2025·06·26 · 16:32
Karim Marucchi & Joost de Valk | Open Source Summit 2025
At Open Source Summit North America 2025, I discuss the FAIR Package Manager with Karim Marucchi. We explain what motivated the project: a major host was cut off from WordPress.org access, leaving their users unable to get updates, and then a plugin was replaced on WordPress.org without announcement. Enterprise companies immediately identified this as a supply chain security problem. FAIR creates a federated network of repositories so distribution no longer depends on a single point of control, and I explain how hosting providers can run their own nodes, what code signing and moderation look like in practice, and how compliance frameworks like GDPR shaped our architecture.
0:08 Welcome to Open Source Summit North America 2025. My name is Paul Nashawati and I'm covering the application development space and all things open source. I'm joined today by Kareem and Yoast. How you doing guys? Good. Good to see you. Why don't you guys introduce yourself to the audience? Uh I'm Yoast. I a couple of years ago, well more than a decade ago, founded a company called Yoast, which I sold in 2021, which was focused on the WordPress space. So, an SEO plug-in um and I've been an investor in that WordPress space ever since. Uh doing all sorts of
0:39 things. It's used very very uh frequently. It's very awesome. It has been used by quite a lot of websites. Yes, it has. Yes, it has. Kareem and I'm Kareem Marooi um CEO of CRUD Favorite. I've spent 30 years installing and managing teams that install content management systems in the enterprise and the last 15 years I've been doing it with open source. Nice. Nice. Well, this is uh the best place to be at, right? Open source summit, right? It's it's uh open source. It's you can see the the the the excitement here is just amazing, right?
1:11 But like let's start jump right into this because we we we're talking about different projects and different initiatives here. the keynotes were, you know, exploding with a lot of just announcements and things that are happening, you know, and so when we're looking at uh the fair uh project manager, right? This is a what let's start there and talk about like what was the impetus to kind of drive this project. So the fair package manager is is a package manager for WordPress. It's meant as a replacement for WordPress.org
1:44 work um for the reason that we've had a couple of incidents over the last couple of years and more recently the end of last year where it was made very clear that we had a supply chain security problem in the in the WordPress space and unfortunately that problem came from within uh and we we were looking at how do we solve for that so we had the a big host being cut off from WordPress org access basically disallowing all of their clients to get plugins and themes and
2:16 updates to WordPress itself at that point. And then later on we had a a plugin so piece of open source software being taken over and replaced by something else um on WordPress.org and we were looking at like how do we fix that without breaking up the entire community because we we didn't want to do that. We wanted to keep the WordPress community the way it is, right? but just change how it's distributed. Um, and that's how we came up with the fair package manager. Fair stands for federated and independent
2:49 repositories. So, the idea is that a lot of hosts when this happened started putting up their own mirrors of WordPress.org, but you still had this central problem, this central point of well a a point of failure in many ways. Um, and what we're doing with fair is we're making all those mirrors that actually become repositories at that point, making them federate with each other so that if one of the lines is cut, we just route around it and and
3:20 we well work just like the internet itself, right? Which has some added benefits uh because we can now also host plugins and themes outside of WordPress.org and still make them findable within the WordPress admin. So you can make premium plugins and and themes findable in the admin and have an entire ecosystem around that which we hope will foster innovation in the in the space a bit more and allow people to build profitable products. Sure makes sense on top of WordPress. What a lot of people don't realize is that WordPress powers more than 40% of
3:51 the web today. Right. Right. I realize that it's it's a giant single point of failure. Yeah. And it's time for an evolution of how we distribute and how we update and how we create an ecosystem of products around the biggest most successful content management system that's ever happened. Right. Well, I mean dependencies and security concerns is incredibly important especially when you're talking about 40% of the the population using or you know in the in the in the ecosystem. The the ecosystem is quite large, right?
4:22 Yeah. And when we start looking at, you know, the you touched on a little bit here about the the federated and independent repositories and what this means. Can we talk like just double click a little bit down? Kim, I'm going to start with you. Like when we look at the federated work models and how this is all coming together, what benefit does that offer to developers, hosts, and and end users? Like when you think about it, right? So in my day job, I spend all my time with Fortune50, Fortune 500 companies, right? And the cost of ownership of open source is already really the reason to come to open source
4:53 as the beginning of it, right? But then to in today's content management system, even something as simple as WordPress, we're using literally um packages and containers to even do updates because it hasn't been reliable and it hasn't been something that you could actually just say this is going to be 100% the way we do it even behind the corporate firewall. So with a fair package manager, large organizations are actually going to be able to put up their own nodes, okay, in front of the firewall, they could
5:24 share with the entire world. If you're an open organization that wants to help or behind the firewall, if you have only a subset of things that you want to make available to your organization, you can actually do that. but also we're going to be able to actually integrate more of the commercial plugins and modules that have helped this open- source ecosystem grow and be so successful over the last 22 years. I mean that makes a lot of sense though right because it is an open community right you have all these different plugins you want it to grow and you want innovation to occur right
5:56 so yos when we talk about this ecosystem is it is it being wellreceived by the e by the ecosystem or is it I I think the community was very welcoming to it yeah no the response has been very overwhelmingly positive um with lots of people reaching out and uh and well I mean there's been this this system where basically one entity has been in control of the ecosystem for a very long time and a lot of people wanted that to change and I think this is a good step towards us actually setting up proper governance
6:27 and they and a system where we can all benefit a bit more from our each other's knowledge and and work together and also decide together where this goes instead of one person or company deciding hey we're going that way. Um so it's been very well received. People are are very happy. We we've been testing with quite a few uh of the distribution hosts uh when we started working on this and I expected for a lot of them to roll this out over time. I' I'd like to add also think of it this
6:58 way as as an open-source content management system. We're competing with SAS and closed source systems that are spending tens of millions of dollars on ease of use and onboarding, right? and the ecosystem all the modules and plugins around WordPress for the last 22 years it's been an ongoing fight to try and make it easier and easier for the end users. Sure. So with fair we're able to actually have an evolution of how this happens now.
7:29 Well and you also meet in the development community but the the clients where they are in their own journey right you don't have to say like oh this is this is a prepackaged proprietary way of doing it do it our way or no way. It's like you can now you can build it the way the client wants it to be built and they can either be very mature or just starting out. So it's kind of a like I like that kind of evolution. The one thing that that I was very much interested in um when we when I was reading through the press release was the GDPR impacts the the the you know the data.
8:01 Yeah. Right. And also the telemetry pieces right the data. So like so these so Karine let's start with you what what are your thoughts there on that? So GDPR has already been uh a big concern of how we're going to address that and really with the upcoming CRA and eventually what's going to come to the United States as its own version of that. Um, if we don't do something about that, WordPress is going to be left behind because as it stands today,
8:33 the agency installing it, the the contractors installing it, the hosts themselves would all be um liable, right, for the software, right? So, it we need to have an evolution of how this works so that way we can comply. Well, yeah. Well, reporting has to occur by September 2026, I believe, and then by everything needs to be complied by December of 2027 for CRA, right? But it's it's interesting when I have these conversations about in development world, uh, organizations are like, well, that doesn't apply to us. We don't
9:04 really do a lot in Europe. But it's like, no, but you do worldwide like we're no longer anymore of like which which space you're working. The compliance is the compliance and regulations are the regulations. So you're going to box out just customers if you don't have the applications working in a certain way. Yeah. And it's quite being European, it's quite a large market. Of course it is. And uh and and as Kareem said, a lot of this is coming to the US and other places in the world in in maybe a slightly adapted form, but but the the basic underlying ideas of what this
9:36 legislation does, especially if you look at GDPR, you've you've seen that already happen with the CCPA. And this is going to happen to to the um to these other things as well. we we will have these security rules because honestly we need them right because a lot of the uh WordPress sites are also well we WordPress has a a pretty bad name in some ways in terms of security not because WordPress itself is insecure but because how it's being dealt with is sometimes very insecure
10:08 and getting better practices in ter in that and getting more uh ways of of figuring out like hey this could be vulnerable you could do things about that is actually very important. Yeah. And coming back around to telemetry and GDPR and that sort of that data and analytics side, it it's time that we practice what we preach in open source and make that data also available to the rest of the ecosystem that's creating products around. You know, Stephen on
10:39 stage earlier was talking about uh collaborate on core and compete on the edges. The only way we're going to be able to really compete on the edges and collaborate on core to truly compete with the closed source systems is if we understand those analytics and are open about it and complying with GDPR. Yeah, there's no question. But it's not just uh uh GDPR. It's not just you know one location. I I I agree with you. I think this is a this is a global impact. I mean we see this with executive orders for us bombs and software development. I
11:10 mean this this is happening across the world, right? So we have to be aware of it and I think that the adaptability and scalability is key especially when we start looking at AI right AI is going to just continue to make things you know ex make the project you know a bigger project right if we look at it so one one final thing I want to kind of talk through is is the when we looked at the press release we talked about the shared packet uh repository and how that's working um what are the next steps for fair like how is it moving forward excuse me in terms of community
11:42 engagement ment um sustainability and then the ecosystem overall. What what are your next steps? What are you thinking? Where does this go? Want to talk about the team? Yeah. So, we have a big team of people already um which we'd like to expand, of course, because who says no to more people? But um we need to give that team and and the wider community the governance and the home, which is why we came to the Linux Foundation in the first place. Like, hey, we we've done all this in the WordPress world. we are not really good about at this whole
12:13 governance stuff because we've never done this before. Let's find a partner that we can do this with. Sure. And the Linux Foundation has actually been great at helping us figure out like how do we set this up and how do we make this work for everyone. So part of it is setting up that governance which we're literally doing right now and in part have already done. Today is us going out and finding funders that that fund this foundation. So today we announced the open call for Linux
12:44 Foundation members to be able to join and help us found a foundation to have a direct fund to expand fair. Okay. So we are asking uh Linux Foundation company members to join us on the governing board and to come and help us have open transparency what hopefully will create the best open-source CMS for the next generations. So we're sitting here a year from now in Minneapolis and right we're having a conversation of what's
13:15 happening at the next OSS right and what do you you know you you kind of gave a a road map of where you want the whereas you know go what would be the ideal goal of saying hey these are the things we accomplished a year from now so I think part of this is a bit of a political question in our ecosystem it depends a bit on who joins and who doesn't join and whether we get to do this with all of us together or there are parties that remain separate and we have to do do this outside of that uh a bit. Um my ideal situation is where we all come
13:46 together and do this together. Sure. And fair becomes the de facto standard for the WordPress ecosystem and then maybe other ecosystems after that because we've set it up to be compatible with other CMSs if if possible in in the future. Um, I would love for us to all be together and and and and say, "Hey, we've actually gotten to a next step in the supply chain security of our project. We've added all these things that modern projects require code signing and and
14:17 all these things that WordPress right now doesn't have. We've made the project CRA compatible and we we've actually made it better for everyone in doing so. I that's the future we strive for. And I'm going to take the tactical side of that. I'm going to say I'd like to see the hosts adopt this and help us expand it. I'd like to see we're talking to some major American universities to put up publicly available nodes. We we're getting help from Blue Sky with the AT protocol for the Federation. We'd really like to work
14:49 with there's a package management um project here at Linux Foundation. We'd like to work with other projects. So we're hoping that in a year we've created such a rich ecosystem around what what needs to be the next open source content management system that we're able to say here's an open place for these small businesses that are doing these modules for these large hosting companies for the enterprise that's using WordPress to save massive amounts on licensing to actually
15:20 understand that there's a 20-year future in it without worrying ing about what the next company cycle is. Yeah. And I like it cuz you're growing with them. That's really really great. I really think that this is the the right direction. You you it sounds like you set up the foundation for this to happen that the roads are, you know, the roads are already paved, right? You're kind of going through this pave following those paved roads is going to be the key. It is. And I think what what really is important for the WordPress community is also to become part of the larger open-source ecosystem because we've
15:51 definitely not been a very good uh player in that wider ecosystem and I think this is an opportunity to do that. Absolutely. You know, Kareem, thank you for your time today. This has been really great. I know you're busy. You have a lot in front of you, a lot of work to do here. So, I won't keep you much longer for this, but but thank you again for for being on the show with with me today. And thank you for joining me today. I you know I I my name is Paul Nashwati and I'm coming to you live from the show floor at Open Source Summit North America 2025 and thank you to the audience for watching the cube the
16:26 [Music]