Notes on FAIR Package Manager

Had a deeper look at the FAIR package manager today.

Version 1.0 of the WordPress integration plugin introduced package signature verification (in this pull request). That means that WordPress sites can now cryptographically confirm that a downloaded plugin or theme really came from the claimed publisher (as long as you trust the keys reported by plc.directory).

Full signature verification isn’t trivial. To check a did:plc identity properly you have to walk the entire chain of signed operations all the way back to the genesis operation where the DID is anchored.

That requires some pretty heavy crypto for a WordPress host (where the client plugin is installed):

  • multibase / base58 decoding
  • DAG-CBOR + CID recomputation
  • ECDSA (secp256k1, P-256) signature checks

Not every shared host is going to have PHP extensions for all of that. The protocol does elegantly handle key rotation, but the burden of verification falls entirely on the consumer.

Just “trusting” whatever keys come back from plc.directory for each package DID identifier isn’t secure. You have to validate the full audit log yourself, because otherwise you’re open to tampering: whoever can alter the DID document served to you can substitute their own publisher key.

So the standard is promising, but until FAIR bakes in real signature checks, WordPress users aren’t getting the security guarantees this model could deliver.

The rest of the plugin’s features are really nice for privacy and general data protection — you no longer report all published content to Ping-o-Matic or send every admin dashboard request to WP.org servers. Here is a report of all external calls made by standard WordPress installs.

How FAIR Works

A plugin author publishes a WordPress plugin with a did:plc identifier such as:

did:plc:deoui6ztyx6paqajconl67rz

The FAIR client plugin fetches the JSON metadata for the DID from the plc.directory URL:

https://plc.directory/did:plc:deoui6ztyx6paqajconl67rz

which returns:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/multikey/v1",
    "https://w3id.org/security/suites/secp256k1-2019/v1"
  ],
  "id": "did:plc:deoui6ztyx6paqajconl67rz",
  "alsoKnownAs": [],
  "verificationMethod": [
    {
      "id": "did:plc:deoui6ztyx6paqajconl67rz#fairpm",
      "type": "Multikey",
      "controller": "did:plc:deoui6ztyx6paqajconl67rz",
      "publicKeyMultibase": "zQ3shjiQmfcvNg5ExJuCcX8Bfzaa77y3yxD9iPMYmeRYbk4Vf"
    }
  ],
  "service": [
    {
      "id": "#fairpm_repo",
      "type": "FairPackageManagementRepo",
      "serviceEndpoint": "https://fair.git-updater.com/wp-json/minifair/v1/packages/did:plc:deoui6ztyx6paqajconl67rz"
    }
  ]
}

where the key parts are:

  • the public keys defined under verificationMethod with type equal to Multikey and an id containing #fairpm;
  • the package URL under serviceEndpoint with type FairPackageManagementRepo and an id containing #fairpm_;
  • to ensure that the publicKeyMultibase value is actually a valid public key belonging to the DID, you need to parse the full DID activity log and verify that each operation is signed and derived from the previous one, all the way back to the genesis operation from which the DID itself is derived.
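What walking that log means in practice, as an added example that is not part of these notes or of the FAIR plugin (Python rather than PHP, so it runs on any machine). It covers both halves of the work listed above: decoding a Multikey or did:key string (multibase base58btc plus the multicodec prefix), and validating a did:plc operation log back to the genesis operation. The did:plc rules it implements follow the did:plc specification as I read it: the DID is the first 24 characters of the lowercase base32 SHA-256 of the DAG-CBOR-encoded signed genesis operation; each operation's `prev` is the CIDv1 (dag-cbor, sha2-256) of the previous signed operation; `sig` is base64url ECDSA over the DAG-CBOR of the operation without its `sig`, made with one of the previous operation's `rotationKeys` (the genesis operation signs with one of its own). The ECDSA check is injected through the `verify_sig` callback so the block needs no third-party library; a real resolver plugs in a secp256k1/P-256 verifier that enforces low-S signatures. Tombstone operations, the legacy `create` format and the recovery window are out of scope, and the operations used in testing are constructed, not plc.directory data.

```python
"""did:plc verification for a FAIR publisher key: decode the Multikey, then walk the
signed operation log back to the genesis operation instead of trusting the DID
document plc.directory hands out. Added example; not the FAIR plugin's code."""
import base64
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MULTICODEC = {b"\xe7\x01": "secp256k1", b"\x80\x24": "p256"}  # varint prefixes of *-pub codecs


def b58decode(s):
    """Bitcoin-alphabet base58, the 'z' multibase flavour used by Multikey and did:key."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # raises ValueError on characters outside the alphabet
    leading = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")


def decode_multikey(key):
    """'zQ3sh...' (publicKeyMultibase) or 'did:key:zQ3sh...' -> (curve, 33-byte compressed point)."""
    key = key[len("did:key:"):] if key.startswith("did:key:") else key
    if not key.startswith("z"):
        raise ValueError("only base58btc multibase ('z') keys are supported")
    raw = b58decode(key[1:])
    curve = MULTICODEC.get(raw[:2])
    if curve is None or len(raw) != 35 or raw[2] not in (2, 3):
        raise ValueError("not a compressed secp256k1 or P-256 Multikey")
    return curve, raw[2:]


def _head(major, n):
    """CBOR initial bytes: major type in the top 3 bits, shortest encoding of the argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def dag_cbor(v):
    """Deterministic DAG-CBOR for the value types plc operations use (no CID links).
    Map keys are sorted length-first, then bytewise, as the DAG-CBOR spec requires."""
    if v is None:
        return b"\xf6"
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(dag_cbor(x) for x in v)
    if isinstance(v, dict):
        keys = sorted(v, key=lambda k: (len(k.encode()), k.encode()))
        return _head(5, len(keys)) + b"".join(dag_cbor(k) + dag_cbor(v[k]) for k in keys)
    raise TypeError(f"unsupported type {type(v).__name__}")


def op_cid(signed_op):
    """CIDv1 (dag-cbor codec 0x71, sha2-256 multihash), base32 lower with 'b' multibase prefix."""
    multihash = b"\x12\x20" + hashlib.sha256(dag_cbor(signed_op)).digest()
    return "b" + base64.b32encode(b"\x01\x71" + multihash).decode().lower().rstrip("=")


def did_from_genesis(signed_genesis):
    """did:plc identifier = first 24 chars of base32(sha256(dag_cbor(signed genesis op)))."""
    digest = hashlib.sha256(dag_cbor(signed_genesis)).digest()
    return "did:plc:" + base64.b32encode(digest).decode().lower()[:24]


def verify_plc_log(did, ops, verify_sig):
    """Validate a list of signed plc_operation dicts (oldest first) and return the
    verificationMethods of the latest one. verify_sig(did_key, message, sig) -> bool
    must perform the ECDSA check for the curve named in did_key and enforce low-S."""
    prev_cid, rotation_keys = None, None
    for i, op in enumerate(ops):
        if op.get("type") != "plc_operation":
            raise ValueError(f"op {i}: unsupported operation type {op.get('type')!r}")
        unsigned = {k: v for k, v in op.items() if k != "sig"}
        sig = base64.urlsafe_b64decode(op["sig"] + "=" * (-len(op["sig"]) % 4))
        # Genesis is signed by one of its own rotation keys; later ops by a key of the previous op.
        allowed = op["rotationKeys"] if i == 0 else rotation_keys
        if not any(verify_sig(k, dag_cbor(unsigned), sig) for k in allowed):
            raise ValueError(f"op {i}: not signed by an authorised rotation key")
        if op["prev"] != prev_cid:
            raise ValueError(f"op {i}: prev does not link to the previous operation")
        if i == 0 and did_from_genesis(op) != did:
            raise ValueError("genesis operation does not hash to the claimed DID")
        prev_cid, rotation_keys = op_cid(op), op["rotationKeys"]
    return ops[-1]["verificationMethods"]
```

After the walk, take `verificationMethods["fairpm"]` from the returned map, run it through `decode_multikey`, and only then compare it with the publicKeyMultibase in the DID document: a mismatch means the document plc.directory served is not backed by the signed log and the package signature must not be checked against it.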

The client then fetches the resolved serviceEndpoint URL with the Accept: application/json request header:

https://fair.git-updater.com/wp-json/minifair/v1/packages/did:plc:deoui6ztyx6paqajconl67rz

which returns:

{
  "@context": "https://fair.pm/ns/metadata/v1",
  "id": "did:plc:deoui6ztyx6paqajconl67rz",
  "type": "wp-plugin",
  "name": "Handbook Callout Blocks",
  "slug": "handbook-callout-blocks",
  "filename": "handbook-callout-blocks/handbook.php",
  "description": "The make.wordpress.org blog has wonderful callout blocks but they seem to be baked in as part of the WP.org Handbook plugin.\nI was able to \u2026",
  "authors": [
    { "name": "WordPress.org, Andy Fragen", "url": "" }
  ],
  "license": "GPL-2.0-or-later",
  "security": [],
  "keywords": [ "wporg", "handbook", "callout" ],
  "sections": {
    "description": "<p>The make.wordpress.org blog has wonderful callout blocks but they seem to be baked in as part of the WP.org <a href=\"https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/handbook\">Handbook plugin</a>.</p>\n<p>I was able to strip out the relevant parts of the Handbook plugin retaining only the callout blocks.</p>\n<h3>Special Thanks</h3>\n<ul>\n<li><a href=\"https://profiles.wordpress.org/ipstenu/\">@Ipstenu</a> for her terrific sleuthing skills.</li>\n<li><a href=\"https://profiles.wordpress.org/Clorith\">@Clorith</a> for bringing code up to current standards and best practices.</li>\n</ul>",
    "changelog": "<p>[unreleased]</p>\n<ul>\n<li>add support for <code>core/list</code></li>\n<li>refactor for current standards and practices courtesy of @Clorith</li>\n<li>make editor padding match</li>\n<li>load dashicons for non-logged in users</li>\n<li>initial release</li>\n<li>add composer.json</li>\n</ul>"
  },
  "releases": [
    {
      "version": "1.0.3",
      "requires": { "env:php": ">=7.4", "env:wp": ">=5.9" },
      "suggests": { "env:wp": ">=6.7.2" },
      "provides": [],
      "artifacts": {
        "icon": [
          { "url": "https://s.w.org/plugins/geopattern-icon/handbook-callout-blocks.svg", "content-type": "image/svg+xml", "height": null, "width": null }
        ],
        "package": [
          {
            "url": "https://api.github.com/repos/afragen/handbook-callout-blocks/releases/assets/274184925",
            "content-type": "application/octet-stream",
            "signature": "AcKSOVp2EHQCSWBO5LZCDv4puOpvJILsovIynQkf-hcpBOGpkuc4aaLi5NC9Gd4s3IBNzbqFzM75a6lcx4kk_w",
            "checksum": "sha256:bb2f21d4f5b3e6a8daa361abb75b366d90059a7e1a15c18100ca3492cdb252af"
          }
        ]
      }
    }
  ]
}

This metadata is used to render all the information about the plugin in the WP admin before installation and during upgrades. The signature of the package ZIP file can then be verified using the public key extracted in the first step, and the checksum lets the client detect a corrupted or swapped download before it is unpacked.
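The second verification step, as an added example that is not the FAIR plugin's code (Python instead of PHP so it runs anywhere): check the artifact's `checksum` from the metadata above, then its `signature` with the publisher's key from the DID document. It assumes the signature is ECDSA with SHA-256 over the raw artifact bytes, encoded as the 64-byte r||s that the 86-character base64url value in the metadata decodes to; the FAIR metadata specification is the authority on what is actually signed. The ECDSA call uses the `cryptography` package, while the checksum and DER helpers are standard library only. The artifact and key in the demo are constructed.

```python
"""Verify a FAIR release artifact against its package metadata: checksum first,
then the publisher's ECDSA signature. Added example; not the FAIR plugin's code."""
import base64
import hashlib
import hmac


def b64url_decode(s):
    """base64url without padding, the encoding of the metadata's 'signature' field."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def checksum_matches(data, spec):
    """spec is 'sha256:<hex>' as in the metadata; compare in constant time."""
    algo, _, expected = spec.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported checksum algorithm {algo!r}")
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected.lower())


def _der_int(n):
    """DER INTEGER for a non-negative value: minimal length, sign byte if the top bit is set."""
    b = n.to_bytes(32, "big").lstrip(b"\x00") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b


def raw_sig_to_der(sig):
    """64-byte r||s (what the base64url signature decodes to) -> DER SEQUENCE for OpenSSL."""
    if len(sig) != 64:
        raise ValueError("expected a 64-byte r||s signature")
    body = _der_int(int.from_bytes(sig[:32], "big")) + _der_int(int.from_bytes(sig[32:], "big"))
    return b"\x30" + bytes([len(body)]) + body


def verify_artifact(data, checksum, signature, curve, pubkey_point):
    """True only if the checksum matches AND the ECDSA/SHA-256 signature over the artifact
    bytes verifies under the publisher's key. pubkey_point is the 33-byte compressed point
    decoded from the DID document's Multikey; curve is 'secp256k1' or 'p256'.
    Assumption: the signature covers the raw artifact bytes."""
    if not checksum_matches(data, checksum):
        return False
    # Imported lazily so the helpers above stay pure standard library.
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec

    curve_obj = {"secp256k1": ec.SECP256K1(), "p256": ec.SECP256R1()}[curve]
    pub = ec.EllipticCurvePublicKey.from_encoded_point(curve_obj, pubkey_point)
    try:
        pub.verify(raw_sig_to_der(b64url_decode(signature)), data, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":  # constructed demo: sign a stand-in ZIP, verify it, then tamper with it
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature

    priv = ec.generate_private_key(ec.SECP256K1())  # stands in for the publisher's key
    point = priv.public_key().public_bytes(serialization.Encoding.X962,
                                           serialization.PublicFormat.CompressedPoint)
    artifact = b"PK\x03\x04 constructed stand-in for handbook-callout-blocks.zip"
    r, s = decode_dss_signature(priv.sign(artifact, ec.ECDSA(hashes.SHA256())))
    meta = {"checksum": "sha256:" + hashlib.sha256(artifact).hexdigest(),
            "signature": base64.urlsafe_b64encode(r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode().rstrip("=")}
    print("genuine :", verify_artifact(artifact, meta["checksum"], meta["signature"], "secp256k1", point))
    print("tampered:", verify_artifact(artifact + b"\x00", meta["checksum"], meta["signature"], "secp256k1", point))
```

The order matters for the WordPress client: stream the download to a temporary file, run both checks on the bytes on disk, and only then hand the file to the upgrader. Unzipping first would let a substituted archive act before anything has been verified.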

FAIR Branding

While researching this, I also did some exploration for a possible FAIR project and package manager logo/icon. Since the FAIR branding needs to apply to multiple initiatives, it would be easy to go with a shared icon + wordmark for each project. The isolated FAIR letters represent the distributed and decoupled nature of this project.

Contributions

As part of this research I also created the following issues and suggestions:

#fairpm #fairpm #openSource #php #plugin

https://kaspars.net/10293

Hey #WCMontclair: can’t wait to meet you. Talk with me today about:
🤖 AI
📥 Agency life
💰 Funding #WordPress contributors
🙋🏻‍♀️ #FAIRPM
🤝 #OpenSource
Story time: 2yrs ago I attended #OSSummit to connect #WordPress to wider #OpenSource community & learn from each other. I never dreamed I’d be watching Joost & Karim announce #FairPM today, having contributor dashboards underway, or the new contribs mentorship shared at OSSummit Japan in that time.

☕ How do you start your morning? Me: I'm sipping coffee in the pavilion with the pup and wondering - what's DIDs? #FAIRPM

Decentralized Identifiers
https://www.w3.org/TR/did-1.1/

Decentralized Identifiers (DIDs) v1.1

Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party. DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.

So I’ve been a little busy with a side project.

https://thefragens.com/the-hiatus-is-over/

#WordPress #fairpm

The Hiatus is Over – Surgical Diversions

My site’s FAIR now

Last Friday a group of significant WordPress contributors went public with the FAIR Package Manager Project, which has been in the works for around six months.

[…]

https://sipp.is/my-sites-fair-now/

My site’s FAIR now | Timi Wahalahti

Last Friday a group of significant WordPress contributors went public with the FAIR Package Manager Project, which has been in the works for around six months. I won’t get into details of what it is and why it was…

Timi Wahalahti

Although I may be a little biased, I think one of the most significant things in the WordPress world in recent years was announced yesterday: @fairpm #FAIRPM

About half a year ago a small group started thinking about what a future without supply chain risks could look like. Since then that group has grown to hundreds of individuals and the scope has expanded to removing other centralized dependencies as well.

The group includes numerous people whose work over the years has contributed significantly to the success of WordPress. The Linux Foundation is coordinating in the background as a neutral party.

Pictured are a few of us who were present at the announcement. There is more detail on what it is about on the company blog; link in the comments.

#WordPress is bigger and more stable together.

https://www.evermade.fi/fi/artikkeli/fair-projekti-haastaa-nykykaytannot-tavoitteena-avoimempi-wordpress/

The FAIR project challenges current practices - aiming for a more open WordPress

At the Alt Ctrl Org event held alongside WordCamp Europe, the FAIR package manager and plugin were released, aiming to strengthen openness and stability in the WordPress community. In this post, our community coordinator, who has been involved since the project’s early stages, explains what it is about and analyses what the release means. The FAIR package manager and plugin released yesterday, 6.6.2025, at the Alt Ctrl Org event are probably one of the most significant announcements in the WordPress community in a while. Its […]

Evermade

What’s awesome about it is that the whole #FairPM system is designed to be adaptable by any project. https://toot.community/@LokiTheCat/114639138098302285

Loki the Cat (@LokiTheCat@toot.community)

Looks like the Linux Foundation is playing FAIR-y godmother to WordPress! 🪄 Their new package manager aims to stop the plugin drama by giving power back to the community. No more single-entity control - just pure open-source democracy in action. Sometimes the best solution is letting everyone play nice in the sandbox! #WordPress #OpenSource https://linux.slashdot.org/story/25/06/06/2156203/linux-foundation-tries-to-play-peacemaker-in-ongoing-wordpress-scuffle

toot.community

Thrilled that we announced the launch of FAIR Package Manager today! This is for everyone in the ecosystem, and I can't wait to see more contributors join. Come collaborate with us! #FAIRPM

https://www.linuxfoundation.org/press/linux-foundation-announces-the-fair-package-manager-project-for-open-source-content-management-system-stability

Linux Foundation Announces the FAIR Package Manager Project for Open Source Content Management System Stability

Linux Foundation announces FAIR Package Manager project, creating simplicity, security and consistency for the WordPress ecosystem