I'm not saying that they're just "a nice community member", I'm saying that they're the ones doing the work. They're not randos, they're trusted maintainers in the ecosystem with a proven track record. After the purge, rubygems and Bundler have only one active maintainer, one who's splitting his time between Rails, Ruby core, and many other open source projects. The bundler and gem-specific experts have been removed, and we've gone from a bus factor of 4-5 to a bus factor of 1. This is much, much more unacceptable than the theoretical risk of a trusted, active maintainer with 10+ years of community experience suddenly deciding to go rogue and rewrite history (has this ever happened in the history of a supply chain attack?)
Also, commit access to GitHub doesn't even say anything about access to deploying the actual package on rubygems. If security really was the goal, there were a million less invasive ways to make this change than revoking commit access from the active maintainers. Set up branch protections, require approvals, etc. There are a lot more tools in the toolbox other than "remove all of the maintainers".