WEBVTT

00:00.000 --> 00:07.000
Thank you for having me today.

00:07.000 --> 00:12.000
This is my first time at the big stage in Humberu.

00:12.000 --> 00:15.000
I've been here many years.

00:15.000 --> 00:17.000
I love this conference.

00:17.000 --> 00:19.000
It's the best open source conference in the world.

00:19.000 --> 00:21.000
But first time here.

00:21.000 --> 00:25.000
So I thought given this topic is potentially contentious.

00:25.000 --> 00:29.000
I would get a friend of mine, hopefully make me feel a little bit better.

00:29.000 --> 00:32.000
I sent him the screenshot of when this got accepted.

00:32.000 --> 00:35.000
And I said, oh, fuck.

00:35.000 --> 00:38.000
So he could actually make me just write kind.

00:38.000 --> 00:41.000
He thought nice things about the title.

00:41.000 --> 00:44.000
And then, unfortunately let me down.

00:44.000 --> 00:47.000
So hopefully I am not, in fact, fucked.

00:47.000 --> 00:51.000
But if I am, hopefully it is entertaining for all of you to watch me

00:51.000 --> 00:54.000
as we turn the UK down your arse.

00:54.000 --> 00:57.000
Anyway, so, some important framing.

00:57.000 --> 01:00.000
We're going to talk about some stuff today, which is pretty fresh.

01:00.000 --> 01:04.000
Literally, some people who have been involved in the story are

01:04.000 --> 01:05.000
possibly in the room.

01:05.000 --> 01:08.000
And I've seen people at FOSDEM.

01:08.000 --> 01:13.000
So who already has an awareness of what happened with Ruby gems?

01:13.000 --> 01:16.000
Even a vague one, right?

01:16.000 --> 01:22.000
And who has strong opinions about who was in the wrong and who was in the right?

01:22.000 --> 01:24.000
Trick question.

01:24.000 --> 01:26.000
But yeah, okay, so a few of us.

01:26.000 --> 01:29.000
So what I'd ask us to bear in mind, right?

01:29.000 --> 01:30.000
This is not a trial.

01:30.000 --> 01:35.000
It doesn't really help us to go and point fingers, particularly

01:35.000 --> 01:38.000
at individuals, actually, because this is mainly a story about

01:38.000 --> 01:44.000
groups of people and communities and open source foundations

01:44.000 --> 01:48.000
and open source maintainers and companies and all that

01:48.000 --> 01:49.000
interesting stuff, right?

01:49.000 --> 01:52.000
And I actually think this stuff gets

01:53.000 --> 01:56.000
particularly when I'm standing on a stage and people

01:56.000 --> 01:58.000
want to be in the room, it's a bit mean.

01:58.000 --> 02:01.000
If we start pointing fingers at individuals, so I'm just not going to do that.

02:01.000 --> 02:03.000
I'm going to try and avoid naming anyone except myself,

02:03.000 --> 02:07.000
because I'm allowed to be self-deprecating because I'm British.

02:07.000 --> 02:11.000
So the next thing, again, I want to just encourage anyone who

02:11.000 --> 02:16.000
right now is like, this group or this person completely

02:16.000 --> 02:20.000
fucked this up and this group or this person did everything right.

02:20.000 --> 02:23.000
Like, that's a bit of a red flag, right?

02:23.000 --> 02:26.000
You know, many of us in the room, I'm sure, are engineers, right?

02:26.000 --> 02:31.000
And we work with software and complex systems fail in complex ways.

02:31.000 --> 02:32.000
Right?

02:32.000 --> 02:35.000
So if you feel absolutely certain about something,

02:35.000 --> 02:38.000
that means either you're probably missing something

02:38.000 --> 02:40.000
or maybe have a bias.

02:40.000 --> 02:41.000
That's okay.

02:41.000 --> 02:43.000
No shame, no shade, whatever.

02:43.000 --> 02:44.000
Right?

02:44.000 --> 02:49.000
But just let's try and come into this with an open mind, right?

02:50.000 --> 02:53.000
Again, another important frame I think for all this is

02:53.000 --> 02:55.000
incentives are everything, right?

02:55.000 --> 02:58.000
Like, very rarely in the world do we actually have,

02:58.000 --> 03:01.000
particularly in things like open source and in workplaces,

03:01.000 --> 03:03.000
and not Netflix shows or whatever.

03:03.000 --> 03:05.000
Like, people who are just unbelievably evil

03:05.000 --> 03:07.000
and cackle away as they deliberately do the thing

03:07.000 --> 03:10.000
to maximally fuck over as many people as possible.

03:10.000 --> 03:12.000
Like, people are responding to the incentives

03:12.000 --> 03:14.000
that are put in front of them, right?

03:14.000 --> 03:16.000
People don't go into things generally with bad intentions.

03:16.000 --> 03:19.000
And generally the people who we look at in these situations

03:19.000 --> 03:21.000
who we think, maybe have bad intentions,

03:21.000 --> 03:24.000
just have a really bad incentive set in front of them.

03:24.000 --> 03:26.000
Right? So I'm asking you to look at things through that lens.

03:26.000 --> 03:28.000
And we're going to try this being a lot of,

03:28.000 --> 03:30.000
I guess, the word drama has come up again and again

03:30.000 --> 03:32.000
when people have been talking about this, right?

03:32.000 --> 03:36.000
Sometimes, like, favorably sometimes used to critique

03:36.000 --> 03:37.000
one side or another or whatever,

03:37.000 --> 03:41.000
but I feel like we thankfully have moved past the drama stage

03:41.000 --> 03:43.000
and we can be in the learning stage.

03:43.000 --> 03:44.000
So let's do that.

03:45.000 --> 03:49.000
This talk is about running open source software

03:49.000 --> 03:52.000
and specifically infrastructure projects,

03:52.000 --> 03:55.000
which I'll talk a little bit later on why

03:55.000 --> 03:59.000
this is a particularly important topic for me, specifically.

03:59.000 --> 04:03.000
But these projects underpin an enormous amount of the internet, right?

04:03.000 --> 04:07.000
Like, for most, even kind of commercial software developers

04:07.000 --> 04:09.000
who are not here, who care nothing about open source,

04:09.000 --> 04:11.000
who probably don't even really understand open source.

04:12.000 --> 04:14.000
The amount of open source software that has to work

04:14.000 --> 04:16.000
and go right and be lined up

04:16.000 --> 04:20.000
and perfectly orient itself for that person to do their day job.

04:20.000 --> 04:24.000
And increasingly their day job far removed from technology

04:24.000 --> 04:26.000
is pretty breathtaking when you think about it.

04:26.000 --> 04:29.000
Right? It's arguably open source software

04:29.000 --> 04:33.000
is one of the best achievements we've made as mankind.

04:33.000 --> 04:36.000
And I love conferences like this

04:36.000 --> 04:39.000
because I think it really highlights the kind of beauty

04:39.000 --> 04:41.000
of what we're doing here, right?

04:41.000 --> 04:44.000
We're creating this worldwide system of software,

04:44.000 --> 04:46.000
which is incredibly powerful and many people rely on

04:46.000 --> 04:49.000
and empowers so many other fields, right?

04:49.000 --> 04:52.000
But because it's invisible when it's working

04:52.000 --> 04:54.000
and because people don't think about it,

04:54.000 --> 04:57.000
often it just fades into the background.

04:57.000 --> 05:01.000
And that success that comes from making things invisible

05:01.000 --> 05:04.000
and transparent and just smoothly flowing

05:04.000 --> 05:07.000
makes it even more dramatic, or sorry,

05:08.000 --> 05:11.000
even more dramatic when things fail.

05:11.000 --> 05:14.000
When things fail, they fail loudly, they fail globally

05:14.000 --> 05:17.000
and the blast radius on important projects is never small.

05:17.000 --> 05:20.000
So Ruby gems is one of those systems

05:20.000 --> 05:22.000
and that's what the story today is going to be about.

05:22.000 --> 05:24.000
We'll talk about heroes, we'll talk about villains,

05:24.000 --> 05:26.000
we'll just talk about systems under stress

05:26.000 --> 05:27.000
and what we can learn.

05:27.000 --> 05:31.000
So who am I? Why am I talking about this?

05:31.000 --> 05:33.000
And what can you maybe learn from me?

05:33.000 --> 05:36.000
Firstly, I think that's legitimate to ask,

05:36.000 --> 05:39.000
particularly in something like this story

05:39.000 --> 05:42.000
because I think a lot of the people who maybe have

05:42.000 --> 05:45.000
strong opinions like when you understand a bit about their background

05:45.000 --> 05:48.000
it's maybe clear why they have the view they have.

05:48.000 --> 05:50.000
So I'm the project leader of Homebrew,

05:50.000 --> 05:52.000
a Mac package manager,

05:52.000 --> 05:54.000
runs on Linux and stuff as well.

05:54.000 --> 05:57.000
So I worked on that since 2009,

05:57.000 --> 05:59.000
so that would be 17 years this year,

05:59.000 --> 06:01.000
which is slightly terrifying.

06:01.000 --> 06:04.000
I think what that does is it gives me a little bit of context

06:04.000 --> 06:07.000
about what it's like to run a package manager,

06:07.000 --> 06:09.000
what it's like to work on these open source projects

06:09.000 --> 06:10.000
for a long period of time.

06:10.000 --> 06:13.000
But as we'll see later,

06:13.000 --> 06:17.000
I'm not super involved with this story beyond that, right?

06:17.000 --> 06:20.000
I was principal engineer at GitHub for a while

06:20.000 --> 06:23.000
that told me a fair bit about open source,

06:23.000 --> 06:25.000
it told me a fair bit about Ruby

06:25.000 --> 06:28.000
because that's what GitHub is primarily built in

06:28.000 --> 06:31.000
and scale security, libraries, et cetera.

06:31.000 --> 06:33.000
I think most importantly actually for the story,

06:34.000 --> 06:35.000
I'm a Rubyist.

06:35.000 --> 06:37.000
I first wrote some Ruby in 2005.

06:37.000 --> 06:39.000
I've probably written Ruby more than any other language

06:39.000 --> 06:41.000
since about 2009.

06:41.000 --> 06:42.000
And I deeply love it.

06:42.000 --> 06:43.000
I like the ecosystem.

06:43.000 --> 06:45.000
I like many of the people. I have friends

06:45.000 --> 06:46.000
I've met because of Ruby.

06:46.000 --> 06:48.000
I have jobs that I've built

06:48.000 --> 06:49.000
because of my work on Ruby.

06:49.000 --> 06:51.000
And I have depended on it

06:51.000 --> 06:52.000
for most of my career.

06:52.000 --> 06:55.000
Finally, and somewhat least importantly,

06:55.000 --> 06:56.000
like I have a day job.

06:56.000 --> 06:58.000
Like open source is not my life.

06:58.000 --> 07:02.000
I'm a CTO of a small training management software company

07:03.000 --> 07:04.000
in Scotland.

07:04.000 --> 07:06.000
But as a result of that,

07:06.000 --> 07:09.000
I've had to do an awful lot of work

07:09.000 --> 07:11.000
around growing as a leader

07:11.000 --> 07:14.000
and trying to understand how systems and cultures

07:14.000 --> 07:16.000
and incentives are set up and what happens.

07:16.000 --> 07:18.000
I'm not a RubyGems maintainer.

07:18.000 --> 07:19.000
I never have been.

07:19.000 --> 07:21.000
I have simply with Bundler.

07:21.000 --> 07:23.000
I have no affiliation with Ruby Central.

07:23.000 --> 07:25.000
I've never been involved with them.

07:25.000 --> 07:26.000
I've never given them any money.

07:26.000 --> 07:28.000
I've never done any work with them or anything like that.

07:28.000 --> 07:31.000
In this situation, I was asked to mediate.

07:31.000 --> 07:34.000
So, as we'll talk about later on,

07:34.000 --> 07:36.000
like the way Homebrew does governance

07:36.000 --> 07:39.000
was kind of cited relatively early on in this situation.

07:39.000 --> 07:42.000
And as someone who's kind of very involved with Homebrew and our governance process,

07:42.000 --> 07:44.000
I was asked to kind of come in and see,

07:44.000 --> 07:46.000
like, well, how could it apply to RubyGems, or not?

07:46.000 --> 07:50.000
But, unfortunately, my mediation did not manage to stop

07:50.000 --> 07:52.000
what happened from happening.

07:52.000 --> 07:56.000
It's interesting because pretty much this whole story

07:56.000 --> 07:59.000
takes place between September and October 2025, and

07:59.000 --> 08:02.000
we kind of have a bit of stability now.

08:02.000 --> 08:05.000
I think some of the kind of strongest emotions

08:05.000 --> 08:07.000
were kind of past that stage, which probably helps us

08:07.000 --> 08:09.000
to look back a little bit.

08:09.000 --> 08:11.000
So, we're talking about weeks for most of these events

08:11.000 --> 08:12.000
rather than years.

08:12.000 --> 08:14.000
Although the context set beforehand and the stuff

08:14.000 --> 08:17.000
we'll learn afterwards will go back and forward.

08:17.000 --> 08:19.000
I helped gem.coop.

08:19.000 --> 08:21.000
You don't need to know what that is.

08:21.000 --> 08:22.000
If you don't already.

08:22.000 --> 08:23.000
I help them kind of sell.

08:23.000 --> 08:25.000
They're going in this process.

08:25.000 --> 08:27.000
I learned stuff on the way.

08:28.000 --> 08:31.000
So, okay, who knows what RubyGems is?

08:31.000 --> 08:32.000
Hand up.

08:32.000 --> 08:34.000
Okay, most people saw it.

08:34.000 --> 08:35.000
I keep this brief.

08:35.000 --> 08:38.000
Ruby's package manager is called RubyGems.

08:38.000 --> 08:40.000
Technically, you could use another package manager,

08:40.000 --> 08:44.000
but that's the main default that the vast majority of people use.

08:44.000 --> 08:47.000
It was actually founded in 2004

08:47.000 --> 08:50.000
after Ruby had been round for a fair wee while.

08:50.000 --> 08:53.000
Like nowadays, often the software kind of comes with

08:53.000 --> 08:56.000
version locking and package management along

08:56.000 --> 08:59.000
with the language right out of the door, but that was not the case.

08:59.000 --> 09:01.000
for RubyGems and Ruby.

09:01.000 --> 09:04.000
There's millions of applications that rely on RubyGems.

09:04.000 --> 09:07.000
And as a result, we're not talking about some niche tool

09:07.000 --> 09:08.000
used by a few people.

09:08.000 --> 09:10.000
We're talking about kind of critical infrastructure on the internet.

09:10.000 --> 09:13.000
Which brings up things like software supply chains

09:13.000 --> 09:16.000
and all these other kind of big growing up sounding words.

09:16.000 --> 09:18.000
It's not a side project as well.

09:18.000 --> 09:22.000
Many open source projects are essentially run by one person

09:22.000 --> 09:24.000
in their evenings and weekends.

09:24.000 --> 09:25.000
They never get any money for it.

09:25.000 --> 09:27.000
They never spend any money on it.

09:27.000 --> 09:29.000
And it's just like a fun little hobby.

09:29.000 --> 09:31.000
Like RubyGems is not in that category.

09:31.000 --> 09:34.000
RubyGems is much more critical.

09:34.000 --> 09:37.000
So money.

09:37.000 --> 09:40.000
Money is messy, particularly when you involve it with open source.

09:40.000 --> 09:44.000
Who feels a little bit uncomfortable talking about money sometimes?

09:44.000 --> 09:45.000
Quite a lot of people.

09:45.000 --> 09:50.000
Like open source money is even more potentially uncomfortable.

09:50.000 --> 09:53.000
Because, well, some things cost money.

09:53.000 --> 09:54.000
So what costs money?

09:54.000 --> 09:55.000
Storage cost money.

09:55.000 --> 09:57.000
Bandwidth costs money.

09:57.000 --> 10:00.000
On-call, if you want to pay someone, well, sorry, if you want someone

10:00.000 --> 10:03.000
to be working up at three o'clock in the morning on a regular basis

10:03.000 --> 10:07.000
when things break, then generally you need to provide a bit more

10:07.000 --> 10:12.000
incentive to that than just peer pressure and community good will.

10:12.000 --> 10:14.000
Incidents cost money.

10:14.000 --> 10:18.000
If you've got years of work, you can have it undone in a few

10:18.000 --> 10:20.000
hours when you have some critical incident.

10:21.000 --> 10:24.000
And it's why organizations behave differently under stress.

10:24.000 --> 10:28.000
Because depending on where the money is, that tends to focus attention

10:28.000 --> 10:30.000
even more closely when incidents are going on.

10:30.000 --> 10:32.000
But not everything costs money.

10:32.000 --> 10:35.000
Let's compare with the other project

10:35.000 --> 10:38.000
I've worked on for a while, which is Homebrew, right?

10:38.000 --> 10:41.000
So this is not to say Homebrew is better or worse.

10:41.000 --> 10:44.000
It's just a comparison because I think we're two projects,

10:44.000 --> 10:47.000
both written in Ruby, but we have a different approach to these things.

10:47.000 --> 10:50.000
So Homebrew's first thing: when you download Homebrew's binary packages,

10:50.000 --> 10:52.000
we do not pay any money for that.

10:52.000 --> 10:56.000
Because we were originally hosted by SourceForge,

10:56.000 --> 10:59.000
then Bintray, and now it is GitHub.

10:59.000 --> 11:03.000
So the trade-off for that is that Homebrew is not independent

11:03.000 --> 11:04.000
in the way that RubyGems is.

11:04.000 --> 11:07.000
Like RubyGems is not relying on any single vendor.

11:07.000 --> 11:09.000
Like, of course, there are servers on AWS,

11:09.000 --> 11:14.000
but they could move relatively with big finger quotes easily

11:14.000 --> 11:15.000
to another provider.

11:15.000 --> 11:18.000
Probably certainly a lot easier than Homebrew could.

11:18.000 --> 11:20.000
So in some ways, we're not even independent.

11:20.000 --> 11:25.000
We're somewhat dependent on retaining the good graces of GitHub, right?

11:25.000 --> 11:26.000
I used to work there.

11:26.000 --> 11:27.000
I still know a lot of people there.

11:27.000 --> 11:31.000
So I'm not as worried about that as I might be something else.

11:31.000 --> 11:34.000
But again, that may or may not be a decision that makes sense for your project,

11:34.000 --> 11:36.000
or for RubyGems.

11:36.000 --> 11:42.000
So let's quickly scan through the timeline of what happened

11:42.000 --> 11:43.000
on the website.

11:43.000 --> 11:49.000
So Ruby Central, the organization that's kind of often cited in this discussion,

11:49.000 --> 11:55.000
was founded originally in 2001, by a couple of people in the Ruby community,

11:55.000 --> 11:58.000
who wanted to provide a permanent nonprofit for running Ruby community events

11:58.000 --> 12:01.000
and handling sponsorship and logistics.

12:01.000 --> 12:05.000
A few of the same people were involved in releasing RubyGems

12:05.000 --> 12:08.000
in March 2004.

12:08.000 --> 12:15.000
And then we have to go forward about 11 years before we kind of reach the next

12:15.000 --> 12:18.000
group that's kind of relevant to this, which is Ruby Together.

12:18.000 --> 12:24.000
So they were actually announced by Ruby Central in 2015.

12:24.000 --> 12:28.000
And they described their purpose as funding on-call rotations, maintenance work

12:28.000 --> 12:30.000
and improvements to shared Ruby infrastructure.

12:30.000 --> 12:33.000
Specifically Bundler, RubyGems and RubyGems.org,

12:33.000 --> 12:37.000
which had, in their words, historically been done by volunteers.

12:37.000 --> 12:42.000
In 2022, these organizations merged and became a single nonprofit,

12:42.000 --> 12:46.000
and described the motivation as reducing duplicated nonprofit overhead

12:46.000 --> 12:50.000
and unifying community events under one roof.

12:50.000 --> 12:56.000
So this brings us to basically the more contentious events.

12:56.000 --> 13:01.000
Hands up if you were following this live on social media when it was going on in 2025.

13:01.000 --> 13:03.000
Yeah, a few people here.

13:03.000 --> 13:07.000
So September 2025, everything kind of goes down within a few weeks.

13:07.000 --> 13:10.000
And again, I think there's some interesting context when we talk about

13:10.000 --> 13:15.000
the setup for this taking almost 15 years and then within a few weeks

13:15.000 --> 13:18.000
things radically changed.

13:18.000 --> 13:22.000
So one of the first things I think that happened was control of the main

13:22.000 --> 13:25.000
GitHub organization, which was used by the RubyGems

13:26.000 --> 13:31.000
project, was changed in a way that restricted or removed access

13:31.000 --> 13:34.000
for some of the people who were maintaining RubyGems.

13:34.000 --> 13:38.000
And this came out of some folks who were involved with Ruby

13:38.000 --> 13:41.000
Central, and that also involved renaming the GitHub organization from RubyGems

13:41.000 --> 13:43.000
to Ruby Central.

13:43.000 --> 13:49.000
And essentially, there was, as far as various people involved are concerned,

13:49.000 --> 13:52.000
some people say this was a very long time coming,

13:52.000 --> 13:53.000
and it should have been expected.

13:53.000 --> 13:57.000
And other folks felt completely blindsided by what happened.

13:57.000 --> 14:00.000
There certainly wasn't any public notice of this.

14:00.000 --> 14:04.000
People had some sort of behind-the-scenes warnings that something might be happening.

14:04.000 --> 14:10.000
But certainly a bunch of people were, as I said, essentially blindsided by what happened.

14:10.000 --> 14:14.000
And the problem with this is when you make decisions quickly and when you deliver

14:14.000 --> 14:18.000
them somewhat abruptly, that always tends to feel hostile, right?

14:18.000 --> 14:21.000
It feels, it can feel malicious, it can feel difficult, it can feel targeted,

14:22.000 --> 14:25.000
even if it wasn't necessarily intended that way.

14:25.000 --> 14:29.000
And particularly in open source, when we assume so much stuff is going to be done in public,

14:29.000 --> 14:34.000
when there's no public communication at all, then it can make this very hard.

14:34.000 --> 14:37.000
There was also essentially no governance process.

14:37.000 --> 14:41.000
So I mentioned before Homebrew's governance process; we'll talk a little bit about that later.

14:41.000 --> 14:45.000
But essentially at the time when this was all going on, there wasn't a documented process

14:45.000 --> 14:50.000
about how people get added and removed, who controls what, which nonprofit

14:50.000 --> 14:55.000
is responsible for what, what taking money means as a contractor or an employee or whatever

14:55.000 --> 14:57.000
with this organization.

14:57.000 --> 15:01.000
And the problem is when you don't have a written governance structure,

15:01.000 --> 15:07.000
then whoever holds the power ends up filling the gap and getting to make the decisions.

15:07.000 --> 15:12.000
So after the initial kind of shock, we had an attempt at recovery, right?

15:12.000 --> 15:17.000
It looked like things were going okay to begin with, so we get to mid-September.

15:17.000 --> 15:21.000
There were multiple possible futures. It looked like we could get everything back.

15:21.000 --> 15:25.000
Everyone could get back on the same page. There might be some hurt feelings, but we would be okay.

15:25.000 --> 15:28.000
There was a governance PR proposed on September the 14th.

15:28.000 --> 15:32.000
You can go and see the URL I'll show on the screen in a few slides,

15:32.000 --> 15:35.000
where you can see the kind of conversation that was going back and forth.

15:35.000 --> 15:37.000
This is how I kind of ended up getting pulled in as well.

15:37.000 --> 15:41.000
Because it was based off Homebrew's governance, and then I kind of offered to give some input there

15:41.000 --> 15:44.000
and then got pulled into mediation as well.

15:45.000 --> 15:50.000
And then shortly afterwards, access was restored for most of these people, right?

15:50.000 --> 15:53.000
So if you go to the PR, you can kind of see how this went on.

15:53.000 --> 15:59.000
And like the sort of tick-tock of what was going on in the event, right?

15:59.000 --> 16:05.000
So then by September the 18th, we get to a point where I've offered to kind of step in and be

16:05.000 --> 16:09.000
between both sides. There's a lot of private conversations going on, a lot of private context going on.

16:09.000 --> 16:13.000
And in public, it looks good. It looks like both sides are discussing governance.

16:13.000 --> 16:18.000
And then we get to the point that access gets removed again for a bunch of people, right?

16:18.000 --> 16:22.000
And this is one thing that's got a little bit messy here, because some folks who had their

16:22.000 --> 16:28.000
access removed, then claimed that it was a mistake that their access had been removed

16:28.000 --> 16:34.000
and then others took offense and essentially things get very messy very quickly, right?

16:34.000 --> 16:38.000
And then trust just gets destroyed and never really rebuilt.

16:38.000 --> 16:42.000
This is when we start to get security concerns invoked as a justification as well.

16:42.000 --> 16:47.000
There was mention of supply chain security, which in recent history there had been

16:47.000 --> 16:54.000
npm supply chain security attacks. So RubyGems having a relatively similar trust model to that was

16:54.000 --> 16:57.000
concerning to the people who were involved.

16:57.000 --> 17:03.000
It also concentrated power very quickly and made clear who had power to do what and who

17:03.000 --> 17:07.000
was citing these concerns and using them to make what decisions.

17:07.000 --> 17:13.000
So by the time we get to late September, we have another inflection point, where it becomes

17:13.000 --> 17:19.000
public on the 28th of September that root-level infrastructure access still existed outside

17:19.000 --> 17:23.000
of the new control structure. So the people who were maintainers and had either been removed

17:23.000 --> 17:27.000
from the project or had quit the project in protest at the changes.

17:27.000 --> 17:34.000
Some of them still had AWS access and AWS root access even more severely, right?

17:34.000 --> 17:39.000
So again, there's back and forth about exactly who had what access and when, why, and what this meant.

17:39.000 --> 17:44.000
But essentially, regardless, this is a situation where the

17:44.000 --> 17:49.000
theoretical control of the project and the actual control of the project are diverging pretty far.

17:49.000 --> 17:55.000
Right? And then, essentially, there was a lot of back and forth, but eventually we reached the end state where

17:55.000 --> 17:59.000
almost a month later, on October the 17th, RubyGems publicly moved to the Ruby core team.

17:59.000 --> 18:06.000
So essentially, Ruby Central, who had taken ownership of these projects, then gave ownership elsewhere,

18:06.000 --> 18:13.000
and then the people who had been existing maintainers of RubyGems declared that they were happy with that

18:13.000 --> 18:16.000
and they were going to allow things to move on.

18:16.000 --> 18:23.000
So you can read the root access event. This has got kind of Ruby Central's take on what went down

18:23.000 --> 18:28.000
with the AWS access and stuff like that. This was posted on the 9th October.

18:28.000 --> 18:35.000
And then while this is all going on, it gets to the point where there's enough drama that various parts

18:35.000 --> 18:41.000
of the tech press start reporting on it and people are getting quotes, blog posts, social media,

18:41.000 --> 18:45.000
press coverage essentially take over. We're not having really any discussions on PRs anymore.

18:45.000 --> 18:48.000
This is all happening out in the open.

18:49.000 --> 18:56.000
And then the narrative stops being controlled by the people who are just involved and things become a little bit reactive.

18:56.000 --> 19:01.000
People start raising concerns privately, a lot of people in the Ruby community. People's confidence drops, like, what does this mean for RubyGems?

19:01.000 --> 19:03.000
Is RubyGems still going to be running anymore?

19:03.000 --> 19:13.000
And worst of all lawsuits begin, like we have, again, publicly on the record both sides have talked about how they've engaged in legal action with the other.

19:13.000 --> 19:21.000
I have no insider knowledge as to what the status of said lawsuits is, but I think it's relatively predictable that once that happens,

19:21.000 --> 19:30.000
people are no longer interested or able to make good and be friends with people they are in lawsuits with at that point.

19:30.000 --> 19:36.000
So what are the consequences of what happened here? Well, talk failed pretty quickly, right?

19:36.000 --> 19:42.000
People try to voice what was going on and how they were feeling and how they could improve things.

19:42.000 --> 19:49.000
But then when people get kicked out of the project, then all that just becomes public discussion instead of private discussion.

19:49.000 --> 19:53.000
So, a bunch of maintainers exit the project.

19:53.000 --> 19:57.000
Some people were removed against their will and then some people removed themselves in protest.

19:57.000 --> 20:03.000
So you get to the point where the majority of people who were working on RubyGems, in the space of two months, essentially have left.

20:03.000 --> 20:06.000
And gone to do their own thing.

20:06.000 --> 20:16.000
So, doing their own thing, what does that mean? Well, there was gem.coop, which some of the maintainers went off and decided to build.

20:16.000 --> 20:25.000
So they essentially built their own alternative to RubyGems, both the centralised service, and they have forks of various other projects and stuff as well.

20:25.000 --> 20:30.000
So this was not an overnight replacement, but it was spun up relatively quickly.

20:30.000 --> 20:35.000
And it built essentially a separate kind of side ecosystem, which changed the power landscape, right?

20:35.000 --> 20:39.000
So, forks don't need to necessarily win or get more users to matter.

20:39.000 --> 20:44.000
And in this case, I think this kind of sent a message about how things could be done differently.

20:44.000 --> 20:50.000
And it also made clear that that group of people were not interested in re-entering the fold again.

20:50.000 --> 20:56.000
So, another interesting kind of consequence of this is I guess what I would call professional open source.

20:56.000 --> 21:00.000
So, what I mean by that is we have a bunch of people in this room.

21:00.000 --> 21:02.000
I would guess probably the majority of people in the room.

21:02.000 --> 21:05.000
How many people are paid to do open source work primarily at their job?

21:05.000 --> 21:06.000
Okay.

21:06.000 --> 21:10.000
I guess if you look around the room, everyone, that is the minority, right?

21:10.000 --> 21:14.000
And I would say in the open source community in general, it is in the minority, right?

21:14.000 --> 21:20.000
So, when you have people whose full-time salaried work is focused primarily on open source,

21:20.000 --> 21:26.000
and when they have bosses and leaders and HR teams and their mortgage depends on them,

21:26.000 --> 21:30.000
making these people happy, then incentives are radically different, right?

21:30.000 --> 21:36.000
And it introduces different incentives to what existed before, when you have volunteers working in their free time.

21:36.000 --> 21:41.000
And also, you have the blurring between the two, where you have people taking contracts and then paid work on open source.

21:41.000 --> 21:48.000
They might not be an employee, but they have agreed to some sort of transactional relationship in exchange for money.

21:48.000 --> 21:50.000
And that makes things hard.

21:50.000 --> 21:55.000
And this is even more tricky when you have a project like RubyGems, which is already hard,

21:55.000 --> 21:57.000
because you are running critical open source infrastructure.

21:57.000 --> 22:01.000
And it requires many skills outside of writing code, right?

22:01.000 --> 22:06.000
Which is sometimes the easiest skill to be able to get from the community in open source.

22:06.000 --> 22:13.000
What this means is that volunteers have their limits and people are now, right?

22:13.000 --> 22:17.000
So what does this mean for careers, right?

22:17.000 --> 22:23.000
So a bunch of the people involved in this story had at some point been paid either full-time or part-time,

22:23.000 --> 22:28.000
or full-time employees of Ruby Central, Ruby Together or whatever it may be.

22:28.000 --> 22:33.000
Well, my potentially contentious take is open source is not a career, right?

22:33.000 --> 22:38.000
And by that, I don't mean those of you who said it's your full-time job to work on open source.

22:38.000 --> 22:41.000
I don't mean that you somehow don't have a job in you now.

22:41.000 --> 22:44.000
He's, and don't really know where you are or what you're doing.

22:44.000 --> 22:48.000
Like, obviously, some people do have that, but most of us don't.

22:48.000 --> 22:50.000
Open source can be part of your career.

22:50.000 --> 22:53.000
And even those folks, I imagine, who are working full-time on open source,

22:53.000 --> 22:56.000
I would imagine your day-to-day looks pretty different to how it did if it was just your evenings

22:56.000 --> 22:57.000
and weekends, right?

22:57.000 --> 22:59.000
It's a very different way of working.

22:59.000 --> 23:07.000
And I don't think we help our community by making out that the way you worked before you received any money

23:07.000 --> 23:12.000
can just be paid a Bay Area salary without any change to it.

23:12.000 --> 23:20.000
So I think we also need to plan for our exit as individuals and as organizations, and exit of funding and all these types of things.

23:20.000 --> 23:21.000
Right?

23:21.000 --> 23:25.000
We need to plan for the transitions that are going to happen even when they're deeply uncomfortable.

23:25.000 --> 23:28.000
Because ultimately, one size does not fit all.

23:28.000 --> 23:31.000
Every project is going to ebb and flow and change over the years.

23:31.000 --> 23:34.000
And context is everything.

23:34.000 --> 23:36.000
So what can we learn from all this?

23:36.000 --> 23:39.000
Well, as I said at the beginning, it's not about blame, right?

23:39.000 --> 23:44.000
We need to not blame because it just simplifies and polarizes and it prevents learning.

23:44.000 --> 23:49.000
If you're 100% sure about who's right and who's wrong, then that's going to feel good maybe for you,

23:49.000 --> 23:51.000
but it's not going to explain very much.

23:51.000 --> 23:56.000
Governance in open source is really boring until it's not.

23:56.000 --> 24:00.000
And at that time, it's probably too late to introduce it.

24:00.000 --> 24:01.000
Okay?

24:01.000 --> 24:04.000
Maybe money entering the equation makes things better.

24:04.000 --> 24:06.000
It certainly makes things a lot more complicated.

24:06.000 --> 24:11.000
Think really carefully about how and when and why you introduce money into such a project.

24:11.000 --> 24:16.000
Let's all not focus on who was right and who was wrong, not who messed up,

24:16.000 --> 24:18.000
but instead just try and ask better questions.

24:18.000 --> 24:22.000
Let's ask about what broke and why it broke and not who did what.

24:22.000 --> 24:25.000
And then we could learn something about governance and money.

24:25.000 --> 24:29.000
If your project hasn't argued about governance or money yet, it probably will one day.

24:29.000 --> 24:34.000
Be prepared and try and do this stuff before it becomes a problem, and that's the transferable lesson.

24:34.000 --> 24:37.000
If you've got questions, then you can speak to me outside.

24:37.000 --> 24:41.000
You can email me or you can find how to contact me in other ways on my website.

24:41.000 --> 24:42.000
Thank you very much.

24:42.000 --> 24:47.000
Thank you very much.

