[eutropia]

They buried the lede...

Arko wanted a copy of the HTTP Access logs from rubygems.org so his consultancy could monetize the data, after RC determined they didn't really have the budget for secondary on-call.

Then after they removed him as a maintainer he logged in and changed the AWS root password.

[JeremyNT]

What a truly wild situation.

In a certain sense this post justifies why RC wanted so badly to take ownership - I mean, here you have a maintainer who clearly has a desire to sell user data to make a buck - but the way it all played out with terrible communication and rookie mistakes on revoking access undermines faith in RC's ability to secure the service going forward.

Not to mention no explanation here of who legally "owned" the rubygems repo (not just the infra) and why they thought they had the right to claim it, which is something disputed by the "other" side.

Just a mess all around, nobody comes off looking very good here!

[anon84873628]

I can give benefit of the doubt that making a proposal to monetize user data is a poorly-considered, bottom-scraping effort to find a replacement funding source for the on call work. Most of us would not consider it, but I think it should be ok to occasionally pitch some bad ideas, all else being equal and lacking full context.

But messing with the credentials crosses an ethical line that isn't excused no matter how much you disagree with the other party's actions.

[JeremyNT]

I totally agree, assuming all this is accurate he immediately proved that RC was right all along to be concerned about him!

[fouc]

I can only assume it is silly revenge seeking behavior. Look at how symmetrical it is:

  1. RC takes over GitHub Repository and locks everyone out
  2. Arko takes over RubyGems server and locks everyone out.

He was an authorized actor right up until they tried to remove him, but they forgot to revoke his access credentials. I wonder if legally-speaking he was even considered unauthorized.

EDIT: Missed their email notification revoking his production access. Yeah looks like they could have a legal basis.

[heartbreak]

This is not legal advice, but if you get fired and then break into the office later, the police won’t care that you used your spare key.

Seems someone took it a step further and changed the locks too.

[picadi]

really disappointing. it's such a huge security concern and privacy/ethical lapse, i am super disappointed in him, despite his contributions to the world of Ruby package management

he's now started a competing gem.coop package manager, and while they haven't released a privacy policy it does make me suspicious about how they were planning to fund it

no single person should have Github owner + AWS root password for a major language's package manager and ecosystem just sitting around on their laptop while they fly around to different conferences in Japan e.g. (as Andre did while hacking rubygem's AWS root account to show off)

[case]

[citation needed]

[evolve2k]

From the article:

“Following these budget adjustments, Mr. Arko’s consultancy, which had been receiving approximately $50,000 per year for providing the secondary on-call service, submitted a proposal offering to provide secondary on-call services at no cost in exchange for access to production HTTP access logs, containing IP addresses and other personally identifiable information (PII).”