
They buried the lede...

Arko wanted a copy of the HTTP Access logs from rubygems.org so his consultancy could monetize the data, after RC determined they didn't really have the budget for secondary on-call.

Then after they removed him as a maintainer he logged in and changed the AWS root password.


What a truly wild situation.

In a certain sense this post justifies why RC wanted so badly to take ownership - I mean, here you have a maintainer who clearly has a desire to sell user data to make a buck - but the way it all played out with terrible communication and rookie mistakes on revoking access undermines faith in RC's ability to secure the service going forward.

Not to mention no explanation here of who legally "owned" the rubygems repo (not just the infra) and why they thought they had the right to claim it, which is something disputed by the "other" side.

Just a mess all around, nobody comes off looking very good here!


I can give benefit of the doubt that making a proposal to monetize user data is a poorly-considered, bottom-scraping effort to find a replacement funding source for the on call work. Most of us would not consider it, but I think it should be ok to occasionally pitch some bad ideas, all else being equal and lacking full context.

But messing with the credentials crosses an ethical line that isn't excused no matter how much you disagree with the other party's actions.


I totally agree, assuming all this is accurate he immediately proved that RC was right all along to be concerned about him!

I can only assume it is silly revenge seeking behavior. Look at how symmetrical it is:

1. RC takes over GitHub Repository and locks everyone out
2. Arko takes over RubyGems server and locks everyone out.

He was an authorized actor right up until they tried to remove him, but they forgot to revoke his access credentials. I wonder if legally-speaking he was even considered unauthorized.

EDIT: Missed their email notification revoking his production access. Yeah looks like they could have a legal basis.


This is not legal advice, but if you get fired and then break into the office later, the police won’t care that you used your spare key.

Seems someone took it a step further and changed the locks too.


really disappointing. it's such a huge security concern and privacy/ethical lapse, i am super disappointed in him, despite his contributions to the world of Ruby package management

he's now started a competing gem.coop package manager, and while they haven't released a privacy policy it does make me suspicious about how they were planning to fund it

no single person should have Github owner + AWS root password for a major language's package manager and ecosystem just sitting around on their laptop while they fly around to different conferences in Japan e.g. (as Andre did while hacking rubygem's AWS root account to show off)


[citation needed]

From the article:

“Following these budget adjustments, Mr. Arko’s consultancy, which had been receiving approximately $50,000 per year for providing the secondary on-call service, submitted a proposal offering to provide secondary on-call services at no cost in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII).”


I think that if they had been up front and transparent, and cut the PR bullshit corpospeak from their damage-control post, this would have been something that's much less embarrassing for all involved.

Something like:

"Hey all, RC here: with the very real threat of supply-chain attacks looming around us, one of the critical financial backers of our nonprofit org gave us a deadline around tightening access to the Github Account for rubygems/bundler. We tried and failed to arrive at a consensus with the open-source volunteers and maintainers for the best path forward and were forced to make a decision between losing the funding and taking decisive (if ham-fisted) action to keep Ruby Central financially healthy. We think RC's continued work is important enough that we stand by our decision, upsetting though it might be, but want to work out a better one ASAP. We are genuinely sorry for any fear/disruption this has caused."

Something simple that just owns the fact that they screwed up and tried to handle it as best they could. Doing this proactively as soon as they made the changes and broadcasting it would have been even better, but even posting this in reply to the controversy would have done more imo...


Sounds like you should volunteer for Ruby Central to help them with their communications! I don't mean that facetiously: it seems that they could use you, or someone like you, with comms. As the OP readily admits, this is not a strong point for them.

My general take on this:

1) Nerds are often not the best at communicating.

2) People on the Internet can be very cruel towards people they don't know.

We could all do better, especially with #2. The Internet used to be cool as hell. Now, by and large, it sucks.


The organisation already has non-technical people employed. They should be able to get basic communications right.


This has the advantage of being short and so takes way less brainpower to piece together what actually happened. Reading between lines is exhausting.


Could someone with more insight as to the decision-making at Ruby Central weigh in on what's going on here? Between this and drama with the conferences over the years I'm just confused. They've been busy launching podcasts and doing fundraising, email campaigns and all that. Has there been a change in leadership?


Yes, they recently hired a new Executive Director.



Someone with absolutely no technical background, a recipe for disaster.


Rhiannon worked with Ruby Central for a bit, left a few weeks ago, and just shared this: https://bsky.app/profile/rhiannon.io/post/3lz6zcflg2s26


Oh wow. I'm absolutely alarmed after reading that. To be honest, I had been wondering if some of the PR disasters this year could be laid on Rhiannon's shoulders, but it sounds like the rot is coming from the top.


Post not found, what did it say?


her followup post:

> Deleted my post, which I published before Ruby central released their blog explaining things.
>
> It’s ultimately not my place to say or speculate about what’s going on.
>
> It’s obviously a disastrously bad roll out or whatever is happening and I hope they are able to make things right w the community.



Interesting. It worked a few hours ago. Sorry, I didn't make a copy of the text.


Opposed to hiring someone with a technical background but no experience running a non-profit?


It's easier to learn to run a non-profit coming from a technical management background than it is for an MBA to learn to be an engineer.


As opposed to someone with experience with both?


I mean, that would be awesome. Got someone in mind?


Non sequitur. False dichotomy.


looking at that CV, I have zero doubt that this will be a subscription service in 5 years time


Yikes! At least they'll have someone "results-driven, client-focused," and "driving stakeholder engagement", because that's really what a software repository needs.


> Going in, I had heard there was something magical about the Ruby community, but I didn’t yet understand what that meant.

... so I decided to destroy it, because I cannot abide things I do not understand.


I'm still not clear about why they dropped RailsConf. I assume the biggest sponsors threw their weight behind Rails World?


It feels like funding for conference participation at US companies has plummeted since COVID. Pre-COVID, most engineers I worked with would attend at least one conference a year on the company’s dime. That’s now become uncommon for anyone below staff engineer or director level, at the places where I work anyway.


I built a newish gaming PC on AMD components and flashed SteamOS onto it. It just works out of the box, although it does sort of think that it's an oversized Steam Deck.

My previous gaming PC was a 2016-vintage windows machine with a very hacked and lobotomized win10, so nvidia graphics drivers were starting to become a problem what with the lack of windows update and all that...


No, they aren't.

But I suspect that if you had to construct an actual argument instead of gesturing smugly at innuendo, your point would fall apart.

Please explain your "100x" stablecoin argument and if you feel like it, your asset ratio of items denominated in USD vs USDC.


might be able to incorporate an ambient AI scribe into this flow pretty well, plenty of docs are seeing success with that.


There are a couple of SaaS products in Australia that do examination transcription.

I know of one practice that went all-in on the stuff. They had to re-hire their secretaries after their AI transcription recorded "this bone normal, no damage to this other area" but totally failed to mention that the first part of the sentence was "distal fracture to whatever", ultimately failing at its most basic bloody function.

I'm pretty sure the founders are not doctors but tech industry types, who figured that there was some non-zero error rate and just like, collectively shrugged at the consequences.


TFA also acknowledges this:

> There could well be many other functions that have since joined in with the sleep cycle (such as memory consolidation), but the authors hypothesize that mitochondrial function is the process that underlies all of them. If you need oxygen, then you need sleep!


> If you need oxygen, then you need sleep!

Do plants sleep? Don't some insects, like flies, live without any sleep?


Insects do sleep, the paper we're discussing is a study of flies.


I think it should have been “If you need oxygen and have a CNS, then you need sleep.” Other tissues can take an oxidative break during wakefulness, but since the CNS is _generating_ wakefulness, if it takes a break, by construction there is sleep.


Plants breathe out oxygen, like we breathe out the other one.


That's true for photosynthesis but don't they still have oxygen respiration (i.e. oxidizing sugar for energy?)


They need oxygen for the mitochondrial electron transport chain to produce ATP. The vast majority of multicellular organisms need oxygen for that reason, and I can count the exceptions on one or two hands (i.e. Pogonophoran tube worms, some anaerobic sponges, a few parasitic helminths).


yes, at night they breathe oxygen. Maybe they sleep during the day.


Plants respire oxygen continually, day and night. It's a myth that they only respire at night.

Like every other organism except for anaerobes (mostly microbes, some fungi) they need oxygen in order to burn fuel for cellular processes. Plant cells are doing things day and night.

The origin of the myth is simply that they produce more oxygen via photosynthesis than they respire, and so are net producers of oxygen during the day.


But their cells still consume oxygen during the day, don't they? In sunshine they produce more oxygen than they consume, but the cells are still fundamentally powered by mitochondria oxidizing glucose


Perhaps different regions of the plant "sleep" at different times? The plant has no need for high response synchronized behavior at all.


You still consume oxygen when sleeping.


yes, I meant net.


Plants have chloroplasts that produce oxygen and sugar. But plants also have mitochondria that consume oxygen and sugar and run many of the same metabolic functions as in animals.


No, plants don't sleep, and neither do fungi or single celled organisms. Sleep seems to be a property specifically of animals.


Some plants do change to a "night" configuration though (closing leaves or petals, etc). Not sure if you could call it sleep.


I would be surprised by any organism that can sense its environment and doesn’t change behaviour at night. The difference is pretty extreme, whether it’s temperature, light or just all other beings changing what they’re doing. Even if you don’t notice yourself, you’ll probably be affected by second-order effects.


The simplest example that seems like it would be an exception to your criteria would be an amoeba.


Maybe plants are "always asleep"?


And pray they never wake


By which criteria? They do respond to daily cycles. How do you know they do not sleep?


> Across the animal kingdom sleep satisfies most, though not necessarily all, of the following criteria: (1) decreased brain arousal and its behavioral correlate, decreased responsiveness to an animal’s surroundings, which distinguishes sleep from immobile wakefulness (also known as rest); (2) electrical changes in the brain’s activity patterns relative to the waking state; (3) behavioral quiescence, often accompanied by a preferred location and characteristic posture; (4) rapid reversibility, which distinguishes sleep from hibernation, anesthesia and coma; (5) homeostatic regulation, in which lost episodes of behavioral quiescence and low arousal are followed by compensatory (rebound) episodes [10].

https://pmc.ncbi.nlm.nih.gov/articles/PMC5120870/

4 and 5 don't seem to be exemplified by plants.


Across the animal kingdom.

And you don't think different criteria might apply to plants? I mean, look, we are just discovering how plants function as a society. They are immobile, and 4 and 5 might be caused by the fact that an animal is mobile, at least in most examples, but where not, it can at least react in some manner. Plants have a very very slow reaction time, so to them 4 and 5 don't apply even in the waking condition, I mean unless you consider several hours to be a reaction. Let's be frank: we don't know (yet).

What I don't appreciate is an outright dismissal "plants do not sleep".


Would you call it sleep still, if it is so different from what we call sleep?


We know plants have a diurnal cycle and react to sun/day, and some visibly change between night and day. If we say that one of these states is less active, we may decide to call it dormant. Dormant comes from Latin dormire, which is sleep. So... why not?


Animals have a sleep-wake cycle that is usually synchronized with the day-night (24 hour) cycle of the Earth. But this synchronization is not essential. All animals with a nervous system have a sleep-wake cycle, even if they live underground or in the deep ocean, where the day-night cycle has no significant effect. So there must be an actual need for the sleep-wake cycle that is independent of the rotation of the Earth.


Yes we should encourage changing minds.

...Except I clocked Israel as having genocidal ambitions within days of Hamas' attack, right about the time their generals started talking about cutting off power and water to the entirety of Gaza.

I imagine I am both less informed and more naive than any of these politicians. I don't have to applaud them when they spinelessly slither with the prevailing political winds.


Hamas could surrender tomorrow and end any pretense or cover for the "genocidal ambitions". You are being incredibly racist towards Palestinians by infantilizing them and suggesting that Hamas doesn't have any agency or responsibility for this war or its effect on innocent civilians.


I think you are putting too much weight on the organization rather than the idea and collective it represents. From a very westernized idealized perspective.

Hamas is not this all encompassing high communication stable organization able to surrender tomorrow.

Hamas, or rather the idea, is instead made up of everyone who had a family member, relative or friend killed by Israel wanting to live a good life without the threat or pain of past actions.

One group of a loosely connected collective surrendering won’t materially change the situation on the ground.


Agency? Weak orgs do not have agency. You could claim Netanyahu has been running the Hamas nomination committee by bombs.

I would guess they are mainly cells of self-playing pianos by now with some expatriate spokesmen.


Right. Anyone with basic empathy, the ability to read past the coordinated consent manufacturing media machine & actually listen to what the Israeli and Western governments were saying, and an understanding of what Israel really thinks of Palestinians, would have almost immediately realized a genocide is in the works.

The people who didn't realize it had many chances to do so over the past 2 years. First, the ICJ motion by South Africa: why would they have gone through the effort to even bring a case to the ICJ if nothing was amiss? Second, the ICC warrants.

In the US specifically, the biggest chance/wake up call of note was the coordinated wave of college protests. I mean, if you had sat down and seriously considered why so many colleges decided to protest across the nation, and expended just a tiny bit of effort to read past US gov statements and Western media pundits, you would have quickly realized that something was truly wrong.

If after all of this you still didn't see what was happening, then you can be proud to know that you'd likely have reacted to any other genocide the exact same way. At best, know that the skin color or "otherness" of the victim most likely contributes to your lack of empathy - so it would be good to take this as an opportunity to do some self-reflection :)


The only good thing about this launch is that it will push the other (sane) companies to release their new frontier models.


I thought apostrophes were used for truncation: `'08`?


Not always, and only in English.

