The RubyGems Coup: When Parasites Take the Host

UPDATE (September 20, 2025): Read the followup analysis: Ruby Central’s Governance Crisis - covering community reactions, the collaborative governance work that was abandoned, and what to watch for in Monday’s Q&A.

261 repos versus 15. 207 repos versus 15. A decade of maintenance versus tutorials from 2010.

These aren’t random numbers. They’re the GitHub repository counts that expose the RubyGems coup for what it really is: builders being replaced by a suit.

On September 9, 2025, while most of us were writing code, Ruby Central executed a hostile takeover of RubyGems. They forcibly removed maintainers who’d been building and securing our package infrastructure for over a decade. Their replacement? Marty Haught—a “Director of Open Source” whose last Ruby contribution was a Rails tutorial when Obama was in his first term.

They call it governance. I’ve seen tapeworms with more legitimate claims to their host.

The September Purge: A Timeline

September 9, 2025: Without warning, someone renamed the “RubyGems” GitHub enterprise to “Ruby Central.” They added Marty Haught—who isn’t a maintainer—and removed every actual maintainer of the RubyGems project.

September 9-19: When called out, they partially reverted. Then did it again. Crossing that line twice proved they weren’t acting in good faith.

September 19: Andre Arko, creator of Bundler, posts: “The RubyGems team is no more.” Ellen Marie Dash resigns from Ruby Central “effective immediately” and publishes her exposé.

September 23: Ruby Central schedules a “community Q&A” to explain why they had to destroy the village to save it.

Ten days. That’s all it took to dismember a team that had been maintaining critical Ruby infrastructure for over a decade.

The timing couldn’t be worse. Ruby’s reputation was finally recovering—DHH’s Omarchy (his Arch Linux distro for developers) had people excited about Ruby again. Test suites running twice as fast on Linux compared to M4 Macs. 37signals moving their entire team to Linux. The community had momentum for the first time in years.

Then Ruby Central decided to execute a hostile takeover of the package manager we all depend on. Nothing kills developer enthusiasm faster than infrastructure drama.

Meet Your New Overlord: The Optics Parasite

Let me introduce you to Marty Haught, Ruby Central’s “Director of Open Source.”

His Ruby contributions:

• continuous-deployment (2010): Some deployment scripts
• couchcms (2009): Abandoned
• getlean (2010): RailsConf tutorial
• radiant-page-event (2008): A calendar plugin

Last meaningful Ruby code: 2015. Total repos: 15.

But wait, it gets better. I checked RubyGems.org. Number of gems published under his name? Zero.

His LinkedIn tells the real story. “Director of Engineering” at HashiCorp. “Director of Engineering” at Fastly. Before that? Java developer at VML (2002-2004). His actual Ruby experience? Running a consultancy that did “project rescues” and “developer training”—translation: telling actual developers what to do while not shipping code himself.

The cherry on top? He was “Advisor to RubyGems” from March to September 2024, focusing on “incident response, disaster recovery, and team processes.” Six months of advising, then boom—he’s running the place. Classic management coup: get close as an “advisor,” then execute the takeover.

Maybe he learned that move in the 101st Airborne (1992-1994, per his LinkedIn). Except this time he wasn’t taking out tanks—he was taking out maintainers.

This is who’s now in charge of RubyGems. A serial director who hasn’t published a single gem, whose Ruby experience peaked when we were still debating whether to use Prototype or jQuery.

Meanwhile, his own blog posts reveal his true expertise: writing about “governance,” “funding,” and “sustainability.” Translation: he’s mastered the art of talking about open source without actually doing open source.

The Builders They Destroyed

Ellen Marie Dash (duckinator)

• 207 repositories
• In the Ruby community since she was 13, maintaining RubyGems since 23
• Handled security vulnerabilities through HackerOne
• Actually understands the codebase

Andre Arko (indirect)

• 261 repositories
• Created Bundler—you know, that tool you use every single day
• Maintained RubyGems for over a decade
• Built the infrastructure Ruby depends on

These aren’t just numbers. Ellen and Andre have more repositories individually than Marty has total contributions to GitHub. They’ve been writing the code that powers our ecosystem while Marty was presumably in meetings discussing “stakeholder alignment” and “strategic initiatives.”

The Pattern: Corporate Capture Disguised as Safety

Ruby Central’s excuse? “Strengthening stewardship.” “Protecting against supply chain attacks.” “Ensuring security.”

Funny how “ensuring security” meant removing the person who actually handled security vulnerabilities.

Here’s their real playbook:

1. Create a crisis narrative: “Supply chain attacks! Security threats!”
2. Remove the builders: Those who know the code become the threat
3. Install managers: People who speak corporate but can’t code
4. Control the narrative: “We’re protecting you from… something”
5. Monetize the infrastructure: Wait for it—the consultant contracts are coming

This is the same pattern I’ve seen everywhere. AWS deleting accounts while claiming it’s for “security.” Observability vendors locking you in while claiming it’s for “reliability.” Now Ruby Central claiming they need to remove maintainers for “protection.”

Protection from what? From people who actually understand how the code works?

The Real Agenda

Look at what Marty’s actually done at Ruby Central:

• Grown the budget from $220k to $900k
• Created committees and governance structures
• Talked about funding and sustainability
• Given keynotes about “technical debt”

Notice what’s missing? Actually maintaining RubyGems.

This isn’t about security. It’s about control. Control of the budget. Control of the infrastructure. Control of the narrative.

They removed people who write code and replaced them with people who write governance documents. They removed people who fix bugs and replaced them with people who create bureaucracy.

The Community Bleeds

Andre Arko didn’t just leave—he’s gone completely. After creating Bundler, after a decade of maintenance, he’s focusing on other projects. His goodbye was polite, but we all know what it means: Ruby Central broke something that can’t be fixed.

Ellen Marie Dash was more direct. She called it what it is: “a hostile takeover.” She refused to watch silently. She resigned immediately.

These aren’t disgruntled employees. These are the people who built what we use every day. And Ruby Central drove them out to install someone whose last contribution was when Rails 4 was new.

The Hypocrisy Burns

Ruby Central claims this is about preventing supply chain attacks. You know what actually prevents supply chain attacks? Having maintainers who:

• Know the codebase intimately
• Have been securing it for years
• Understand the attack vectors
• Can spot malicious code

You know what doesn’t prevent attacks? Installing a “Director of Open Source” who hasn’t written Ruby in a decade.

This is security theater at its worst. They’re not protecting us from attacks—they’re attacking the people who were protecting us.

The irony is so thick you could cut it with a gem: Ruby Central was so afraid of supply chain attacks, they organized their own. They literally executed the hostile takeover they claimed to be protecting us from. Except instead of malicious code, they injected malicious governance.

The Pattern Repeats

I’ve seen this parasite before. Different host, same pattern.

In my post about Pattern Parasites, I wrote about open source maintainers burning out from entitled users. But there’s another parasite I didn’t mention: the Optics Parasite. They don’t contribute code. They contribute “governance.” They don’t fix bugs. They fix “processes.” They don’t build. They “oversee.”

And when they’ve accumulated enough “oversight” credentials, they make their move. They take control of what others built, claiming it’s for the greater good.

Marty Haught is a textbook Optics Parasite. He attached himself to Ruby Central, grew the budget (more money to control), created structures (more positions to fill), and then executed the takeover.

What This Means for Ruby

We’re watching the corporatization of Ruby’s core infrastructure in real-time. The people who built it for love are being replaced by people who manage it for control.

Today it’s RubyGems. Tomorrow it’ll be more. Every piece of critical infrastructure is a target for these parasites. They smell the budget. They smell the influence. They smell the opportunity to put “Director of Essential Infrastructure” on their LinkedIn.

And we’re letting it happen.

The Path Forward

Ruby Central scheduled a Q&A for September 23. They’ll explain why they had to destroy maintainer trust to save it. They’ll use words like “sustainability” and “governance” and “best practices.” They’ll avoid mentioning that their new leadership hasn’t written Ruby since the first iPhone.

But we don’t need their explanation. The pattern is clear.

What we need is resistance:

1. Call it what it is: A hostile takeover by non-contributors
2. Demand transparency: Who made these decisions and why?
3. Support the builders: Follow Andre and Ellen to their new projects
4. Create alternatives: If they can take RubyGems, we need backup plans
5. Remember who did this: When Ruby Central asks for donations, remember September 2025

The Bitter Truth

The Ruby community just learned what I learned when AWS deleted my account: infrastructure isn’t neutral. It’s controlled by people with agendas. And sometimes those agendas involve removing everyone who actually knows how things work.

The difference? AWS at least had the courtesy to be a faceless corporation. Ruby Central pretends to be community-driven while executing corporate takeovers.

They took RubyGems from people with 261 repos and gave it to someone with 15. They removed someone who’s been in the Ruby community since she was 13. They drove out the creator of Bundler.

And they want us to call it “strengthening stewardship.”

I call it what it is: parasitism. The Optics Parasite has taken the host.

The only question now: Will the Ruby community accept this infection, or will we build the cure?

To Ellen and Andre: Thank you for the years of maintaining what we all depend on. Your resignation letters were too polite. The community deserves to know what was taken from us.

To Marty Haught: 15 repos. Zero gems. Director of what, exactly?

To Ruby Central: You had the trust of maintainers who’d been part of this community for over a decade. You burned it for control. The community won’t forget.

At least when AWS deleted my account, they had the decency to restore it and conduct a Correction of Error. They admitted fault, fixed the system, and made sure it wouldn’t happen again. Ruby Central? They’re doubling down on the coup.

Captain Seuros, Building the Liberation Stack

“Every parasite needs a host. Not every host needs the parasite.”