It's true. He doesn't claim to know anything about the code. He is just trying to expose the "secret fixes". His thesis (for all of his blog posts) is that the Ruby community sucks. He did all this digging in the name of "proving" that, not to help make Ruby better, nor to prove that he knows anything about security.
Read the last line -- "I guess we’ll find out after the Ruby guys passively aggressively kill me for looking at their open source and …. telling people things."