Initial ruby/rubygems governance doc
#9187
Conversation
This provides a starting point for a Governance doc. It attempts to: - Document the current state of norms with regard to Matz and Ruby core. - Present a well-defined boundary between Ruby Central (RC) and the technical management of the `ruby/rubygems` repository. This is achieved by separating administrative access (ability) from decision-making capability. Under this model, Ruby Central would need to work through a core team (via norms/communication) for permanent changes. - Establish an explicit security team that can make swift decisions regarding access and threats. For example, if Ruby Central believed there was an active threat, they would need the buy-in from the security team to temporarily remove someone and the buy-in from the core team to permanently remove someone. - Tighten norms around commit access and "active" status. While it's common for some Ruby open-source projects to have inactive members for many years, this project has a very large surface area that affects all Ruby users and the RubyGems.org service. I am seeking a stricter set of norms. Commit access can be a point of pride and identity for developers; to that end, I'm suggesting adopting a way to memorialize that status via an "alumni" status. - Separate development from release capability. This document was reviewed and approved by the RC board. It was previously shared privately for feedback with Ruby core contributors (specifically, @hsbt, who is listed as the Ruby integrator of RubyGems) and with a maintainer of `ruby/rubygems` @colby-swandale, who had commit access prior to the repo being moved from `rubygems/rubygems` and has commit access now. I've also reached out to several of the other former paid maintainers from the [group of six](https://github.com/gem-coop) who identify themselves as "the maintainers." The ones I spoke to expressed that they're unhappy with the communication and how events unfolded, and don't wish to work for or with RC. They're not willing to accept access as it's been offered. I understand that they've moved on to gem-coop and spinel-coop. - This document is intended to be provisional, with an explicit mandate to replace and re-draft governance written in the doc.
|
@schneems who, exactly, did you reach out to? Since you did not reach out to me, I do not want to be included in your summary of "the group". |
Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
|
|
||
| ## Core Team (`core`) | ||
|
|
||
| The core team determines the project's vision. This is achieved by mentoring other teams and advising them. Core team members must show a history of sustained contributions prior to being considered for the `core` team. A core member may override a decision about a feature or breaking change made by a `committer` team member. This should be done explicitly, in public, with a sufficient justification stated. |
There was a problem hiding this comment.
Could we clarify what 'in public' means? I'd suggest defaulting to https://github.com/ruby/rubygems issues/discussions unless the matter involves Ruby core integration, in which case https://bugs.ruby-lang.org/.
|
|
||
| ## Triage Team (`triage`) | ||
|
|
||
| The triage team manages the “inflow” of issues and pull requests. They have access to close and open issues and pull requests (PRs) as well as other similar privileges, such as tagging issues. Their membership is governed by `core`. Any triage team member can recommend a new member to `core`. |
There was a problem hiding this comment.
Could we add a chapter that lays out a rough timeline of the provisional period? Even something like "replacement governance should be drafted in 8 months, accepted in 12 months" so there's something to have an initial impression of expectations.
Co-authored-by: Edouard CHIN <chin.edouard@gmail.com>
@schneems this part deserves update after our call. 🙏 |
jeremyevans
left a comment
jeremyevans
left a comment
There was a problem hiding this comment.
@schneems asked me to provide feedback on this PR. Note that while I've contributed to rubygems in the past and recently, I'm not very active in the project. Please consider these as recommendations from an outsider with significant open source experience, but not significant experience with rubygems itself.
In general, I think this governance document is a step in the right direction. It does seem overly bureaucratic to me at first glance, but that's probably because it is detailed and written down. While I generally prefer less bureaucracy, considering rubygems history, I think the level of bureaucracy is reasonable.
| @@ -0,0 +1,96 @@ | |||
| # Governance of `ruby/rubygems` | |||
|
|
|||
| The objective of this document is to provide a minimum version of Governance and plan for a more comprehensive iteration later. Governance is **“a well-defined set of norms, written down.”** We intentionally minimize legalistic language and expect this document to be treated as a tool for understanding and collaboration, and not a “point of order” procedural technicalities. | |||
There was a problem hiding this comment.
| The objective of this document is to provide a minimum version of Governance and plan for a more comprehensive iteration later. Governance is **“a well-defined set of norms, written down.”** We intentionally minimize legalistic language and expect this document to be treated as a tool for understanding and collaboration, and not a “point of order” procedural technicalities. | |
| The objective of this document is to provide a minimum version of Governance and plan for a more comprehensive iteration later. Governance is **“a well-defined set of norms, written down.”** We intentionally minimize legalistic language and expect this document to be treated as a tool for understanding and collaboration, and not as a tool for “point of order” procedural technicalities. |
| * Committer - controls contributions to the software | ||
| * Triage - controls triaging of software issues | ||
|
|
||
| ## Access Team (`access`) |
There was a problem hiding this comment.
I think ruby/rubygems should be treated similarly to other projects managed under the the ruby organization. I don't think rubygems should have non-committers with the ability to make access changes. This should be treated as an open source project, where the committers (or a subset of them) are in charge of handling access.
Just because RubyCentral hires someone shouldn't allow them to be granted access rights, nor should access rights be removed just because RubyCentral no longer employs the person. This is rubygems, not rubygems.org (I think these employment conditions would make sense for rubygems.org). I'm grateful for RubyCentral's funding of rubygems development, but funding should not imply control.
All rubygems committers should work from the perspective of improving rubygems, and should not make any changes to rubygems based on direction of Ruby Central or any other party unless they would make the same changes based on their own judgment in the absence of that direction. In terms of work on rubygems, all committers should represent themselves individually and not represent their employer or any other party.
|
|
||
| ## Security Team (`security`) | ||
|
|
||
| The Security team members will have the ability to recommend the removal of administrative access from any other team member. The access team is expected to respect this request unless they have strong reason to counter. The security team is able to temporarily pause or revoke access if platform and service security depend on the temporary removal, however, only the `access` team can make the removal permanent. |
There was a problem hiding this comment.
Currently, this has the security team only "advise" on security issues. It should be the security team's responsibility to fix/address security issues, not only advise of them.
Most of this section involves access, which I don't think is appropriate. My assumption is that any committer can make recommendations to the access team, and it is up to the access team to act of them. The security team should focus on code security, not on access issues. The members of the security team should not have permissions to add/remove accounts (unless the person is a member of both the security team and the access team).
|
TL;DR:
I’d like to clarify my own situation here, because it seems the project is currently in a strange semi-state, and some assumptions are being made on my behalf. I was never contacted, and I never rejected any access. As far as I understand, technically, I am still a maintainer. If that is not the case, I would genuinely appreciate a clear explanation:
The only action I took was leaving the RubyGems GitHub organization on my own initiative. I did so after @hsbt ignored existing team policies and added a new member with full access (@mghaught from Ruby Central), bypassing the documented process and all other maintainers: After that, I saw the final ownership state of the RubyGems GitHub organization (screenshot from 19.9.2025, 18:35): 
At that point:
From my perspective, this was the moment when the RubyGems GitHub organization lost its independence and effectively came under Ruby Central’s control. It’s important to be explicit here: This is why I believe this is the core issue, and why introducing new governance documents without first addressing this violation does not solve anything. As long as it is silently accepted that:
then no governance document can prevent the same thing from happening again. The necessary first step is to review the legitimacy of those actions and make a clear statement to the community explaining either:
Without that, trust cannot be rebuilt, and governance changes alone are meaningless. |
11 participants
This provides a starting point for a Governance doc. It attempts to:
ruby/rubygemsrepository. This is achieved by separating administrative access (ability) from decision-making capability. Under this model, Ruby Central would need to work through a core team (via norms/communication) for permanent changes.This document was reviewed and approved by the RC board. It was previously shared privately for feedback with Ruby core contributors (specifically, @hsbt, who is listed as the Ruby integrator of RubyGems) and with a maintainer of
ruby/rubygems@colby-swandale, who had commit access prior to the repo being moved fromrubygems/rubygemsand has commit access now.I've also reached out to several of the group of six who identify themselves as "the maintainers." The ones I spoke to expressed that they're unhappy with the communication and how events unfolded, and don't wish to work for or with RC. They're not willing to accept access as it's been discussed. I understand that they've moved on to gem-coop and spinel-coop.