All's FAIR: Why WordPress needs a decentralized package management system

Early in June, the WordPress community converged in Basel, Switzerland, for WordCamp Europe. Beyond the two days and three tracks of amazing talks, an independent side-event took place: AltCtrlOrg. Just steps away from the main venue, many WCEU attendees flocked to AltCtrlOrg for a major announcement: the launch of Federated and Independent Repositories (FAIR). 

FAIR has already drawn some attention from the larger ecosystem outside of WordPress. It is a concept and project based on an idea proposed by Joost de Valk (founder of Yoast SEO) and detailed by Karim Marucchi (CEO of Crowd Favorite) in December 2024, and it is now backed by a working prototype and the Linux Foundation.

What’s FAIR?

Without getting too deep into the weeds (and the weeds are thick, believe me), think for a moment about where you get your WordPress code. Let’s pretend that you are running a site that does not have any premium plugins or themes – only what you can get from the CMS itself and custom code. Where do your updates come from?

They come from WordPress.org. That’s the project’s website, the home of the WordPress plugin and theme repositories, and the canonical home for WordPress’ source code. What’s unique about WordPress’ built-in package management system (as compared to other package managers, like Composer or a Linux distribution’s package manager) is that there’s a single source of truth for all things related to WordPress and WordPress updates (wordpress.org), whereas other systems allow you to configure alternative sources for code.

For years, premium plugin authors have had to build workarounds to ship updates to their plugins through the native WordPress update mechanism. Without these workarounds, every premium plugin update means downloading the zip file from the developer and uploading it to your site. It’s much nicer to use the internal updater, especially if that’s what you’re already doing for all of your other plugins. When that’s not built in, users are less likely to actually update their premium plugins, which leaves known bugs and vulnerabilities unpatched on live sites.

A single source of truth also means a single point of failure. If a plugin or theme hosted on WordPress.org is compromised – say, by a bad actor who gets commit access to a plugin – then malicious changes could appear in the next update to that plugin. If you’re a WordPress user with this plugin installed, your dashboard prompts you to update it. And why wouldn’t you? It’s coming from a trusted source. Or, at least, you assume it’s a trusted source: nothing in the update flow tells you that someone other than the plugin’s owner pushed the code, so you wouldn’t know not to update unless the plugin developer had some means of alerting you out of band.

The FAIR protocol supports canonical sources of truth for packages via a Decentralized Identifier (DID). Think of a DID as a resolvable identifier, a bit like a domain name: each package (a package could be a plugin, theme, WordPress core itself, or even other CMS code or modules) has a unique DID that tells the protocol where the canonical home of that package lives. The owner of that home proves ownership with a cryptographically signed manifest file, signed with a key tied to the package’s DID. If a package mirror or a version of the package lacks a manifest carrying a valid signature from the owner, the discovery system rejects it.

In the case of a plugin that was compromised at the source (for example, a plugin committer that “goes rogue” and pushes malicious code), unless that committer was the plugin owner, the rogue update would not carry a valid owner signature and would be prevented from appearing in users’ dashboards. Note what this does and does not buy you: signing proves that a release was published by whoever holds the owner’s key, not that the code is safe. A malicious owner, or an attacker who steals the owner’s signing key, can still ship a validly signed update, so key hygiene on the publisher side remains essential.
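To make the rejection logic concrete, here is an added example of the discovery-side check described in the two paragraphs above. It is not code from the FAIR project or the FAIR plugin; the DID document layout, the manifest format, the use of Ed25519, the `did:example:…` identifier and the release digests are all assumptions constructed for this example. A release signed by the package owner verifies; a release signed by a committer who merely has commit access, an unsigned release, and a release whose archive was swapped after signing are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// DIDDocument is a simplified stand-in for what a package DID resolves to.
// Only the owner's public signing key matters for this check. The layout is
// an assumption for this example, not the FAIR wire format.
type DIDDocument struct {
	ID       string `json:"id"`
	OwnerKey string `json:"ownerKey"` // hex-encoded Ed25519 public key
}

// ManifestBody is the signed part of a release manifest (assumed fields).
type ManifestBody struct {
	DID     string `json:"did"`     // canonical home of the package
	Version string `json:"version"` // release being published
	SHA256  string `json:"sha256"`  // digest of the release archive
}

// Manifest pairs a body with an Ed25519 signature over its canonical bytes.
type Manifest struct {
	Body      ManifestBody `json:"body"`
	Signature string       `json:"signature"` // hex; empty means unsigned
}

// Resolver maps a DID to its document. The real protocol would look this up
// over the network; here it is an in-memory table.
type Resolver map[string]DIDDocument

var (
	ErrDIDMismatch  = errors.New("manifest DID does not match requested package")
	ErrUnknownDID   = errors.New("DID does not resolve")
	ErrNoSignature  = errors.New("manifest is unsigned")
	ErrBadSignature = errors.New("manifest not signed by the package owner's key")
)

// canonical returns the bytes that get signed. encoding/json emits struct
// fields in declaration order, so the output is deterministic.
func canonical(b ManifestBody) []byte {
	out, _ := json.Marshal(b)
	return out
}

// SignManifest produces a manifest signed with priv (owner or otherwise).
func SignManifest(priv ed25519.PrivateKey, b ManifestBody) Manifest {
	return Manifest{Body: b, Signature: hex.EncodeToString(ed25519.Sign(priv, canonical(b)))}
}

// VerifyManifest is the discovery-side check: resolve the DID, take the
// owner's key from its document, and accept the release only if the manifest
// is validly signed by that key. Everything else is rejected.
func VerifyManifest(r Resolver, wantDID string, m Manifest) error {
	if m.Body.DID != wantDID {
		return ErrDIDMismatch
	}
	doc, ok := r[wantDID]
	if !ok {
		return ErrUnknownDID
	}
	if m.Signature == "" {
		return ErrNoSignature
	}
	pub, err := hex.DecodeString(doc.OwnerKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed owner key in DID document: %w", ErrUnknownDID)
	}
	sig, err := hex.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), canonical(m.Body), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds one package with an owner key and a separate committer key,
// then runs four releases through VerifyManifest. Keys are generated fresh
// on every run; the DID and digests are constructed, not real identifiers.
func Demo() map[string]error {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, committerPriv, _ := ed25519.GenerateKey(rand.Reader) // has commit access, is not the owner

	const did = "did:example:hello-dolly"
	resolver := Resolver{did: {ID: did, OwnerKey: hex.EncodeToString(ownerPub)}}

	body := ManifestBody{DID: did, Version: "1.7.3", SHA256: "0f1e2d3c"}
	owner := SignManifest(ownerPriv, body)
	rogue := SignManifest(committerPriv, ManifestBody{DID: did, Version: "1.7.4", SHA256: "deadbeef"})
	unsigned := Manifest{Body: body}
	tampered := owner
	tampered.Body.SHA256 = "badc0de0" // archive swapped after the owner signed

	return map[string]error{
		"owner":    VerifyManifest(resolver, did, owner),
		"rogue":    VerifyManifest(resolver, did, rogue),
		"unsigned": VerifyManifest(resolver, did, unsigned),
		"tampered": VerifyManifest(resolver, did, tampered),
	}
}

func main() {
	res := Demo()
	for _, name := range []string{"owner", "rogue", "unsigned", "tampered"} {
		fmt.Printf("%-8s -> %v\n", name, res[name])
	}
}
```

The check binds three things together: the DID the client asked for, the key the DID resolves to, and the bytes of the manifest. Break any one of them and the release is dropped before it reaches a dashboard. What the check cannot see is whether the owner key itself is in the right hands, which is why the previous paragraph’s caveat about key hygiene matters.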

In other words, FAIR isn’t just one thing. It’s a couple of things. Fundamentally, FAIR is a package management protocol that’s being designed in a CMS-agnostic way – it’s not just a WordPress thing. Users who want to tap into this new way of distributing packages can do so today by installing the FAIR plugin.

What does the FAIR plugin do?

The broad goal of the plugin is to remove the dependency on the hard-coded WordPress API URLs (e.g. api.wordpress.org) and replace them with decentralized or FAIR-specific alternatives. Right now, the most obvious effect of this switch is that WordPress.org is no longer used directly as the source for plugin or theme updates (the FAIR plugin does not currently support a decentralized source for WordPress core updates). Instead, plugin and theme updates are sourced from a FAIR protocol-based mirror hosted by AspirePress. Even this nuance is largely invisible to you as a user: you won’t see anything different when you update plugins or themes, they work the same as they ever did.

By default, FAIR uses a PHP constant to determine the repository from which to pull updates to WordPress plugins and themes. The default FAIR repository is an AspirePress-powered mirror of WordPress.org. Using that mirror means you are trusting AspirePress’s infrastructure and signing keys in place of WordPress.org as your update source. You can swap the default FAIR repository back to api.wordpress.org, but doing so opts out of a key feature of the FAIR protocol: cryptographic package signing, which lets the updater verify that the code it downloads was signed by the key associated with that package rather than silently substituted in transit or on a mirror.

WordPress.org does not today (and may never) publish FAIR-based manifests that validate the packages it hosts. AspirePress, on the other hand, signs packages on the developers’ behalf, which means that for now the trust anchor for those packages is AspirePress’s key rather than the developer’s own. In the future, developers can publish their packages to a repository with their own signatures (or host them themselves), and they will be discovered natively at their canonical home, wherever on the internet that might be. For plugins and themes that aren’t hosting their own FAIR-compatible source, the AspirePress repository is used as a fallback.

Other API integrations that rely on communication with third-party domains like wordpress.org (for things like emojis, secret generation, browser and PHP version checks, and Ping-o-matic) are replaced with functional alternatives inside the plugin. 

[Image: FAIR default avatars]

Possibly the most immediately obvious change caused by removing this reliance on third-party APIs is that Gravatar support is disabled by default. Gravatar is the Globally Recognized Avatar service originally created by Tom Preston-Werner in 2004 and acquired by Automattic in 2007. Gravatars are widely used by many services outside the WordPress ecosystem (Pantheon uses them in our admin dashboard, for example) as a single place to update your profile image and have it recognized wherever you go. However, using a Gravatar requires creating a WordPress.com account and uploading your photo and information to the Gravatar service, and every avatar request a site makes sends a hash of the user’s email address to gravatar.com. The FAIR plugin adds an options page that lets you turn Gravatars back on, but by default they are disabled in favor of a built-in avatar system scoped to the individual WordPress site.

[Image: FAIR avatar settings]

The events widget is also replaced by a new widget that sources community events from The WP World, which means WordPress events outside the WordCamp ecosystem might show up. The news source has been modified slightly, too: it is now fed by a FAIR news aggregator that includes updates from WordPress.org news as well as community sources like OpenChannels.fm (formerly DoTheWoo).

[Image: FAIR events widget]

Using the FAIR plugin on Pantheon

We have an open issue in our WordPress upstream that we are using to evaluate whether (and how) we might add FAIR directly to our WordPress upstreams. The issue describes our plan to initially default to api.wordpress.org instead of the AspirePress-based mirror to reduce the impact of the change, but allow that setting to be modified by users who would prefer to opt in to the alternate repository. 

In the meantime, you can start using the FAIR plugin today by downloading the zip file and uploading it to your site. It can be used as a normal plugin (in which case it uses its own internal update logic) or as a mu-plugin, as shown in my demo custom upstream repository. If we put FAIR directly in our upstream, we would likely install it as a mu-plugin to minimize the interaction required to use it.

I encourage you to check it out. And once you try it out, we want to hear your thoughts in the GitHub issue on our WordPress upstream repository! You can also learn more and engage with the community discussions around FAIR in the official FAIR GitHub discussions board. I’m excited to see this new framework grow and improve the stability of WordPress distributions.

Author

  • Chris Reynolds
    Senior Developer Advocate
