Jason Meller
@jmeller.bsky.social
Founder of Kolide.com
VP, Product at 1Password
Author of honest.security
CT, USA

I write about entrepreneurship, Ruby, IT, and cyber security.
The reason legal stuff is so important when first setting up entities is that’s when everyone is in alignment and there are smiles all around the table.

Once that’s gone, it turns into a knife fight and it becomes impossible. Now courts will need to ultimately litigate.
October 10, 2025 at 1:28 PM
Let’s be clear: this post shows that, operationally, this whole setup is a mess. You have creds all over the place, a confused OSS manager, and no clear-cut docs that establish clear ownership. No IT inventory.

Ruby Central and Ruby Together set this up to only work if everyone perfectly got along.
October 10, 2025 at 1:28 PM
I got so excited thinking about banana splits that I typoed!
October 3, 2025 at 7:02 PM
Congrats, I can’t eat banana splits nearly that fast, but I similar heart rate though.
October 3, 2025 at 6:54 PM
Yep, became a member last year, and yes, I was at Rails World and spoke about passkeys.
September 30, 2025 at 10:10 PM
A great start for Andre is to sign an affidavit attesting he didn’t abuse his access to the systems or retain any PII from that access either during his contracted employment or afterwards. That would be a great start rebuilding trust.
September 30, 2025 at 10:09 PM
Andre is entitled to have an IP dispute.

What I won’t do is watch silently as he erodes the public trust in the only legal entity capable of running all of Rubygems.[org] so that he has an monitor advantage in the IP dispute. That’s an existential threat to the Ruby community.
September 30, 2025 at 10:08 PM
How do you know Andre didn’t use it? You continue to assert things you can’t possibly know. I truly hope he didn’t use it and I hope Ruby Central investigates to make sure.

I also hope he didn’t retain copies of any PII. Someone should look into that.
September 30, 2025 at 10:05 PM
Literally the exact opposite of the definition of responsible disclosure.
September 30, 2025 at 9:52 PM
I frankly do not care (and did not care) about GH repos. What I care about is Arko had (has?) access to prod systems with my PII in it after being terminated & didn’t responsibly disclose it by virtue of telling you.

This is all the evidence I need to know something is extremely wrong here.
September 30, 2025 at 9:42 PM
If I left any company (fired or otherwise) and still had access to prod systems and told them and also told the press or social media about it I would rightfully be permanently unhirable.

I would NEVER do what he just did to my worst enemy. It’s just not done.
September 30, 2025 at 9:35 PM
You are allowed to point it out and deal with the consequences when the full story comes out. It usually always does. You are placing your entire reputation in this community on the line based on incomplete info. Hope you know what you’re doing.
September 30, 2025 at 9:34 PM
It is simply no longer relevant if Arko is right or not. The whole ecosystem is at risk and you are contributing to the risk.

If you are successful and Ruby Central can’t the service, who exactly wins?

Not anyone. Let’s get it functional and deal with this Arko thing when the stakes are lower.
September 30, 2025 at 9:31 PM
This is a big deal. Ruby Central is running this service and if they fail to do so, it will have dire consequences that far eclipse the minor spat.

I speak for many when I say we need to get Ruby Central healthy. Them failing is a threat to the whole Ruby community.
September 30, 2025 at 9:28 PM
I agree they should have locked him out right away. Them not doing so doesn’t prove they don’t think of him as a risk. It shows they aren’t prepared to do access revocation. They need help not mudslinging.

His actions of putting them on blast paint him unfavorably to in-the-know security folks.
September 30, 2025 at 9:25 PM
> He email them to disclose that he still had access.

Yes and then he told you so you can be manipulated into covering it.

I agree it's not great that Ruby Central didn't revoke access. I wouldn't have a job if orgs got that right every time, let alone a resource constrained non-profit.
September 30, 2025 at 9:09 PM
You have no way of knowing what Ruby Central knows about Arko. How could you possibly know they lied?
September 30, 2025 at 9:06 PM
This settles it. Based on this blog post, I believe Ruby Central acted correctly in parting ways with Arko.

I'm eager to hear Ruby Central's side. Arko is not in charge of RubyGems[.]org. Him using the info of lingering access as a wedge to win in the court of public opinion is clear manipulation.
September 30, 2025 at 9:00 PM
Clearly not always true, but it’s a good sign that you did something right.
November 18, 2024 at 7:55 PM
“Shine a flashlight into the soup. If the beam bends slightly, it’s properly seasoned.”
November 17, 2024 at 11:37 PM