Peter H. Boling
Hostile Takeover of RubyGems: My Thoughts

I'll keep this post evergreen, as the situation evolves. Also, when you are done reading - hire me.

πŸ‘£πŸ”οΈ First some background reading πŸ•΅οΈ

My thoughts

  1. I no longer trust Ruby Central.
  2. I no longer trust certain members, but primarily HSBT, of the RubyGems core team.
  3. I no longer trust certain members, but primarily HSBT and Matz, of the Ruby core team.

Q: In what sense do I not trust them?
A: 📃 Governance 📃

To be more specific, I no longer trust that they:

  1. Hold people accountable for their actions according to written agreements and documentation around governance policy.
  2. Understand the community upset over point 1.
  3. Will ever do anything about it.

If they are added to your repository, you may wake up to find you have lost access to your own project.

I'm not OK with this having already happened to others, and have taken steps to ensure it will not happen to me.

Within my open source projects, I will reduce, to the degree possible, my reliance on any project hosted under the Ruby org on GitHub. Since most of my projects are Ruby projects, I'll never reach complete exclusion, but I will be focusing much more on JRuby and TruffleRuby.

It has been pointed out to me in other discussions about this that we never had reason to trust them, but we did anyway, implicitly. We normally assume other people live by the same code of ethics that we ourselves live by. I will miss being able to rest on that assumption, but it is probably for the best that it get binned.

What I'm doing about it

  • ore installs gems without Ruby, without Bundler, and without RubyGems. It is a Go implementation of (some parts of) Bundler, and it adds some features Bundler lacks. A project by @seuros, and I'm now on the core team. It is much faster than Bundler.
  • setup-ruby-flash is an alternative to the venerable setup-ruby GHA we've all been using for years. setup-ruby-flash relies on rv and ore for Ruby and Gem installs, and it falls back to setup-ruby on unsupported platforms/engines. I wrote more about it here.
  • appraisal2 is a hard fork of the old, and nearly-dead, namesake Thoughtbot project, to which I've added many features, including support for eval_gemfile, all versions of Ruby back to v1.8, and ore (see above). More on the reasons behind the hard fork.
  • A (WIP) proposal for bundler/gem scopes
  • A (WIP) proposal for a federated gem server

Top comments (2)

Ben Halpern

Wow I did not know all these details

Peter H. Boling

That's why I wrote this. There is a huge amount of soft-glove handling of this issue because HSBT and Matz are literally the two most powerful people in Ruby. But the lies being told about the disenfranchised, decades-tenured maintainers of Bundler and RubyGems are beyond the pale.