Introducing New Policies for RubyGems.org: Feedback Thread

[rubyFeedback]

Recently new policies were added to rubygems.org here:

https://blog.rubygems.org/2025/03/20/introducing-new-policies.html

It was suggested to use an email to provide feedback, as one option. I tried to write an email but it became
way too long and "unwieldy". So I thought a discussion here may be easier.

I won't add all content I had prepared, so just some feedback, a bit random.

For instance, at https://rubygems.org/policies/terms-of-service, there is the sublicence clause:

"You retain your rights to Your Content. You grant to Provider a non-exclusive, worldwide, royalty-free, perpetual, license (including the right to sublicense) to use, host, store, cache, reproduce, publish, display, perform, distribute, transmit, adapt, and modify Your Content, in all media now known or later developed, for the purpose of operating, promoting, and improving the Service, and developing new services."

I assume in part this is so that the old code can continue to be hosted. But there are two questions I
have:

a) What is the term "sublicense" meaning exactly? Because if someone writes a project, it usually has a licence already. Does this mean there is an additional implicit licence to be given to rubygems.org?

b) In addition to that, the term "modify Your Content" - will you guys actually announce if you made any modification? Technically I would call this a fork, and I think a fork should be marked as one, in particular when the original owner already left rubygems.org. Isn't it usually the original licence that is the one that is important? E. g. GPL and BSD should allow without any further ado to be hosted and people can use it, as long as they adhere to the licence (easier to comply with the BSD family). So the confusion is what this means in regards to rubygems.org.

There is also "7. Termination". Here I think it would be nice if you could clarify what happens when people de-register. Will their gems be removed? (I assume right now yes, but if you look at the prior content of the policy, e. g. with sublicences and being able to modify content at will, technically it could be that such gems remain hosted.) I think additional clarification here would be useful, e. g. what happens with old gems? In a permissive licence, e. g. GPL and BSD, of course anyone can fork the projects, so having old versions of gem hosted is a non-issue. But here my question retains more to a scenario such as someone having left rubygems.org, original gems may still be hosted, as well as modified, without notice that this was done.

Let's have a look at another policy:

https://rubygems.org/policies/acceptable-use

Most of this seems ok or semi-ok but a few things are awkward.

For instance:

"is discriminatory toward, harasses or abuses another individual or group"

A few months ago I was in heavy disagreement with another ruby software
developer. We had discussions on reddit in addition to github. At the end of
the day he locked me out of his github projects, as well as did a few more
things, but I don't want to expand this here, as this is a side-topic. The question
now is: would this qualify under "harassment" or "discriminatory"? So if
someone qualifies under this, technically rubygems.org would be forced to
remove these developers. In case both developers are guilty of this, both
would have to be removed, right? I am not sure how I feel about that clause.
It seems hugely generic and extremely difficult to apply correctly. The "it is
our discretion" unfortunately does not help here - after all what if both developers
would not agree that rubygems.org maintainers should interfere in this?
Is this even really necessary, anyway? It seems kind of like an extension of
the prior Code of Conduct, which already is rather arbitrary. Anyway, these
are some things one could consider.

There are some more items that I find hugely problematic, such as:

https://rubygems.org/policies/acceptable-use

"TIn line with our goal of a reliable immutable registry, we do not permit gem owners to delete their gems unilaterally. "

(By the way, you guys have a typo - rather than "TIn" it should be "In":)

On github, Microsoft does not ad-hoc interfere like that trying to control
what gem authors do, such as removing projects. My gripe is not with the
hosting of the gem code - that part is fine. My gripe is that it is insinuated
by rubygems.org that the original authors have anything to do with old
code they no longer want to maintain or be associated with in any way,
shape or form, which I object to. I also did not see that this was originally
in place in rubygems.org, so one also has to ask who is doing those ad-hoc
policy changes anyway. Then again, this will only affect those who use
rubygems.org, not those who are no longer active as gem authors on
rubygems.org. I just think it is not a good idea to leverage rubygems as a
political tool with more and more restrictions in place against gem authors -
it is ok to protect gem users, but to do so at the expense of gem authors is
not a good trade-off. Anyway, these are just some semi-random thoughts;
this is about 1/10 of the original content I had written. (There are a few more
questionable entries by the way - someone really needs to go through each
point and really ask WHY was this added, and also WHO added this. Who are
making these policies? This should become transparent. Right now I have no
idea who is writing these things, other than by Marty Haught. I am having a
few deja vu moments too, e. g. when the original author of bundler did not
understand licences such as GPL and BSD and others critizised this like 10
years ago or so. I have no link towards that, but I remember this vaguely.)

[colby-swandale]

please leave any policy feedback at [email protected]