The Linux Foundation recently announced the FAIR Package Manager project, an open-source, distributed WordPress plugin and theme repository that decentralizes control of the repository. A distributed theme and plugin repository became a priority for many in the WordPress community after Matt Mullenweg took control of certain paid premium plugins and created free versions from them, in addition to removing access to the free versions of the original plugins.
The Linux Foundation announcement, made on Friday, June 6, came during the middle of WordCamp Europe, all but assuring that it would be a topic of discussion at the three-day conference.
According to the Linux Foundation announcement:
“…The FAIR Package Manager project paves the way for the stability and growth of open source content management, giving contributors and businesses additional options governed by a neutral community…”
It was inevitable that Matt Mullenweg would be asked about it and that’s what happened, twice. Mullenweg was gracious about answering the questions but he was also understandably cautious about it, given that it had been less than 24 hours since the FAIR project had been announced.
Initial Reaction To Project FAIR
The first question came early in the question and answer period, when Mullenweg was asked how he sees such initiatives coexisting with WordPress and what he sees as the ideal outcome.
Mullenweg expressed cautious optimism, praising the open source nature of WordPress by saying that that’s the point of open source, that it can coexist with everything. But he also was reluctant to say much more. He did seem a little annoyed that the FAIR project was created “in secret.” I don’t know the extent of whether the FAIR project was created in secret but it did seem as if the Linux Foundation essentially ambushed WordPress and WordCamp with their announcement.
Mullenweg answered:
“…I think that’s part of the beauty that something like this can be written with the APIs that WordPress has. I don’t know if I want to comment too much further on it just because kind of just found out about it last night, there hasn’t been that much time. There’s a lot of code and uh and complexities.
You know, I do wish if the team did want to collaborate or the team says we want to be transparent and everything. But it did sort of drop as a surprise. It was worked on in secret for six months. But we can work past that and look at it.”
Do Users Want A Federated Repository?
Mullenweg next turned the question away from what he might think about it and asked whether this is something that WordPress users would want. He also explained the immensity of undertaking a decentralized system for the repository.
He continued his answer:
“I do think things we need to keep in mind are, you know, what are users asking for?
What are the challenges they’re facing around finding the right things, knowing it’s secure, getting updates? You know the stats around how many sites that are hacked are from out of date plugins. Those are things that are top of my mind for the plugin directory and so the trust and safety elements of that for the.org directory.
…So we’re now up to 72,000 plugins and themes. This is about 3.2 terabytes, like zip files. That’s not counting all the SVN history and everything like that. So there’s a there’s a lot of data there, which also we need to make sure, like if 500 mirrors are set up and they’re all sucking down the directory like, that could DDOS us.”
About twenty minutes later someone else stepped up and asked the question again, sharing about her long history with WordPress and her opinion of why the FAIR project may be useful.
She said:
“I’ve been contributing to the communication team for 14 years and contributing to plug in review team for a couple of years and my whole work in documentation was serving the user every decision we made we made was to serve user. And in plugin review team we also include plugin authors So everything we do we do for plugin authors and users to make their lives easier and better.”
Next she offered an explanation of why she thinks the FAIR project is good for plugin authors and users:
“So the Fair project is actually federated and independent repository of trusted plugins and teams. And it is under the Linux Foundation. So that means a lot when it’s under the Linux foundation.
And what it means for users and plugin authors and team authors is actually making their lives easier and better, more secure. It makes all the products more discoverable and also developers can choose their source. Where are they using their supply chain from.
But also, it is helping WordPress.org because these are mirrors so it will reduce the load from WordPress.org for every update and all of that.
…I don’t know if you trust me, but it seemed to me that this aligns with the idea of having users and developers first in mind. Would you as wordpress.org consider collaborating with this project?”
Mullenweg’s answer was cautious in tone, giving the impression that he didn’t know much about the FAIR project aside from the public announcement made by the Linux Foundation.
He answered:
“Of course we consider everything, but even in what you said, I think there’s a lot of challenges to it. So for example, right now, a supply chain attack needs to breach wordpress.org which has never been hacked.”
At this point loud laughter rang out in the hall, catching Mullenweg by surprise.
He then continued, offering an idea of the complexity of a federated theme and plugin repository:
“The… now all of a sudden there is N places that could potentially be compromised that you know there’s ways to do that, many ways. There’s N places with uptime issues.
And… it makes it much more difficult for, I don’t know if it’s actually better for WordPress.org, because it makes it much more difficult to do things like rollouts, phased rollouts, or let’s say we get plugin authors the ability to ship to 5% of users and then see what happens, which means we also need things being checked back and then we can roll out to the rest, which is something that I’ve heard a ton of plugin authors ask for.
It will break all the analytics and stats that we provide and also that we internally …use to make decisions, for example which versions of PHP we support…
So I think that it’s uh a big part of why WordPress is where it is today is because of the infrastructure and the sort of feedback loop that we get from wordpress.org.
Also, the trust that we’re able to engender by having that be a resource. When you look at marketplaces, people aren’t asking necessarily for I want it to be downloaded from more locations.
- They’re asking for how do I know this is trustworthy?
- How do I know these reviews are real?
- Who’s moderating?
- Who’s checking the IP’s on these different reviews?
- What’s the plug in rating?
- What’s the compatibility for it?
- How does it, compatible with my other plugins?
These are things I’m hearing from users, not I need it hosted in a different place. This is one example.
And again, I don’t want to get too far into it because I want to read the code. I want to dive more into it. I want colleagues to look at it. So, I think it’s kind of premature, less than 24 hours in to say like we’re going to …this or not.”
At this point Mullenweg praised the fact that people were being constructive rather than arguing.
He continued:
“But I do think it’s awesome that people are shipping code versus just arguing or talking or writing blog posts. I think that’s a pretty productive way to sort of channel possible disagreements or anything, and then we can see how it looks. Might be a super niche thing that a few people use, maybe one or two hosts or it might be something that maybe there’s something in there that becomes …popular.”
Then he returned to listing things that still need to be looked into, trying to give an idea of how complex creating a decentralized repository is.
Mullenweg continued:
“Like something that we probably need to do in the plug and review is something about these admin banners right, now how is that enforced in a distributed FAIR system?”
Mullenweg then asked the questioner how she would solve all of those problems. She answered that she’s not the smartest person in the room but that this is something to be collaborated on, and then she tossed off a joking remark that maybe they can ask ChatGPT, which drew laughter and applause, breaking the tension of the moment and ending the question on a light note.
Watch the question and answer session at about the 8-hour mark of the video: