RubyGems control fight erupts • The Register

Ruby Central is said to have quietly snatched control of several flagship Ruby open source projects from their long-time maintainers without their consent, following pressure from Shopify, one of its biggest backers.

The allegations were detailed by Joel Drapper, a Ruby developer and open source maintainer who previously worked at Shopify. They suggest a coordinated takeover of the RubyGems and Bundler ecosystems, and may deepen fractures in the Ruby community. 

The controversy follows a story earlier this week about Ruby Central’s assumption of control over RubyGems infrastructure. What’s new in Drapper’s exposé is the assertion that Shopify, a major corporate user and sponsor in the Ruby ecosystem, applied financial and governance pressure to force Ruby Central’s hand – effectively turning the nonprofit into a proxy for corporate interests.

According to Drapper, Ruby Central had already been financially strained. A major sponsor, Sidekiq, allegedly withdrew a $250,000/year commitment after Ruby Central “platformed” Rails creator DHH (David Heinemeier Hansson) at RailsConf 2025, leaving it heavily dependent on Shopify’s chequebook. 

In that context, Shopify allegedly demanded that Ruby Central assume full ownership of the RubyGems GitHub organization and certain core gems – including ‘bundler’ and ‘rubygems-update’ – threatening to cut funding if the move did not occur.

In a series of events beginning on 9 September, an alleged plan was executed. HSBT (Hiroshi Shibata), a Ruby infrastructure maintainer, renamed the RubyGems GitHub enterprise to “Ruby Central,” added Marty Haught as a new owner, and demoted permissions for other maintainers. When questioned, HSBT reportedly declined to reverse the action without Haught’s permission. On 15 September, some of the changes were rolled back, but Haught remained in an ownership role, despite other maintainers having never agreed to his appointment.

By 18 September, maintainers were removed entirely, including from administrative access, and their GitHub organization and email accounts were deactivated, with ownership of the critical gems revoked. Among those caught in the purge was André Arko, a veteran RubyGems contributor who was on call for the RubyGems.org service at the time. 

Drapper says the Ruby Central board had voted in favor of the takeover despite objections from maintainers and arguments that alternative paths, such as forking, remained viable. He also presents evidence that Shopify had prepared its own on-call rotation to take over operational responsibilities immediately after the takeover, anticipating the disruption. 

In particular, he suggests that Shopify insisted that Arko, long a backbone of the RubyGems project, must not be allowed back into the project. 

Ruby Central’s official response, published several hours after the allegations surfaced, frames the move as a necessary step to secure the Ruby supply chain. 

“To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed,” the organization said. “This includes both our production systems and GitHub repositories. In the near term, we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights.”

In a video address, Ruby Central’s executive director, Shan Cureton, claimed that the takeover was tied to demands from sponsors and companies dependent on Ruby tooling, who raised concerns about supply chain and access issues. She said Ruby Central attempted to reach an agreement with maintainers but ran into time constraints. 

However, Drapper’s sources insist the Zoom meeting between maintainers and Haught was focused on ownership, not security, and that no maintainers had objected to Ruby Central controlling the production service infrastructure itself.

Drapper also highlights the case of Ellen Dash (aka duckinator), a decade-long RubyGems maintainer who quit after the lockout, calling the removal of maintainers “hostile.”

In parallel, Arko and others are launching a new effort, Spinel, to develop alternative Ruby tooling. Spinel’s ‘rv’ project aims to supplant elements of RubyGems and Bundler with a more modular, version-aware manager. Some in the Ruby community have already accused core Rails figures of positioning Spinel as a threat. For example, Rafael França of Shopify commented that admins of the new project should not be trusted to avoid “sabotaging rubygems or bundler.” 

Much remains murky. Drapper says he’s uncertain how every board member voted, and admits that he cannot yet confirm the involvement of other major players beyond Shopify. What’s clear is that Ruby Central’s board, knowing exactly what was at stake, decided to take control from maintainers who had nurtured the projects for years – and did so rapidly. ®