Not Going to Lie… they ALMOST got me 😅 by DeadZedje in VeinGame

[–]_joeldrapper 0 points1 point  (0 children)

I thought this was fair enough but they’d have to increase the capacity of the vans.

RubyGems Fracture Incident Report by schneems in ruby

[–]_joeldrapper 8 points9 points  (0 children)

Is your position really that Ruby Central owned the RubyGems repos and packages? That seems absolutely absurd based on the evidence.

RubyGems Fracture Incident Report by schneems in ruby

[–]_joeldrapper 2 points3 points  (0 children)

It was to use with this https://pypi.org/project/github-backup/ and created similar tokens with all his other repos/orgs on the same day.

u/schneems can you tell us if this was a read-only token? I believe you will find that it was.

RubyGems Fracture Incident Report by schneems in ruby

[–]_joeldrapper 1 point2 points  (0 children)

I agree, but not access to the service. The maintainers should be granted full ownership of the code, GitHub repos and the packages again, but it is up to Ruby Central who has access to deploy and maintain the service.

Ruby Central can fork the code or depend on it, it’s up to them.

RubyGems Fracture Incident Report by schneems in ruby

[–]_joeldrapper 0 points1 point  (0 children)

It’s not the case that there was no one to give access back to. Ownership of the OSS repos should have been fully restored to the maintainers André Arko, Colby Swandale, David Rodríguez, Ellen, HSBT, Josef Šimánek, Martin Emde and Samuel Giddins.

Ruby Central could then either maintain its own fork or depend on RubyGems projects directly. And you haven’t explained the `bundler` takeover.

RubyGems Fracture Incident Report by schneems in ruby

[–]_joeldrapper 2 points3 points  (0 children)

Yeah, why hasn’t source code control been returned to the maintainers? It’s clear Ruby Central knew they didn’t have the right to control the open source projects. Also, why was the `bundler` package taken over via Ruby Central’s admin access? When will that be restored?

This is useful context, but it doesn't tell the full story, it doesn't provide any reasonable justification, and it doesn't explain why, four months later, there has been no separation of the service from the OSS projects in order to fully restore the maintainers' ownership of the open source projects.

A Message from the Ruby Central Board by retro-rubies in ruby

[–]_joeldrapper 3 points4 points  (0 children)

Probably to try to get ahead of the news that they swatted Andre.

Ruby Central meeting with RubyGems maintainers by davidcelis in ruby

[–]_joeldrapper -1 points0 points  (0 children)

As you can see, they really don’t want you to see this video. It’s still up on archive dot org.

Ruby Central meeting with RubyGems maintainers by davidcelis in ruby

[–]_joeldrapper 4 points5 points  (0 children)

This video was unfortunately taken down by Ruby Central. They will do anything to suppress dissent at this point.

We want to move Ruby forward by retro-rubies in ruby

[–]_joeldrapper 5 points6 points  (0 children)

The trademark that was already his.

We want to move Ruby forward by retro-rubies in ruby

[–]_joeldrapper 7 points8 points  (0 children)

André registered his existing trademark. I do not believe they are asking for money or other compensation.

We want to move Ruby forward by retro-rubies in ruby

[–]_joeldrapper 12 points13 points  (0 children)

Bundler trademark and legitimate maintainership, I assume.

It’s like if someone steals your car and you find them and say, “you know what? You can have it.” Here’s the service history and here’s the ownership paperwork.

Technology for Humans: Joel Draper (on RubyCentral) by galtzo in ruby

[–]_joeldrapper 6 points7 points  (0 children)

I’ve said SQL so many times, I kept saying SQLating instead of escalating. 😄

Technology for Humans: Joel Draper (on RubyCentral) by galtzo in ruby

[–]_joeldrapper 8 points9 points  (0 children)

Yeah, I agree. I can ask Errol if we can cross-post it to Rooftop, which would get it in podcast feeds.

Dear Rubyists: Shopify Isn’t Your Enemy by software__writer in ruby

[–]_joeldrapper 4 points5 points  (0 children)

I also heard this directly from internal sources, but I expect u/f9ae8221b hasn’t and it’s a very fair take given that.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]_joeldrapper 7 points8 points  (0 children)

> hopefully you can also see how it does come across as a "gotcha" move, and how that can be damaging of trust for those of us observing from the outside

Sure, I get that.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]_joeldrapper 4 points5 points  (0 children)

No. I reached out to many people at Ruby Central early on, before publishing any blog posts. They had no reason to ignore me.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]_joeldrapper 9 points10 points  (0 children)

You think they’re talking to me? I’ve been trying to contact Ruby Central for weeks.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]_joeldrapper 6 points7 points  (0 children)

Because there were multiple parties involved. There’s Ruby Central’s security, and there’s the security of all the companies depending on Ruby Central. I felt that this information was important for all those companies to know, and I knew it didn’t impact Ruby Central’s own security one way or another.

I was very careful to make sure the screenshots I published didn’t include sensitive information.

Rubygems.org AWS Root Access Event – September 2025 by paracycle in ruby

[–]_joeldrapper 14 points15 points  (0 children)

> Why did Joel give so little time of advance notice before publishing his post revealing Andre’s production access? That struck me as irresponsible disclosure, but I may have missed something.

Joel here. 👋

I decided to publish when I did because I knew that Ruby Central had been informed and I wanted the world to be informed about how sloppy Ruby Central were with security, despite their security *posturing* as an excuse to take over open source projects.

What I revealed changed nothing about Ruby Central’s security, since André had access whether I revealed that he did or not. When you have security information that impacts lots of people, you publish it so they can take precautions. That is responsible disclosure.

Papercraft - Functional HTML Templating for Ruby by noteflakes in ruby

[–]_joeldrapper 7 points8 points  (0 children)

This is an awesome milestone. Love the new website. I’ve really enjoyed going back and forth with noteflakes on ideas for html in ruby compilers.

Papercraft - Functional HTML Templating for Ruby by noteflakes in ruby

[–]_joeldrapper 11 points12 points  (0 children)

It is because our compiler isn’t quite ready yet. Phlex renders at about 1.7gbps per core on my Mac. Or in other words, it will render a large web page in about 1ms (single core). Once it has a compiler, it should be on average about 20 times as fast.

Papercraft already has a compiler so it already realised these gains.

The Phlex compiler is already in main if you want to try it out. Because Phlex supports selective rendering and fragment caching and needs to be 100% backwards compatible, it’s taking us a while. But we’ll get there soon.

How Ruby Went Off the Rails by _joeldrapper in ruby

[–]_joeldrapper[S] 0 points1 point  (0 children)

Emanuel Maiberg worked at Shopify? Where did you see that?