
CommunityNews
Ruby Central's Attack on RubyGems
Hi! I’m Ellen, but you probably know me as duckinator or puppy.
I really wish I didn’t have to write this, but I feel the Ruby community needs to know it.
I have been part of the Ruby community since I was 13, and one of the RubyGems
maintainers for the last decade.
This community has helped me through very hard times, and you mean the world to me.
One of the most important lessons I learned from y’all is this:
A person’s character is determined not only by their actions,
but also the actions they stay silent while witnessing.
This Month Has Been A Fuck Of A Year
Read in full here:

AstonJ
Response from Ruby Central…
Strengthening the Stewardship of RubyGems and Bundler
Ruby Community,
At the heart of Ruby Central’s mission is our responsibility to steward the open source tools that power the Ruby ecosystem. That commitment is only as strong as the people and processes behind it. Over the past several months, we have been carefully reviewing how RubyGems.org, RubyGems, and Bundler are governed, and we are making changes to ensure these critical services are supported in a sustainable, transparent, and secure way.
As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems. Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems.org service.
In addition, with the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end. To strengthen supply chain security, we are taking important steps to ensure that administrative access to RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work. These changes are designed to protect critical infrastructure that powers the Ruby ecosystem, whether you are a developer downloading gems to your local machine, or a small or large team that relies on the safety and availability of these tools.
Looking forward, our goal is to move these projects into a healthier, more transparent and community-centered governance model that is more in line with OSS development. We envision a structure with a public core team to set direction, a committers team to help advance the work, and a triage team to support issues and PRs. Ruby Central will play a supporting role in collaboration with the Ruby Core team, and we will continue to provide project-based grants to ensure these projects evolve in a way that is secure, community-driven, and sustainable.
Looking ahead, Ruby Central is focused on building the right conditions for open source stewardship to thrive. This includes modernizing Bundler and RubyGems to make them more performant, ensuring that decision-making is transparent and equitable, with continued investment in the engineers and infrastructure needed to maintain a secure supply chain. Our aim is to shift away from informal arrangements toward a model of stewardship that truly reflects the collaborative nature of open source.
We know these are meaningful changes, and we want to provide space for conversation. Ruby Central will host a community Q&A session with members of our Board, Shan Cureton, our Executive Director, and Marty Haught, our Director of Open Source on September 23 at 1pm-2pm EST. This will be an opportunity to share more about our governance work, answer your questions, and hear directly from you about the future of RubyGems and Bundler. You can register for the Q&A session here.
We want to express our deep gratitude to the many cohorts of maintainers who have contributed to Bundler and RubyGems over the past two decades. Ruby tooling would not be what it is today without their dedication and leadership. Their work laid much of the foundation we are building on today, and we are committed to carrying that legacy forward with the same spirit of openness and collaboration.
The Ruby community has always thrived on collaboration, accountability, and care. These changes are about carrying that spirit forward and ensuring the infrastructure we all depend on remains healthy, secure, and resilient for the long run.
With gratitude and commitment,
Ruby Central
September 19, 2025