
Uncached Podcast
Uncached is where WordPress professionals drop the filters and talk shop with Christos Paloukas from Pressidium; raw, real, and straight from the source.
From hot takes on core development to the future of open-source, we dive deep into the ideas shaping the WordPress ecosystem.
No PR fluff, just honest conversations with the people pushing the web forward.
All's FAIR in Love and WordPress
In the debut episode of the Uncached podcast, host Christos Paloukas is joined by Karim Marucchi, CEO of Crowd Favorite, for a deep dive into the FAIR initiative. The conversation addresses a critical vulnerability in the WordPress ecosystem: its reliance on wordpress.org as a technical single point of failure for software distribution and updates.
Karim explains the official goal of FAIR, which is to rethink how software is distributed and managed for the open web, specifically within WordPress. The core of the solution is to "federate" the system; creating a decentralized network of repositories and mirrors, much like the Linux ecosystem has successfully used for decades. This approach aims to build a more resilient and robust infrastructure for the future of WordPress.
Throughout the discussion, they tackle key questions and concerns:
- Security: How FAIR will prevent security nightmares and dependency confusion by implementing proven protocols for provenance and code signing.
- Governance: The crucial role of the Linux Foundation in providing governance, ensuring anti-monopoly practices, and creating a neutral ground for competitors to collaborate.
- Ecosystem Growth: How a federated system could break down walled gardens, make premium plugins discoverable directly from the dashboard, and allow hosting companies to offer their own curated lists of vetted plugins.
- Community: The project's significant momentum, with nearly 300 individuals contributing, and collaborations with organizations like OpenJS, CNCF, and the BlueSky Protocol.
Uncached is brought to you by Pressidium, a managed WordPress hosting business delivering Managed WordPress Hosting Engineered for the Future.
Follow us on social media for updates and future episodes:
- X (Twitter): https://x.com/Pressidium
- LinkedIn: https://www.linkedin.com/company/pressidium
- Facebook: https://www.facebook.com/Pressidium
- BlueSky: https://bsky.app/profile/pressidium.com
- YouTube: https://www.youtube.com/Pressidium
Teaser
---
Karim: wordpress.org today, is a technical single point of failure.
Christos: Is it more about decentralization or battling over-centralization? Because what you described right now doesn't sound like,
Karim: The bottom line here is to be able to keep your WordPress running.
It's time to federate.
Christos: Cool. So we're addressing the, over-centralization of the WordPress repositories that everyone that uses WordPress relies on.
Karim: Most of the people out there who are going, oh my God, this is gonna be a security nightmare, are people who quite literally have only been in the WordPress space. They are sheltered.
We're starting to cross the 300 number of people who are actually
Christos: Props
Karim: starting to, help out in one way or the other.
We're actively trying to get Automattic and Matt to be involved because we like to stop fragmentation. We like to keep all of us together.
The whole point is to keep this ecosystem together and have a way for the ecosystem to grow and iterate and expand.
Intro
---
Christos: Hi, Christos Paloukas here with a new experimental podcast and my friend Karim as our first guest. Uncached is the name of this podcast, and what we're going to do in this podcast is address real problems in and around WordPress with a raw, real, and straight from the source kind of format.
Karim, do you want to introduce yourself?
Karim: Hi everybody. My name's Karim Marucchi. I am CEO of Crowd Favorite. We are an enterprise consulting agency that specializes in architecting WordPress, Laravel, and other open source solutions for the enterprise.
What's FAIR?
---
Christos: Cool. Awesome. And I brought Karim on this first episode of this podcast so we can discuss what the FAIR initiative is. People might have heard about it. It's definitely gathering some speed, some traction.
Karim: Mm-hmm.
Christos: So the official goal of FAIR, I have it noted here so I don't say it wrong, is simply to rethink how software is distributed and managed in the world of open web publishing specifically for WordPress. Do you want to add to that?
Karim: Sure. So the idea is simple. If you're already in the WordPress community, it's simple; if you're outside the WordPress community, it might be a little bit more work to figure out. So I try to make it simple by saying the following: To support your WordPress, there needs to be an entire ecosystem of plugins, repositories,
Christos: Okay.
Karim: ...updates, everything that, for the last 22 years, all of us have relied on wordpress.org for.
Christos: Yeah.
Karim: WordPress today is, depending on which number you pick, 42% of the internet or 65% of the CMS market, blah, blah, blah. It's really important, and it's become mission critical in a lot of enterprise spaces where we work. And wordpress.org today is a technical single point of failure.
Christos: Okay.
Karim: So the bottom line here is to be able to keep your WordPress running, it's time to federate and use the internet the way it was meant to be used to make sure that WordPress can continue to be the word, the content management system of reference for the next 20 years.
The Need for Federation in WordPress
---
Christos: Okay, "Federate." That's an interesting term to use. I have to ask why?
Karim: Right.
Christos: And I know it has to do with more than just the acronym.
Karim: Think of it this way, you know, a lot of us know that the internet was made in a way that if for some reason one route for data to get through is cut off, it finds another route to get there. It's self-repairing, so to speak. The idea here is that right now wordpress.org is the only place to get all these services in this infrastructure, and what federation means is being able to have multiple nodes, being able to say that university X, major company Y, hosting company Z all can put up mirrors of the shared resources and also create their own versions for their own customers of add-on services.
Right now, we've spent the last 22 years in a world where, for plugins, there's wordpress.org for the free plugins, and then the ecosystem for paid plugins gets very complex and it's very hard to manage for a regular user. It's time to bring those two together. With a federated system, you can start having what we call aggregators, or trusted individual entities that are running the right checks and saying, I trust these plugins, and you can start having it so there's not only no single point of failure, but you can start to branch out and have a richer ecosystem.
Christos: Okay.
Karim: Breaking down the walled gardens and making it more open. But to do that, you have to be very careful about security. You have to be very careful about how you're doing it and processes and that's why it's a complicated project that's taking so many people and resources to put together.
Christos: Do you have a rough number on the people and the resources and the where we're at with the project so far?
Karim: Today we're starting to cross a threshold. We're starting to cross the threshold from the 200 number to the 300 number of people who are actually
Christos: props
Karim: starting to help out in one way or the other.
Christos: That's exciting.
Karim: Yeah.
Christos: Huge jump. Cool. So we're addressing the, I'm going to say the over-centralization of the WordPress repositories that everyone that uses WordPress relies on for, be it updates for WordPress Core maybe too, plugins, all of that?
Karim: Yes, you could put in all of that so that you can federate the entire system.
Christos: Cool. I love that you used the word federate over and over.
Karim: You can decentralize. How's that?
Addressing Security Concerns
---
Christos: I don't know. See, that's what my next question was going to be before I forgot. Is it more about decentralization or battling over-centralization? Because what you described right now doesn't sound like, I've read some articles online saying that the attack surface increases and some other things, like dependency confusion, might be a security risk.
We can go into those in detail in a few minutes but, my question was it doesn't seem like it's going to be something that's going to be, I don't know, I can spin up my own server, run up whatever I want, wherever I want, and be part of the repository, be part of the
Karim: No.
Christos: distribution system for the plugins, because Linux doesn't work like that.
Karim: Correct.
Correct. So exactly what you were saying. And this really is a catch-all answer. Most of the people out there who are going, Oh, my God, this is gonna be a security nightmare, are people who quite literally have only been in the WordPress space. They are sheltered.
Christos: Oh, okay.
Karim: People who have experience with Linux and package managers and understand the idea of protocols around provenance and making sure that things are signed don't have a problem with this, because this has been being done for Linux for
Christos: Decades.
Karim: over 30 years. Yeah. Decades.
On the other hand. Just because let's say FAIR was up and running perfectly.
Right now we're, at, next week we're launching 0.4.
Christos: Okay.
Karim: 1.0 is our goalpost. Let's say we're past 1.0 today. You and I might want to put up our own repositories, might want to put up our own aggregators where we're pointing to repositories. But to do that, you'll have to apply and be accepted and go through a protocol, and there's technical requirements and security requirements.
It's not like just anybody can pop something up and go 'Here, I'm going to offer plugins'. And really they're just bad faith copies of somebody else's plugin.
The whole point is to not have that happen. The whole point is to keep this ecosystem together and have a way for the ecosystem to grow and iterate and expand, because right now we have a choke point and that choke point is also the single point of failure.
So we want to get past that. We wanna see where we can go as a community and still rely on, as you said, decades of experience of secure package management that's been done with Linux and the general open source community.
Christos: Yeah, that's very true. We did cover one of the concerns, or one of the questions I had, rather, the attack vector with policy. I agree that's something that can be controlled and that can be enforced, you know, the way we used with Linux. We didn't mention the Linux Foundation. We should bring that up.
Karim: Cool.
Christos: Dependency confusion, for anyone listening that might not know what that is, that's when a hacker or a person with malicious intent would upload a malicious version of the package, or one identified in the same way as the package that you're trying to download, or the plugin in this situation.
Karim: Right.
Christos: Giving them potential access to your system or malware, I don't know, the list goes on and on.
Karim: Here's an example for the WordPress world. Most people know that, I'm just gonna pick a plugin like Gravity Forms, right?
Christos: Okay.
Secure Custom Repositories
---
Karim: Today you can't get Gravity Forms on wordpress.org because there is no free version. It's a paid-for plugin only. So if the Gravity Forms folks went through the process of putting up their own mini repository with their products, and they went through the process of being verified and the security and getting onto the aggregators, then you could actually search directly from WordPress for 'form plugins' and Gravity Forms would pop up.
Christos: Okay. That's helpful. That's definitely helpful. You mentioned it before, you touched on it a bit, and what you talk about right now reminds me that you could also make custom repositories. So Pressidium, we're a WordPress hosting, managed WordPress hosting business. Maybe we can have a list of our vetted plugins.
Karim: Yes.
Christos: How would that work? We would have to submit to be accepted as an aggregator, correct?
Karim: Exactly. You could also put up your own mirror of repositories, and there's different levels that you could participate in, right? But let's say then you have a specific service that, because of your settings, is twice as fast as all of your competitors, but it only works with PHP 8 code, right?
Christos: Okay.
Karim: So you could actually set a filter on your own repository for plugins: for my end customers, only surface plugins that are PHP compatible.
Christos: Okay. That sounds like it cuts off a layer of support that we have to build into our platform either way, because we do need that granular control, on a per-plugin and per-version-of-each-plugin basis. But that's been built in-house. That is probably the case with most managed WordPress providers now.
Karim: Right. What if. What if you and your competitors had a shared foundational platform that you didn't have to maintain and that,
Christos: Explain
Karim: and that plugin what the, so what you've built in-house, right?
Christos: Yeah.
Karim: What if all of you and your competitors had a shared foundation that you didn't have to actually spend the resources to maintain? That was done by the FAIR project, so that way you could still build your own customization on it if you wanted to. But the idea of each individual enterprise company, if they have their own, or host on their own, having to maintain all of their own infrastructure goes away. Because it's a shared infrastructure, it's much cheaper to contribute to an open source project than it is to build your own solution.
That's why we're all using WordPress.
Christos: Exactly. Good point. It is beneficial, actually. It's amazing as hell what you just put on the table. Why? Because Pressidium, a managed WordPress hosting provider, we would offload having to worry about all of that in the entire process. And we could probably, I don't know, donate, contribute rather, I'm just going to say a random number, 10 hours per week to that project rather than
Karim: having to do it, yourself.
Christos: Right.
If it's 2 hours a week, two hours a week across 20 people...
Karim: You're still cutting down. Exactly. Yeah. And that's the reason why FAIR seems so interesting to people, 'cause for 22 years everybody's taken for granted what wordpress.org could do, and then anything past that they had to build on their own.
It's time to iterate, it's time to evolve. That's how we know we need this WordPress ecosystem to move forward.
Christos: Okay. I like all of that. I like all of what you're saying. It sounds interesting. I'm going to move on to another question that I have about data integrity and reliability and how potential inconsistencies between the actual aggregators or nodes would be handled. This question is answered already, because we talked about policy before and this is, again, somewhere where policy has to be applied, but I don't know if you want to add anything else.
Technical Implementation and Partnerships
---
Karim: Oh, really? So the documents are also being released on the GitHub of the FAIR plugin.
Christos: I saw that, yeah.
Karim: But the bottom line is that we're putting in a complete idea of how to deal with aggregators and repositories and federation. And really we've been very lucky to be able to get a lot of good advice from our friends. Once we joined the Linux Foundation, which I know we're gonna talk about, OpenJS came and said, how can we help? CNCF came and said, how can we help? We're working with Laravel developers for part of this. On the other hand, BlueSky, the BlueSky Protocol, they've been extremely helpful.
When we said we want to federate using BlueSky, they've actually added code to their protocols specifically for FAIR.
Christos: Awesome.
Karim: Yeah.
Christos: I didn't expect that.
Karim: So that's, this is starting to catch some real momentum.
Christos: Yeah.
Karim: It's starting to actually move forward. We have hosts testing it, playing with it, understanding what their needs are from here to version 1.0, looking towards what we're doing this fall.
And it feels this could be really, something that we hope everybody will get behind.
Christos: It sounds like it. I don't know. It sounds like it. It's moving pretty fast too. Question answered, data integrity is not going to be an issue. We talked about, okay, the WordPress ecosystem, and I am curious about potential ecosystem fragmentation that might occur from using something or splitting into having FAIR and having WPorg as a different repository.
Karim: We've been working very hard to stop fragmentation. To be blunt, we've been trying to pull projects together. You might be familiar with it, but maybe your listeners aren't. We didn't actually build a repository because the AspirePress project had already done that.
Christos: Okay.
Karim: We brought our ideas with FAIR together with AspirePress, and now we're working together. We're bringing code in from three or four other projects. We've been talking to hosts that already put up their own mirrors, understanding what their needs were and what their features were, and applying that to 1.0.
We're actively trying to get Automattic and Matt to be involved, because we like to stop fragmentation. We like to keep all of us together, and that was the whole point of starting FAIR, was to keep everybody working together rather than having the possibility, through architectural drift, of each host putting their own mirrors up.
Having to really go deep into what you just mentioned about how your team has to do things. If they can't rely on one single source, how do we make sure that we can federate that source? Distribute it.
Christos: Perfect. Do we go into the Linux Foundation, or do you want me to ask two other questions that I have here noted?
Karim: If you wanna finish up on the technical stuff, let's do that. Then we'll get over to the organizational stuff.
Christos: Cool. About all the policy that we're talking about for verifying the plugin, rather what the Plugin Team does for the plugins that are submitted to the current repository. Do you guys have an idea?
Do we rather have an idea of how that's going to be handled?
Karim: We are extremely lucky. With the FAIR project, we have three technical co-chairs, so not one leader but three leaders of the technical team, and one of them is Mika Epstein.
Christos: Okay.
Karim: For those of your audience who don't know who that is, for over 10 years Mika ran the plugin repository for .org, and yeah, she has,
Christos: She wrote the document too.
Karim: Sorry, go ahead.
Christos: No, no. Go ahead, continue. I just mentioned that she wrote the document too.
Karim: Exactly, and she has years of thoughts and documentations and experience on how it should evolve. This is our chance to implement that.
Christos: Okay.
Karim: So we are doing everything that .org did, plus code signatures, plus new ways of verification, plus the DID work replacing slugs and keeping that secure, plus plus plus. Not all of it is on FAIR right now.
It's getting there. In the next, I think, couple of weeks there's gonna be even more documentation coming towards 1.0. But this version, 0.4, is the first one that has true federation instead of just a mirror, and it's going in the right direction. So it's gonna be much more secure, yet have a lot more options than the existing repository ever had.
Christos: Awesome. That definitely covers the inconsistent review processes that might happen, I don't know, between the current repo or FAIR, and the inconsistent quality and coding standards that I had noted. I don't have any other concerns from my end.
Karim: It can't fix everything, but even with partnerships with security companies, and partnerships on how we review, and working with the hosting companies themselves, we'll be able to get a much more accurate picture than we've ever had before.
Christos: Definitely, plus you're starting from, not necessarily the ground up, but I'm going to say the ground up, because it's a team of experienced people that have already done most of what, I don't know, FAIR is trying to accomplish.
Karim: Absolutely.
Christos: I don't see why not. It started really strong. Governance started, was it the ticket, the second something about governance in the Git?
Linux Foundation & Governance
---
Karim: So actually, before we started writing code, the first thing that we did as a group is we went to the Linux Foundation. We spoke to a few, but really we decided early on the Linux Foundation, and we said, basically the concept here is, how do we create an infrastructure that can breed trust?
How do we stop any one entity, any one bad actor, from being able to manipulate the system through governance, through manipulation? And the answer came by looking, like we were talking about earlier, technically looking to Linux. For the last 30 years they've been dealing with this stuff, and the infrastructure that was put up by the Linux Foundation to create independent projects, the policies and governance bylaws that they've set up, ensure anti-monopoly practices. In fact, every meeting that we go to starts with reminders about the anti-monopoly practice policies that the Linux Foundation has.
Christos: Really?
Karim: Absolutely.
Christos: Sounds very Linuxy.
Karim: Yeah, it is. It is. And it's important, because you do have competitors sitting around the same table talking and trying to help a central project move forward, so then we can all compete around the edges.
Christos: Yeah, the system works.
Karim: Yeah, so the system works. It's just WordPress hasn't ever been involved with the rest of the Linux world.
Christos: Okay.
Karim: As a community. So what we're trying to do is we're trying to bring the entire ecosystem to work within the same ecosystem that Linux works in today and solve two problems with one stone, so to speak.
Christos: Yeah, that's saying a lot. BlueSky was very helpful and everything. Were the Linux Foundation people helpful too?
Karim: Oh, extremely. We wouldn't be talking today if it wasn't for them, honestly,
Christos: Awesome.
Karim: We couldn't have made the progress we've made in the short amount of time without their support, and we're continuing to work with them. Right now we're pulling together the first board, and we're pulling together which companies are supporting at what levels.
And we're having a lot of success in attracting support and a roadmap for FAIR into the future.
Christos: FAIR into the future. Sounds like the slogan. How do individuals get involved, not necessarily businesses? I'll ask you about businesses too, but how do individuals get involved?
How to Get Involved
---
Karim: So we've got a few different aspects, speaking about individuals. If your gift is in writing code in WordPress, Laravel, server, infrastructure, anything, go to the GitHub repo, get in touch.
Christos: Okay.
Karim: There's a publicly available Slack now that you can apply for if you're an individual and you want to contribute code.
If you're an individual and want to work on the infrastructure, the community, the messaging, the documentation, also get in touch with us through Slack and through the GitHub repo. There's an email address there too that you can send a request to. We're looking for folks to help us with content on the website that's coming.
We still don't have the website up and running because we've been running code on the actual system. So any individual who wants to help, get in touch, we probably have something you could help with. As far as the community goes, please jump in, the water's warm. Companies, we are actively looking for companies to join the Linux Foundation and join our board of governance.
Christos: Is that a prerequisite for the businesses that wanted to get involved with FAIR? The Linux Foundation?
Karim: As a business, just like with WordPress, you can send people to contribute without officially joining the Linux Foundation.
You can go right onto our GitHub and do a PR if you'd like to, right now.
Christos: That's open source.
Karim: It's open source.
If you want to get involved in the roadmap, if you want to get involved in helping where we're going and supporting the team that's there doing it, as a company you can get in touch directly with us at info@fair.pm.
And we'll come and talk to you about joining the FAIR Project as a company, and what that looks like.
Christos: Cool. I'm gonna make sure I put all that information in the video description. I don't know, I don't have any other, I don't know, questions about the FAIR Program. Oh, actually I do. Last question. What's the difference between the FAIR initiative as a whole and the current project, the FAIR Package Manager? Is there something different?
Karim: There is no difference. The technical project is the FAIR package manager for WordPress, and the FAIR initiative is the entity, the foundation, that is working on FAIR.
Christos: Awesome. Sounds FAIR. I had to make that cheesy joke at some point. I was thinking about it this whole time.
Karim: There you go. Absolutely. Absolutely.
Outro
---
Christos: I don't have anything else to add. Do you have anything else to add about FAIR, the initiative? What's going on?
Karim: No, it's just, I'm really excited because this is the first opportunity we've had to head off where certain infrastructures, content management systems, CMSs, have had a problem in relying only on one financial entity. This is the first true open source way of applying CMS, and I'm really excited to see where it goes from here.
Christos: Yeah, I'm excited too. Great way to close off the show too, literally trying to address problems in the WordPress workspace, and we're trying to get the people that are relevant to the solutions on this podcast. So we're going for the raw, real, and straight from the source.
Karim: Thank you.
Christos: That's all I have for everyone.
Karim, it's been awesome. Thanks for being on the show.
Karim: Absolutely. Cheers.
Christos: Bye.