truth post, which it says will be released in full “to ensure that the community has the full and accurate picture.” The screenshot confirms that Arko’s disclosure was sent twelve days after Ruby Central informed him his production access had been revoked, which illustrates the communication breakdown at the center of the dispute.
On Bluesky and other social platforms, maintainers and Ruby developers reacted strongly to Ruby Central’s timeline. Many described the post as heavy-handed or damaging to trust.
Ruby Central’s framing of the incident drew swift and vocal criticism across developer networks. Some described the organization as “clownish” and accused it of turning a procedural failure into a smear campaign against the former maintainer. Others called the report “astoundingly irresponsible” in response to a security disclosure.
A number of maintainers argued that the episode reinforced deeper governance issues, saying it demonstrated how fragile community trust had become after the sudden revocation of access in September. Even developers who weren’t directly involved said the situation had left the Ruby ecosystem “burning itself down,” echoing a broader fatigue with the ongoing dispute between Ruby Central and its former operators.
Failing to rotate credentials and then responding to the disclosure with accusations of criminal activity has further strained confidence in Ruby Central’s handling of the incident. While a few participants urged nuance, the overall tone was one of frustration and eroded confidence. By Ruby Central’s own admission, community “frustration, skepticism, and fatigue” remain high, a sentiment echoed widely across Bluesky.
While the Bluesky discussion leaned heavily against Ruby Central’s handling of the incident, conversation on X, formerly Twitter, showed a more divided and at times volatile response.
Ruby on Rails creator David Heinemeier Hansson (DHH) summarized the situation in a post that was widely shared among developers:
“Former Ruby Central contractor tried to barter for RubyGems access logs(?!). When denied and terminated, he illegally accessed RG production servers, changed the root password, and now wants people to trust his new gem hosting service. Crazy," DHH said.
"Circumstances described sound like a clear violation of Computer Fraud and Abuse Act (CFAA). In misdemeanor cases, like this would probably be, the penalty is up to 1 year in prison. Japan has a similar statue where penalty is up to 3 years."
His post amplified Ruby Central’s framing to a much larger audience and likely influenced the flood of reactions that followed, both supportive and skeptical.
Many users echoed DHH’s interpretation, suggesting that Arko’s decision to change the AWS root password appeared retaliatory rather than the result of a procedural oversight. Several commenters called for Arko to be reported to the police.
“Incidents like these make the case strong for having single point of access removal,” software engineer Amit Gupta said. "Access to a user should be granted as & when needed but when their account is removed then it should get removed from all places."
Some commenters faulted both sides, arguing that the episode exposed deeper problems in how open source infrastructure is governed and secured.
“The whole story makes Ruby Central appear less trustworthy, given their incompetent handling of root access,” Meta engineer Matthias Georgi commented.
Taken together, the posts show how fragmented trust has become. Even as Ruby Central insists systems are secure, developers remain split over whether the greater failure was one of process, judgment, or governance.
A high-engagement Hacker News thread discussing Arko’s rebuttal captured a similarly mixed reaction. Several commenters focused on offboarding fundamentals and the risks of shared credentials.
“If you are removing an employee from a company, and you have to rely on their personal integrity instead of technical controls to avoid problems, you are doing very basic access control wrong,” one participant (@tetha) commented. "And if you're doing absolute fundamentals like that wrong, how much is your entire information security worth then?"
Others criticized Ruby Central’s competence and communications.
“My primary takeaway from all of this is that I do not want to be depending on infrastructure run by Ruby Central," @plorkyeran commented. "Maybe it’ll turn out that the previous status quo was even worse and we just got incredibly lucky that it never exploded, but the people now running things have consistently failed to inspire confidence.”
The thread also debated Ruby Central’s decision to include Arko’s proposal regarding access logs in a security incident post. Some readers viewed it as an attempt to smear Arko. Others argued the proposal raised its own ethical questions, even if no personal data was requested or shared.
"Here Andre is downplaying his ask of the logs," mbStavola commented. "Even if Andre didn't get them, the logs were desired. Had Ruby Central acquiesced the logs would've been parsed and sold. Might not be an issue for you but I am frankly not interested in having any data shared or sold like this."
Another commenter, @xylakant, said, “I don’t even understand why RubyCentral included the proposal to use the log data in the post about a security incident. Whatever we may think of the proposal, the only purpose of including it in this place is to smear Andre.”
Counterpoints noted that the proposal itself was fair game for scrutiny and that both sides have credibility issues.
“RC majorly botched the takeover, demonstrated gaps in security know-how, and then retroactively framed everything as a problem with André," mbStavola said. "The details of the logs are mostly immaterial to the rest of the claims, but are still suspicious enough to spice up the announcement.”
There was also debate about the gap between the September 19 password change and Arko’s September 30 disclosure, with some readers questioning the lack of immediate notification, and others citing confusion about authority and chain of command during the transition.
Beyond the immediate controversy, former RubyGems maintainer Ellen Dash (@duckinator), now part of The Gem Cooperative, offered a broader reflection on governance in two posts published October 8 and 9.
“RubyGems was always ran in a very informal way, with no real hierarchy," Dash said. "But the people working on it need to put food on the table, so it needs to fit in the economy without being taken advantage of.
Dash said she expected Ruby Central to be "the boundary between the realities of the economy and the ideals of open source," but found that it didn't play out this way.
"We fell for a common myth in the programming world: that the formal organization and the informal project worked alongside each other as equals," she said.
"However, formal organizations are perceived as more legitimate and that gives them an unstated but real ability to coerce the informal projects they are intended to support. By trying to stay out of the formal hierarchy, we accidentally got placed at the bottom of it."
Dash contends that the conflict with Ruby Central exposed structural flaws that made separation inevitable:
“When backed into a corner, our only option was to walk away and rebuild.”
In her follow-up, “Communities build out, not up,” she urged the Ruby ecosystem to reject centralization altogether:
“Centralization makes this problem more likely to repeat, no matter how hard we try to defend against it, because a single group is easier to target than a dozen. Anyone who tells you otherwise is naive or benefits from your dependence.”
Dash linked this decentralization philosophy to practical supply chain risks such as dependency confusion and namespace collisions:
“We need to figure out how to assign namespaces across multiple gem hosts… and determine an authoritative source for a gem," she said. "A gem host shouldn’t be able to lie about it.”
She concluded that the future of Ruby infrastructure depends on community ownership.
“Many programmers have no interest in formal governance processes, but letting people act and speak on our behalf without our input is what got us here," Dash said. "The path forward is for the community to speak up and take direct ownership of what we make.”
The release of Ruby Central’s incident report was intended to close the loop on the September AWS access lapse. Instead, it has widened the rift between the organization and many of the maintainers who once ran its core infrastructure.
As Ruby Central proceeds with new operator agreements and governance reforms, The Gem Cooperative continues to attract contributors seeking a more decentralized model for Ruby’s ecosystem. The two efforts now represent competing visions for how Ruby’s package infrastructure should be governed and maintained.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
/Security News
The Socket Threat Research Team uncovered a coordinated campaign that floods the Chrome Web Store with 131 rebranded clones of a WhatsApp Web automation extension to spam Brazilian users.
Security News
ENISA’s 2025 Threat Landscape report highlights how AI is reshaping cyber attacks, driving phishing, model poisoning, and software supply chain risks.
Security News
Evan You announces Vite+, a commercial, Rust-powered toolchain built on the Vite ecosystem to unify JavaScript development and fund open source.
