The Puppet Master: How Shopify Orchestrated Ruby Central's Hostile Takeover

BREAKING: Joel Drapper’s investigation and insider confirmations reveal Shopify orchestrated the entire Ruby Central takeover. The threats, the betrayal, the personal vendettas—it’s all here.

The Smoking Gun: Shopify’s Ultimatum

Joel Drapper’s investigation has uncovered what Ruby Central tried to hide: Shopify pressured Ruby Central to take control of RubyGems by threatening funding.

As Joel reports:

“Shopify pressured Ruby Central to take control of the RubyGems repositories” and “threatened to withdraw funding if Ruby Central did not comply”

Even more damning, Shopify had specific targets:

“Specifically demanded exclusion of André Arko, a long-time RubyGems maintainer”

This wasn’t about security. It wasn’t about governance. It was about a corporation using financial leverage to seize control of critical infrastructure and eliminate specific people.

The Ultimate Betrayal: “Kick André Off the Team”

Ellen Marie Dash revealed the exact ultimatum Ruby Central delivered to maintainers on September 24, 2025:

“They were trying to coerce us into doing what they want, and every time we were close to doing what they stated they wanted, they changed it. Eventually, their demand became: ‘kick André off the team, if you want access back.’ That’s a line I refused to cross. THAT is why I spoke up.”

Ellen clarifies her motivations weren’t personal:

“I am not & was not upset that MY access was revoked. My attention was elsewhere and I was considering stepping down in December. I am upset that Ruby Central revoked access from us, including the most-active contributor, and demanded we kick someone off the team to get it back.”

Her final assessment is devastating:

“A company has committed a supply chain attack against the entire Ruby ecosystem, in broad daylight, via financial coercion of a nonprofit. Ruby Central is not innocent here. They actively participated. But it’s bigger than that.”

Ellen emphasizes this isn’t personal:

“Some people seem to think this is a ‘me vs Ruby Central’ thing. It’s not. Making me the focus is missing my fucking point. I brought it to light, because what I saw was unacceptable in every way.”

She put it all on the line:

“Speaking out has been a net negative for me as an individual, but I owe it to the people who worked alongside me & the community that supports me, so I accept it. I will not bite my tongue in the name of peace and quiet when two decades of many people’s work is being shat on in the name of money.”

The Betrayal Has a Name: hsbt

The maintainer who “broke the shared contract” on September 9? hsbt (Hiroshi Shibata).

Multiple sources confirm hsbt was the one who added Marty Haught to the GitHub organization without consent from other maintainers, enabling the entire takeover. The betrayal came from someone trusted within the community.

As one Reddit commenter claimed:

“hsbt is also a Shopify employee. He works on the Ruby Infrastructure team at Shopify.”

However, hsbt’s LinkedIn profile shows he works at 株式会社アンドパッド (AndPad Inc.), not Shopify. The Reddit claim appears to be incorrect. The motivations behind his actions remain unclear, but the betrayal of his fellow maintainers enabled the corporate takeover.

Community Dynamics and Historical Context

The Ruby community has long had complex relationships between key figures. DHH publicly endorsed Ruby Central’s approach on September 19, stating they were “making the right moves to ensure the Ruby supply chain is beyond reproach.”

Some community members have noted historical tensions. knzconnor observed:

“DHH has personal issues with Andre. If memory serves correctly this goes back to the bundler adoption in Rails. Even without that there have always been simmering issues between the two.”

These historical dynamics add complexity to an already challenging situation, though different community members interpret their significance differently.

The rv Threat: Why Shopify Had to Act

André Arko’s new project rv (a Ruby version manager), developed through his cooperative Spinel, wasn’t just another tool; it was seen as a direct threat to Shopify’s control ambitions.

Joel Drapper’s investigation reveals Shopify specifically viewed rv as problematic:

“The new rv tool by Spinel (André’s cooperative) was seen as a potential threat”

Shopify couldn’t allow an independent project led by the very maintainers they were trying to remove. The takeover had to happen before rv gained momentum. This wasn’t paranoia—it was calculated elimination of competition.

The Money Trail: Events Over Maintenance

The financial crisis that gave Shopify leverage began with RailsConf. After losing Sidekiq’s $250,000 annual sponsorship following the conference, Ruby Central became almost entirely dependent on Shopify’s funding.

knzconnor reveals:

“They ran out of money earlier this year by continuing to fully fund the conferences when attendance dropped rather than scale back. After floating salaries and bills from reserves, they did fundraising and got the money from a few sponsors, with Shopify likely being the largest.”

Ruby Central chose conferences over maintainers. When the money ran out, Shopify had leverage. The price of the bailout? Control of RubyGems.

simi’s Technical Breakdown: The Great Conflation

Josef Šimánek (simi) published a devastating technical analysis showing how Ruby Central deliberately conflated two distinct responsibilities:

Maintainers vs Operators

Maintainers (what was taken):

  • Develop the codebase
  • Fix bugs and add features
  • Review and merge pull requests
  • Define technical direction
  • Own the intellectual property

Operators (what Ruby Central actually runs):

  • Keep servers running
  • Handle infrastructure
  • Pay AWS bills
  • Manage uptime
  • Run the service

As simi notes:

“Running Rubygems.org AWS account is something, developing rubygems/rubygems.org codebase is something totally different.”

Ruby Central used their role as service operators to justify seizing control of the code itself. It’s like your hosting provider claiming ownership of your application because they run your servers.

The Timeline of Corporate Capture

Phase 1: Create the Crisis

  • Ruby Central burns through money on conferences
  • Maintenance funds depleted
  • Financial crisis manufactured

Phase 2: The Shakedown

  • Shopify threatens to withdraw funding
  • Ultimatum: Give us control or lose everything
  • Ruby Central board given “less than 24 hours”

Phase 3: The Inside Job

  • hsbt adds Marty Haught on September 9 without consent
  • Maintainers removed without warning
  • Access revoked across all repositories

Phase 4: The Cover-Up

  • “Security” and “governance” cited as justification
  • Community endorsements secured from influential figures
  • Community Q&A scheduled to control narrative

Phase 5: The Revelation

  • Freedom Dumlao breaks ranks, reveals board was misled
  • Martin Emde exposes the lies
  • Joel Drapper uncovers Shopify’s orchestration

The Pattern: Corporate Capture Playbook

This isn’t unique to Ruby. It’s the standard corporate capture playbook:

  1. Financial Dependency: Create financial crisis or exploit existing one
  2. Ultimatum: Threaten to withdraw funding unless given control
  3. Inside Actor: Use employee or ally to execute takeover
  4. Narrative Control: Frame as “security” or “governance” issue
  5. Useful Idiots: Get community figures to endorse without revealing true motives
  6. Fait Accompli: Once control seized, make reversal impossible

What Shopify Really Wanted

Look at what Shopify gains:

  • Control over Ruby’s package ecosystem
  • Ability to prioritize their needs
  • Elimination of independent maintainers
  • Prevention of competing projects like rv
  • Narrative control over Ruby’s future

They didn’t want to contribute. They wanted to control.

The Human Cost

While Shopify executives played corporate games:

  • Ellen Marie Dash works to avoid losing her home
  • André Arko walks away after a decade of service
  • Martin Emde exposes lies while maintaining grace
  • The community loses trust in its institutions

Shopify’s market cap: $136 billion. Cost to maintain RubyGems properly: A rounding error. Price paid: The soul of the Ruby community.

The Broader Implications

If Shopify can capture Ruby’s infrastructure through financial threats, what’s next?

  • npm under corporate ultimatum?
  • PyPI facing funding “crises”?
  • Go modules getting “governance improvements”?

Every open source project dependent on corporate funding is vulnerable to this playbook.

Joel Drapper’s Call to Action

Joel ends his investigation with a critical point:

“The Ruby community needs to decide: Do we accept governance by corporate ultimatum, or do we build alternatives?”

He’s right. But the question goes deeper: Can open source survive when corporations can simply buy control through manufactured crises?

What We Know Now

  1. Shopify orchestrated the takeover through funding threats
  2. hsbt was the inside actor who enabled it
  3. Historical tensions between community figures created additional complexity
  4. Ruby Central’s board was manipulated or complicit
  5. The “security” justification was fabricated
  6. The rv project was seen as a threat to control
  7. The maintainers vs operators distinction was deliberately obscured

The Path Forward: Liberation or Subjugation?

The Ruby community faces an existential choice:

Option 1: Accept Corporate Rule

  • Let Shopify control RubyGems through Ruby Central
  • Hope they’re benevolent dictators
  • Pray they don’t prioritize their needs over community needs
  • Watch independent maintainers leave

Option 2: Build the Alternative

  • Support André’s rv project
  • Create independent funding models
  • Fork the infrastructure if necessary
  • Reclaim community governance

Option 3: Force Transparency

  • Demand full disclosure of funding arrangements
  • Require public board meetings
  • Implement true community representation
  • Create checks on corporate power

To Those Involved

To Shopify: You had the money to maintain RubyGems properly. Instead, you chose control through coercion. Your $136 billion market cap was built on Rails, and this is how you repay the community?

To hsbt: You broke the trust of your fellow maintainers. The community trusted you as a steward of critical infrastructure.

To Ruby Central Board: You were either deceived or complicit. Either way, you failed your duty to the community. Freedom’s confession shows you knew something was wrong.

To Joel Drapper: Thank you for the investigation that exposed what they tried to hide. Your courage in publishing this matters.

To the Rails community: This situation reveals the complexity of maintaining open source infrastructure when corporate and community interests diverge.

The Uncomfortable Truth

Ruby Central didn’t have a governance crisis. They had a corporate capture.

Shopify didn’t save Ruby’s infrastructure. They bought it through financial pressure.

The community’s complex history and relationships created an environment where corporate interests could exploit existing tensions.

The board didn’t strengthen stewardship. They surrendered it to the highest bidder.

The Ultimate Irony: This WAS the Supply Chain Attack

Ruby Central claimed they needed to remove maintainers to prevent supply chain attacks. Ellen Marie Dash identifies what really happened:

“A company has committed a supply chain attack against the entire Ruby ecosystem, in broad daylight, via financial coercion of a nonprofit.”

The corporation claiming to protect the supply chain executed the very attack they warned against. Except instead of malicious code, they injected corporate control.

What Happens Next?

The mask is off. We know who orchestrated this, how they did it, and why. The question now: What does the Ruby community do with this knowledge?

Continue accepting corporate rule? Build alternatives? Demand accountability?

The RubyGems you use tomorrow depends on what you choose today.


To Shopify executives: We see you. Your threats, your ultimatums, your puppet strings—all exposed.

To the Ruby community: They took your infrastructure through threats and betrayal. The question isn’t whether to resist, but how.

To future historians: Document this. Study it. Learn from it. This is how open source dies—not through technical failure, but through corporate capture.

Captain Seuros, Exposing the Puppet Masters

“When corporations pull the strings, open source dances to their tune. Cut the strings, or become the puppet.”


Updates

September 24, 2025: Ellen Marie Dash reveals the specific ultimatum: “kick André off the team, if you want access back.” She clarifies this isn’t personal—she was planning to step down anyway—but about protecting “two decades of many people’s work” from being destroyed “in the name of money.” She identifies this as a corporate supply chain attack executed through financial coercion.

This article synthesizes investigations by Joel Drapper, direct testimony from Ellen Marie Dash, technical analysis by Josef Šimánek (simi), board revelations from Freedom Dumlao, and rebuttals from Martin Emde. The full story of Ruby Central’s corporate capture is finally exposed.
