From the Stage to theCUBE: A Conversation on FAIR, WordPress, and What’s Next
Just moments after Joost de Valk and I stepped off stage from delivering the keynote at the Linux Foundation's Open Source Summit North America, we sat down with Paul Nashawati on theCUBE for a live interview. After presenting the FAIR Package Manager project to a room full of open-source leaders, it was the perfect moment to reflect on what FAIR means, not just for WordPress, but for the future of open-source software.
FAIR stands for Federated and Independent Repositories, and as you know from my previous blogs, we’ve been working hard to build a more secure, resilient, and transparent distribution layer for the WordPress plugin and theme ecosystem. Backed by the Linux Foundation and supported by a growing group of contributors and stakeholders, FAIR has gained momentum, and this conversation captured that energy right from the summit floor.

Key takeaways
- Why FAIR is needed now
Joost did a great job laying out the recent supply chain issues in the WordPress ecosystem, from unilateral plugin takeovers to host access being cut off. These are not theoretical problems. FAIR is built to ensure the continuity and security of the ecosystem, especially for those who rely on WordPress at scale.
- A path forward that includes everyone
FAIR is not a fork, and it’s not a political move. It’s a technical solution built around community input and shared governance. We want everyone, hosts, plugin authors, enterprise users, to feel they have a voice and a seat at the table.
- Designed for compliance and trust
At Crowd Favorite, we’ve seen firsthand how enterprise organizations struggle to balance flexibility with compliance. FAIR helps close that gap, baking in trusted, secure distribution and aligning with regulations like the EU’s Cyber Resilience Act. Whether behind a firewall or distributing publicly, it’s built for enterprise from day one.
- Governance backed by the Linux Foundation
One of the major themes we stressed, both on stage and in this interview, is governance. This is why we’ve partnered with the Linux Foundation: to ensure that FAIR’s Technical Steering Committee is accountable, transparent, and community-elected. We're building this the right way.
- It’s time for WordPress to mature as an ecosystem
As we said during the keynote, WordPress powers over 40% of the web. That makes it a single point of failure. FAIR aims to turn that fragility into resilience, by decentralizing distribution, enhancing security, and modernizing how updates and compliance are handled.


“As soon as you understand the supply chain risk, you realize this is a must-have, not a nice-to-have.”
- Paul Nashawati

“FAIR allows enterprises to install, certify, and control the software that runs their web infrastructure, without relying on a single, centralized repository.”
- Karim

“We've built FAIR to be a distributed system that evolves how WordPress is updated and maintained—without breaking the ecosystem.”
- Joost
Video Transcription
Paul Nashawati: Welcome to Open Source Summit North America 2025. My name is Paul Nashawati and I'm covering the application development space and all things open source. I'm joined today by Karim and Joost. How you doing, guys?
Joost de Valk: Good, good to see you.
Paul Nashawati: Why don't you guys introduce yourselves to the audience?
Joost de Valk: I'm Joost. A couple of years ago—or more than a decade ago—I founded a company called Yoast, which I sold in 2021. It was focused on the WordPress space, an SEO plugin. And I've been an investor in the WordPress space ever since, doing all sorts of things.
Paul Nashawati: It's used very frequently. It’s awesome that it has been used by quite a lot of websites.
Joost de Valk: Yes, it has. Yes, it has.
Karim Marucchi: And I'm Karim Marucchi, CEO of Crowd Favorite. I've spent 30 years installing and managing teams that install content management systems in the enterprise—and the last 15 years I've been doing it with open source.
Paul Nashawati: Nice, nice. Well, this is the best place to be at, right? Open Source Summit. You can see the excitement here is just amazing. Let’s jump right into this. The keynotes were exploding with announcements. When we're looking at the FAIR package manager—let’s start there. What was the impetus to drive this project?
Joost de Valk: The FAIR package manager is a package manager for WordPress. It’s meant as a replacement for WordPress.org, for the reason that we’ve had a couple of incidents over the last couple of years—and more recently at the end of last year—where it was made very clear that we had a supply chain security problem in the WordPress space. Unfortunately, that problem came from within.
We were looking at how to solve that. One big host was cut off from WordPress.org access, disallowing all of their clients from getting plugins, themes, and updates. Later, a plugin—an open source software—was taken over and replaced with something else on WordPress.org. So we asked: how do we fix this without breaking up the community?
We didn’t want to break the community—we just wanted to change how things are distributed. That’s how we came up with FAIR: Federated and Independent Repositories.
Joost de Valk (cont’d): A lot of hosts started putting up their own mirrors of WordPress.org. But that still left us with a central point of failure. What we’re doing with FAIR is making all those mirrors into federated repositories, so if one goes down, we route around it—just like the internet.
That also allows us to host plugins and themes outside of WordPress.org and still make them findable inside the WordPress admin. That opens up innovation and allows for premium plugins and themes to thrive in a healthy ecosystem.
Karim Marucchi: What a lot of people don’t realize is that WordPress powers more than 40% of the web today. That’s a giant single point of failure. It’s time to evolve how we distribute, update, and create an ecosystem around the most successful content management system ever.
Paul Nashawati: Dependencies and security concerns are incredibly important, especially with 40% of the web involved. Can we double-click into federated and independent repositories? Karim, starting with you—what’s the benefit to developers, hosts, and end users?
Karim Marucchi: In my day job, I work with Fortune 50 and Fortune 500 companies. The cost of ownership of open source is a major reason they choose it. But even with WordPress, updates are often handled through packages and containers because they’ve been unreliable.
With FAIR, large organizations can set up their own nodes—public or behind the firewall. If you only want to make certain packages available internally, you can do that. Plus, we’ll be able to integrate more commercial plugins and modules that have helped the ecosystem grow over the last 22 years.
Paul Nashawati: That makes a lot of sense. You want innovation to occur. Joost, is the ecosystem welcoming this?
Joost de Valk: Yes, the response has been overwhelmingly positive. There’s been one entity in control for a long time, and many wanted that to change. This is a step toward proper governance and shared decision-making. We’ve already started testing with distribution hosts and expect more adoption.
Karim Marucchi: Think of it this way: we’re competing with SaaS and closed-source platforms that spend millions on ease of use. With FAIR, we’re evolving how we meet users—and clients—where they are in their journey. You don’t have to conform to one proprietary way anymore.
Paul Nashawati: When I was reading the press release, I saw the GDPR and telemetry concerns. Karim, what are your thoughts there?
Karim Marucchi: GDPR has already been a big concern, and with the upcoming CRA (Cyber Resilience Act) and future U.S. regulations, if we don’t adapt, WordPress will be left behind. As it stands, agencies, contractors, and hosts could all be held liable. We need to evolve how software is distributed to comply.
Paul Nashawati: Reporting needs to happen by September 2026, and compliance by December 2027 for CRA. Some say it doesn’t apply to them—but they do business globally.
Joost de Valk: Exactly. Being European, I see that firsthand. GDPR ideas are influencing other laws—like the CCPA in the U.S. We need better security practices. WordPress isn’t inherently insecure, but how it’s deployed often is.
Joost de Valk (cont’d): Telemetry and data sharing is part of that. In open source, we need to practice what we preach and make that data available across the ecosystem. As Stephen [Walli] said earlier: “Collaborate on core, compete on the edges.” That’s how we compete with closed-source systems.
Paul Nashawati: Yes—and AI will only increase the scale and impact of all of this. What are the next steps for FAIR in terms of community, sustainability, and the ecosystem?
Joost de Valk: We already have a big team and want to grow it. But we need to give the community governance and a home—which is why we joined the Linux Foundation. They’re helping us set up governance and sustainability structures.
Karim Marucchi: Today we opened a call for Linux Foundation members to join our governing board and help fund this initiative. We’re aiming to create the best open-source CMS for the next generation.
Paul Nashawati: So next year, when we’re in Minneapolis, what do you hope to say you’ve accomplished?
Joost de Valk: That depends on who joins us. Ideally, the entire ecosystem collaborates and FAIR becomes the de facto standard for WordPress—and maybe other CMSs. We’ve built it to be compatible. If we can add code signing, CRA compliance, and supply chain improvements, we’ll have made a major leap forward.
Karim Marucchi: Tactically, I’d like to see more hosts adopt FAIR, and we’re talking to major U.S. universities to host public nodes. We’re working with Bluesky (AT protocol) and other Linux Foundation projects. I want us to create an open ecosystem that supports small businesses, large enterprises, and sustainable growth.
Paul Nashawati: That’s fantastic. It sounds like the foundation is solid. Karim, Joost—thank you for your time today. I’m Paul Nashawati, coming to you live from the show floor at Open Source Summit North America 2025. And thank you to our audience for watching theCUBE, the leading source in tech.