ruby/ruby gems: ongoing governance dispute #444341

@LordGrimmauld

Description

So apparently, the ruby/ruby-gems community is stuck in an ongoing power struggle between Ruby Central and previous RubyGems maintainers. Finding credible sources about this is complex. Initially, this blog post shared on Mastodon came to my attention.

The RubyGems org owners (https://github.com/orgs/rubygems/people) list Marty Haught, corroborating the story portrayed here. However, the Internet Archive did not catch any of those org owner changes, and neither did it catch the alleged org rename.

In the worst case, a compromised package repository from which we fetch things could mean compromised packages. For now, most packages are pinned by hash; this only becomes an issue for packages we actually update. However, we should sound the alarm if any Ruby fetcher gets hash mismatches in the next few days, and we should maybe pay some extra attention to upstream changes. It seems likely this is "just" a governance dispute and might not affect package security, but I am not super excited about taking that bet.

Extra insight would be appreciated; I am not exactly familiar with the whole Ruby ecosystem. Should this indeed turn out to have been a hostile takeover, we should consider carefully how we proceed with regard to our whole Ruby ecosystem. Ruby is used by core components, making its way into the closure of e.g. git and ffmpeg, but also popular end user applications such as Mastodon and GitLab.

Apparently Homebrew people are already on it (see https://bsky.app/profile/mikemcquaid.com/post/3lz6pkabzwk2o, thank you @alyssais for digging this up). Short of finding our own solution, we can maybe just watch and do whatever Homebrew does.

cc @kirillrdy @robbevp @manveru
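The "pinned by hash, alarm on mismatch" check the issue relies on, as an added illustration that is not part of the issue, of nixpkgs, or of any RubyGems tooling. It assumes a hypothetical pin table (`PINS`, gem file name to SHA-256 hex) standing in for whatever a fetcher or lockfile recorded when a package was last updated; the gem bytes in `SAMPLE_GEMS` are constructed stand-ins, not real `.gem` archives, and the `nokogiri` pin is deliberately wrong so the mismatch path runs. `rails` has no pin at all, which is the "packages we actually update" case: nothing to compare against, so its hash must be taken fresh from a source we trust.

```ruby
require "digest"

# Constructed stand-ins for downloaded .gem archives (gem file name => bytes).
# Not real gems: a real .gem is a tar archive holding metadata.gz,
# data.tar.gz and checksums.yaml.gz.
SAMPLE_GEMS = {
  "rake-13.2.1.gem"     => "constructed bytes standing in for rake",
  "nokogiri-1.16.0.gem" => "constructed bytes standing in for nokogiri",
  "rails-7.1.3.gem"     => "constructed bytes standing in for rails",
}.freeze

# Hypothetical pin file: what a hash-pinning fetcher (or a lockfile with
# checksums) recorded at the time each package was last updated.
# The nokogiri pin is deliberately wrong; rails has no pin at all.
PINS = {
  "rake-13.2.1.gem"     => Digest::SHA256.hexdigest("constructed bytes standing in for rake"),
  "nokogiri-1.16.0.gem" => "0" * 64,
}.freeze

# Compare one artifact against its recorded SHA-256. Returns a result hash
# instead of raising so a whole tree can be audited in one pass.
# The digest is public data, so a plain string compare is fine here.
def verify_pinned(name, bytes, expected_hex)
  actual = Digest::SHA256.hexdigest(bytes)
  if expected_hex.nil?
    { name: name, status: :unpinned, expected: nil, actual: actual }
  elsif actual == expected_hex.downcase
    { name: name, status: :ok, expected: expected_hex, actual: actual }
  else
    { name: name, status: :mismatch, expected: expected_hex, actual: actual }
  end
end

# Audit every artifact we would install against the pin table.
def audit(gems, pins)
  gems.map { |name, bytes| verify_pinned(name, bytes, pins[name]) }
end

# "Sound the alarm": a pinned artifact whose content changed is a hard failure.
# Unpinned artifacts are not a failure by themselves, but they are exactly the
# ones whose pin must now come from somewhere other than the repository under
# suspicion (e.g. a hash recorded before the dispute, or a second mirror).
def alarm?(results)
  results.any? { |r| r[:status] == :mismatch }
end

# Human-readable lines, one per artifact.
def report(results)
  results.map do |r|
    case r[:status]
    when :ok       then "ok        #{r[:name]}"
    when :mismatch then "MISMATCH  #{r[:name]} expected=#{r[:expected][0, 16]}... got=#{r[:actual][0, 16]}..."
    when :unpinned then "unpinned  #{r[:name]} sha256=#{r[:actual]} (pin this before trusting it)"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  results = audit(SAMPLE_GEMS, PINS)
  puts report(results)
  puts "ALARM: a pinned artifact no longer matches its recorded hash" if alarm?(results)
end
```

One caveat worth keeping in mind when adapting this to real gems: the `checksums.yaml.gz` inside a `.gem` only covers the other members of that same archive and ships together with them, so it is no defense against a hostile repository serving a replaced artifact. The comparison value has to live outside the artifact, which is what a hash pinned in the package expression gives us; for a fresh pin, fetch the file (e.g. with `gem fetch`) and compare its `sha256sum` against an independently obtained value rather than trusting the first download.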

Metadata

Assignees

No one assigned

    Labels

    1.severity: security (Issues which raise a security issue, or PRs that fix one)
    6.topic: ruby (A dynamic, open source programming language with a focus on simplicity and productivity.)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests