
That's the one thing I've heard them not address yet: the changing of the passwords.


Arko kind of did address it in his most recent blog post. He claims he was doing what was in Ruby Central's best interest.

Unfortunately for him he basically admitted to a crime because it came after he was terminated. He tried appealing to community and whatnot but anyone who's ever worked for a corporation knows that once you're terminated, it doesn't matter if HR forgot to take away your credentials or not, you simply don't attempt to access anything ever again. Having keys to something doesn't make you the owner.


He stated that he didn't know he had been terminated. RC admitted that no harm had been done. Yes, he should have communicated changing the password.


He changed the AWS root password for the account.


Yes, and he already explained why he did it. Yes, he should have communicated it clearly. That's on him.

At the same time, why didn't RC call him to ask? Was it easier to write about a security INCIDENT throwing shade at Arko?

With that said, let's keep focused on the real issue: RC did a hostile takeover of the projects. That's not been properly disputed so far. Matz is, therefore, accepting to steward stolen projects.


João, you're going to have to work a lot harder than this to cancel Matz.


You misspelled accountable.


It was a security incident!


It doesn't matter why you break into your former employer's server. That's the point.

> Matz is, therefore, accepting to steward stolen projects.

You know Arko didn't even start working on Rubygems until it was nearly 10 years old, right?

One of the original authors is in here and on X saying he supports it being taken over by RubyCore. Which matters much more than whatever the maintainers who were locked out think.


With that interpretation Marty Haught attempted to incite a federal crime on Oct 3rd, where he tried to trick Arko into doing trial logins:

https://andre.arko.net/2025/10/09/the-rubygems-security-inci...

"Please confirm that you cannot access the Ruby Central AWS root account credentials, either through the console or by access keys."

Alternatively, we could see the whole issue for what it is: a power struggle between political factions of an open source project that is unprofessionally handled by at least one side.


Incite? It was already done at this point. He was letting him dig his own grave...


> It doesn't matter why you break into your former employer's server.

Arko already stated that he didn't know he had been fired. Geez.

> You know Arko didn't even start working on Rubygems until it was nearly 10 years old, right?

The project was stolen from a set of maintainers, not just Arko. Let's stick to the facts: someone with admin rights over the repos revoked the access of other admins without their consent. What do you call this?

> One of the original authors is in here and on X saying he supports it being taken over by RubyCore. Which matters much more than whatever the maintainers who were locked out think.

How in the world is that relevant? I have a lot of respect for Rich, but he wasn't a maintainer.


> have a lot of respect for Rich, but he wasn't a maintainer.

LMAO

No. He's one of the few people on the planet that could lay claim to its copyright. He also gave the insight that Rubygems has literally ALWAYS been a part of RubyCentral.


Copyright? WTF are you talking about? Who's talking about copyright? Did or didn't RC perform a hostile takeover of the repos?


Arko tried to copyright Rubygems and file a claim against RC. That's literally part of the issue here... Because the repo doesn't matter that much, it's OSS, you can fork...

But if you do care about the repo, once again, RC has always controlled Rubygems. From the day it was written. The maintainers were even paid by RC. That makes it RC's, not the maintainers'.


How would it protect anyone?



