
The WP Minute Podcast: FAIR Package Manager for WordPress
I recently had the great pleasure of joining Matt Medeiros on The WP Minute podcast, alongside my friend and FAIR Technical Co-chair, Carrie Dils. We were there to dive deep into the FAIR Package Manager project, a new initiative we are a part of and that is backed by the Linux Foundation.
FAIR stands for Federated and Independent Repositories, and our goal is to build a more transparent, trusted, and stable future for the WordPress plugin and theme ecosystem. In the episode, we gave a candid, behind-the-scenes look at what FAIR is, how it works, and why we believe now is the perfect time to evolve how WordPress handles software distribution.
It was a fantastic conversation, and I’m excited to share it with you.
Key Takeaways
- FAIR is not a fork. This was one of the first things we wanted to make crystal clear. FAIR is designed to complement WordPress.org, not replace it. Our vision is to create a distributed, resilient network of trusted repositories to ensure continuity for the entire ecosystem.
- We built this for transparency and governance. FAIR is governed by a democratically elected Technical Steering Committee under the Linux Foundation. For us, this structure is non-negotiable. It ensures decisions are made openly and with community input, addressing some of the long-standing concerns around transparency in the WordPress space.
- Security and compliance are standard, not optional. We're embedding features like cryptographic signing and repository mirrors from the start. We're also building in compliance frameworks for regulations like GDPR and the EU’s Cyber Resilience Act as well as partnering with security leaders like Patchstack to improve scanning and validation.
- It’s enterprise-ready from day one. As the CEO of Crowd Favorite, this is incredibly important to me. FAIR offers features that large organizations need, like delayed update rollouts, private plugin repositories, and the ability to certify approved plugins for use behind corporate firewalls. This is about dramatically reducing the total cost of ownership (TCO) for serious WordPress users.
- Matt didn't hold back, and we were happy he didn't. Matt raised tough but important questions about governance, transparency, privacy, and the potential for creating division. Carrie and I welcomed the chance to address each concern directly. Open dialogue is exactly what FAIR is about, and this conversation was a perfect example of that commitment in action.
The most important takeaway for me is that this is about evolution, not division. More than 150 people from the WordPress Ecosystem brought this dream to reality and we all see FAIR as an open invitation to the entire community. We want to collaborate to evolve WordPress distribution so it can meet the needs of modern enterprises, developers, and users for years to come.
Have a listen, and for those who prefer to read, the full transcript is below. I’d love to hear your thoughts.

"This is about certifying where something is coming from and having a transparent process, because without that, enterprise trust breaks down."
- Karim

“We've trusted that good is happening with our data, but we’ve never really had transparency. FAIR gives us that visibility.”
- Carrie

“We all kind of trusted WordPress.org with our data. Turns out, we didn’t fully understand what was happening behind the scenes.”
- Matt
More from Across the WordPress Community
The Repository: FAIR to Decentralize WordPress
Ryan McCue: Building a stronger ecosystem
Joost de Valk: A new path forward for WordPress, and for the open web
Siobhan McKeown: A way forward with FAIR
Podcast Transcription
MATT: We are going to talk about FAIR today. FAIR has been in the news. We got a taste of it at PressConf. But for folks who don't know who you are and what you do, Carrie, I'll start with you first. What have you been up to these days?
CARRIE: Sure. My name's Carrie Dils, long time developer in the WordPress space and instructor. And lately I've been working as a co-chair for the Technical Steering Committee for the FAIR Project. FAIR, for anyone that doesn't know, stands for Federated and Independent Repositories.
MATT: Awesome stuff. And Karim?
KARIM: Hi, Karim Marucchi, CEO of Crowd Favorite, and also working with the Captain Planet Foundation on their board and working with the Scale Consortium for trying to promote WordPress into the enterprise.
MATT: Awesome stuff. The post, the blog post from the Linux Foundation on June 6th, the title is Linux Foundation announces the FAIR Package Manager project for open source content management system stability. There's a lot of words there, in that title, and the way that I understand it is I, listen, I was a Linux enthusiast many years ago. I, folks that listen to my podcast for a while know that I used to sell computers at a place called Circuit City. And at Circuit City you could actually walk into the store, go to a shelf and pick up Linux Mandrake, Red Hat. I'm forgetting the others that they offered. But you could also buy a Linux Bible as an accessory. And I was steeped into Linux many years ago, and I'm very accustomed to when we installed Debian, I remember watching all the servers connect to all the, or I remember the systems connecting up to all the servers to apt-get install all these packages and they'd come from servers around the world. And I thought it was really cool and it made sense to me and the technology made sense to me. And that was like 30 years ago. And, the technology makes sense to me, but what's the core of what FAIR offers to WordPress, at least in the context of June 19th, 2025?
KARIM: Sure. If you don't mind, Carrie, I'll do the plain English version and then you can jump into some of the WordPress technologies.
CARRIE: Perfect.
KARIM: So you hit the nail right on the head, Matt. It is a package manager for WordPress. And for the folks who don't know Linux or package managers, the idea is that we've had a wonderful ecosystem and the WordPress universe for many, many years. And unlike other open source projects where when you download the zip file, it is everything, it is self-contained. We've had a reliance on the infrastructure that was put up by WPorg wp.org for a long time. And that infrastructure isn't just where you get your plugins and themes and other things, but there's a whole universe of things there that basically is a single point of failure. So to try and do what the entire world is doing with trying to secure supply chains and trying to make sure that you can always get access to the things you need. It was time for an evolution of that ecosystem into being available no matter what, of being available from multiple points. And there's been so many evolutions in the last 30 years of how package managers work and the federated infrastructure. Carrie will talk about the AT Protocol, but basically how Bluesky works. Instead of being one server, it goes across the world and uses many servers. It was time to have that surety in the WordPress universe. That's the short, compact business version of it.
CARRIE: Thank you, Karim. You did a pretty good job. How technical do you wanna get?
MATT: What's, what do we envision? Let's say, I, lemme ask this question real quick if it's a, if it's a quick answer: is FAIR officially launched? Is it, would you deem it officially launched?
CARRIE: Yes. So currently it exists as a plugin, so you could go download it directly from the GI repo yesterday or no, Tuesday, the 0.3 version release happened and you could download that today, upload it onto your WordPress all and activate it. You're not really gonna see much happen. But behind the scenes, it's now serving your, any updates coming from Aspire Cloud. In the future the idea is to extend that so that others can point to any source. This is just the one we happened to start with 'cause the Aspire Press team had already done a tremendous amount of legwork, getting that up and running. But the future roadmap part of that involves letting other people or instructing other people on how to open up these repositories.
MATT: Yeah. Back to my example of installing Linux packages back in the day I, depending on what I was installing, sometimes I'd see a server from NYU. Sometimes I'd see a server from the government. Sometimes I'd just see some random server. I have no idea where it's coming from. At launch, is there a sense of how many servers there are? Just from a high level overview? Is it just one on the east coast, one on the west coast? Is it deeper than that? What does it look like technically from the server footprint right now anyway?
CARRIE: I will let you answer that one, Karim.
KARIM: All right. Yeah. So right now we have the Aspire Cloud running, and on top of that we have 32 nodes from Fastly. Is that Carrie? How many nodes is that? 30 i 29, 32 something. That sounds about right. We have multiple nodes, dozens of nodes across the world. I'd have, we'll fact check that number and put it in the notes. But that way it's replicated around the world and available today around the world. Before we get to version 1.0 that it's actually gonna have the AT Protocol federation, at that point, it'll be exactly like you, you said, Matt, where there may be a major US university, there may be a hosting company that creates it. There might be a major corporation that says we're gonna host a node for failover and make it publicly addressable. The thing is, for the end users today, nothing changes. You go, you can go and update your plugins if you already have WordPress installed and you don't notice a difference. You'd have to hover over the link and look at the URL down at the bottom of your browser and understand there's a difference at all today.
MATT: Yeah. And these nodes. And again, I'm just sticking more on the technical side because I do want people to understand that like this technical stuff, this is a good thing. Right, we'll talk about 'cause I have questions about Linux foundation and management and all this other stuff. But I think from the groundwork level, yeah. We want this right. Anyone in systems, in tech anyone running a website knows. Yeah, I need a backup of whatever it is. I have my kids' photos, my corporate website, whatever, like we need, we need that continuity to happen and this makes sense. So talk to me about this Aspire Press, are they like the man, the technical management layer to all of the nodes? In other words, in the future when somebody says, Hey, I wanna run a node, I'm Microsoft, we wanna run a node, do they knock on the door of Aspire Press tech stack and that's how it gets incorporated into FAIR? How does one become a hosted node if they wanted to?
CARRIE: So there's something called, and the TLDR is, no, you don't have to go knock on Aspire Press's door. There is something called a FAIR protocol, and that's currently being developed that will provide full technical instructions for how someone can participate in that. Along with sort of the rules of engagement. So when I say rules of engagement, things that in order to participate, things that need to be in place around privacy, around contact information for people hosting these packages, things that would bring a node into compliance with things like GDPR. And give and additionally give users an opportunity to moderate or provide feedback if there is a bad actor, for example.
KARIM: This would be a good time to probably mention that one of Carrie's co-chairs is Mika Epstein, who we all know, but for those who don't basically ran the plugin repository for almost a decade. And has sorted through tens of thousands of plugins. She wrote basically a Bible. She dropped a 40 page document recently that basically says, here's the concept of a protocol so that we can all make sure we have safe sources of plugins, we have safe contact information. We're complying with GDPR, we're complying with a CRA that's upcoming in Europe. But how do we do it that's safe, secure, yet distributed for that failover and distributed so that we can open up the ecosystem?
MATT: One of the things that somebody might be concerned with and something that I was concerned with when I was running Linux stuff and I guess still am today is how does one or how does FAIR safeguard the plugin introduced from Matt's server running in his basement. Maybe you wouldn't approve my server running in a basement, but if somebody put a server online and hey they cleared the protocol to become part of fair and the rules of engagement, et cetera, et cetera. But it's not like you're overseeing all the servers or are you? But how does one know that the package from a particular server is going to be safe and from the plugin author that they expect? And if any of these questions are too early on you can certainly tell me it's too early on to figure this stuff out. But how does one know that the plugin that they're getting is the one that they want?
CARRIE: Do you wanna take that Karim, or..
KARIM: You go ahead and start? I'll wrap up.
CARRIE: Okay. So you're right in the sense that there will not be a central body monitoring and personally reviewing all of the code that goes up. That's been historically a bottleneck to plug in publishing on .Org and something that hopefully this distributed model can solve for by leaving moderation at ultimately in the hands of the community and the users. But initially, those checks to ensure compliance on a variety of levels. Now, if there's, I don't know what's being done specifically, and Karim, maybe you might know the answer to this in terms of what security scans it's passing or that, that sort of thing. Do you wanna elaborate more?
KARIM: Yeah. So I wanna start by comparing it to what we have today. Let's talk about wordpress.org and the 72,000 plugins that are there. There are some automated checks and a basic human check that will be able to be replicable in this system, included in The Federated Repository. Plus, we're working with partners like Patchstack to say, what's the next level of security? What's the next level of checks? With everything that we're seeing, here comes the magic word of the moment with AI, with everything we're seeing with how different rep Feder different repositories in Unix do take care of these same exact issues. We, this is already a step above what we have today as we've now federated it. Part of the protocol is creating an easy way to quickly catch, if somebody does that right now, you'll be able to have the same type of checks we have right now. So it isn't getting worse. It's definitely getting better. It's what it is today. Plus the question is how quickly can we do that? And we are actively working with hosting companies to have those conversations.
MATT: Is, and this is okay if it's not, I'm just curious, but is the infrastructure of all of this Open source or transparent. In other words, somebody could see much like you can go to a GitHub repository and see, like the last committed line of code. Could somebody do that on a particular node to understand, wait a minute, I see NYC servers updated here, time.gov over here is not that visible that folks in this community can actually see it at that degree?
CARRIE: Do you mean a specific package?
MATT: I'll even preface it this way 'cause we ain't no, we get no idea what's happening on wordpress.org. That was pretty obvious over the last six to eight months. Let's all of a sudden, like we all had this kind of idea of what it was and what it is. It's come to find out it's slightly different. So I'm wondering if there's more transparency, more visibility. On a server. So could you, yeah, so for example, Carrie, could you look at a server and say, oh, it's got these thousand plugins over here, but it doesn't have any themes, it just has plugins. Are we able to see that kind of thing in this network?
KARIM: I think we're still building the technical answer to that, but the governance answer to that is today in open source you have the idea of people who do pull requests, people who, who can maintain and people who can actually commit to core. This system will be a lot like that there. Over time, there will be trusted nodes, trusted administrators that will be able to see more of the private information that isn't publicly available. But those will be governed under the rules of the Linux Foundation instead of one particular company that does with it what you please. So the Linux Foundation has anti-monopoly rules. They have transparency rules. They have GDPR rules, all of those things in place. So that I can honestly say to you in your hosting your personal website, Matt, that the code that's coming across here has followed all of these rules and regulations and is as transparent as you can make it without doxing somebody.
MATT: Okay. I do wanna start to talk more about like, I guess, the politics side of it and the more human side of this stuff in a moment. But is there anything else on the table right now, on the technical side that folks should know? Package management. We get that plugin. You don't see anything change as of right now. Anything else on the technical side you'd like to address?
KARIM: Absolutely. I'll say again Carrie can probably go into more detail than I can, but what's being developed is a C-level change in how we're managing plugins over time. Right now in the WordPress world, trying to manage a free plugin and an upgrade to a premium plugin is a very disjointed process. Or if our friends at Gravity Forms have only a premium product, there's no way to really have it all in one centralized location. Replacing slugs with VIDs replacing the way this system is put together, we are going to be able to really enhance this ecosystem and bring it to be an open market for folks to be able to do things. It won't be a walled garden like Apple or Google Play. It will be actually an open market where people can put products out there. And while we're working on, how will reviews work and how will scoring work and all these fun things, we are already getting questions right now from hosts who are actively working and playing with our first versions of code. Even though this is an MVP asking things like for our more performance servers, we want to limit the plugins to PHP 8. Can we filter for PHP 8 letting our customers know if you want this performance side of the hosting, we can do that. And the answer is yes. We will be able to have all these different types of filters that users, hosts, and others can apply. That is a dramatic change from what we have today.
MATT: Yeah. Carrie, anything else that you want, you wanted to add on that?
CARRIE: I'll just add for the record that it's 97 points of presence with Fastly.
MATT: Oh, nice. Nice.
CARRIE: So we're almost three times Karim’s guess. Good job.
MATT: Yeah. And one would say probably 96 times what we have now.
CARRIE: Well, Automattic has 27 if you wanna get..
MATT: Oh, okay. All right. Okay. I, alright. Okay. The big question, and I don't want to just just go blow right past the obvious. But why FAIR now? Why have you come together now to launch this?
KARIM: Well, If you live outside the WordPress world, there's been a little bit of an upset in the WordPress world since last fall, and, everybody's coming together for slightly different reasons, but the bottom line is this is one of the most vibrant ecosystems that's been created at Open Source. We need to keep it evolving. We need to keep it fresh. We need to keep a future for the next 20 years of the code that we've come to love that we're calling WordPress today.
MATT: The one of the first things that I criticized on the launch was, the headline that I read at the top of the episode from the Linux Foundation says, and lemme just repeat it one more time. Linux Foundation announces the FAIR Package Manager project for open source content management system stability.
And then the opening paragraph, I won't read the entire opening paragraph. But it says commercial plugin and tool developers in the WordPress ecosystem and end users. I'm curious. And then and then I want to like, understand the Linux Foundation more. 'cause I certainly don't understand it because I've never had to research it up until now. The framing of it is content management systems. Does this mean that it's WordPress now, but maybe other content management systems in the future?
KARIM: Funny you mentioned that because we've actually had a few conversations with some folks in different aspects of the Drupal community. Won't say who that have said this might be a good idea also for Drupal, a package manager and the technology behind it is agnostic. The architecture could be applied to any other content management system as well. But to be fair, sorry, couldn't, it's gonna get,
MATT: Listen, this is gonna get used for years to come.
KARIM: This was created because we have a unique problem in the WordPress ecosystem around the fact that there is one choke point that could make a decision that could affect every single instance of WordPress out there. And we needed to make sure, as a community, we needed to make sure that we can get a level of trust from the end users. The reason why a lot of people, there's been a few articles that says I installed the plugin and I didn't notice a difference. Thank goodness. The whole point is to keep this as easy as possible for the end users. This is a tool that's created for hosts. This is a tool that's created for large organizations and universities to be able to say to their end users, you can trust where this is coming from. And then it adds those other layers of a new way of creating the plugin ecosystem and a new way of dealing with some of the security issues and the regulation problems that we've had in the past.
MATT: There's how do you frame it? Is it fair right now? Have you, Carrie and who are the other two that are helping? Is it the governing body? Is that how you phrase that?
CARRIE: There are three elected co-chairs, myself, Mika Epstein and Ryan McCue. And then in terms of governing beyond that.
MATT: Okay. Yeah. So how does that umbrella work? We're under the umbrella of the Linux Foundation. My curiosity is, okay, we have the three of you, we all know you, we all love you. But then who are these people up here? Are they gonna start saying Well Carrie, your idea about managing these plugins? That's not how we want it. Are we entering into a corporate ladder system all over again? How does that all break down?
KARIM: I would love to take that question and Carrie, add any color commentary I don't understand or I don't get across. We are modeling this like every other single of the 900 plus Linux projects and the way they work is this, there is a technical steering committee and that technical steering committee they've allowed us to keep a few people's names quiet, who still have a little bit of fear about their jobs and positions, or their employers have said they couldn't publicly say they're working on this yet. That technical steering committee, let's say it's about 60 people, for the sake of conversation, that technical steering committee democratically, elects three co-chairs. In this case, Ryan, Mika, and Carrie. They democratically have working groups, and those working groups are about 300 people today and growing quite literally every day. In those working groups, they are also making democratic decisions and they are making proposals and they're voting on those things. Those things get chaired by the three co-chairs and they're creating a roadmap, a long-term and a short-term roadmap. Now the way it works is right now it's completely just a technical project. So whatever's voted on, whatever is ratified by the three co-chairs just happens. By the time this airs Joost and I will be, will have been on stage in Denver on Monday morning and at the Linux Foundation Yearly Summit, we'll be announcing the directed fund and the foundation that's being correct erected around FAIR. And the way that works, like every single other Linux Project, Linux Foundation project, is that there will be a governing board. That governing board is not made by people. That governing board is made by companies that join the project and fund the project.
That governing board does not get to say, I'd like to see X on the roadmap. That governing board is quite literally like any other true nonprofit foundation out there. Their major job is to go get funds and to unblock the roadblocks that the TSC comes across. That funding board will also create a technical advisory council. That technical advisory council. Let's say major company, major hosting, company X joins that board. They might have an executive on the board that's helping us fundraise. Yet they also have a tech, we create a technical advisory council, that technical advisory council. That hosting company might take their CTO or somebody who really knows WordPress and put that person on the Technical Advisor Council.
That Technical Advisor Council is supposed to be decades and decades of open source and engineering experience that's there as a resource for the TSC and there to help the TSC when they need it. But let's be clear, they cannot tell the TSC what to put into the roadmap. They cannot tell them what is the next feature. What will eventually happen is that this TAC will work with the TSC and in the TSC creating a roadmap. The TAC will ratify it. The only thing they, the only power they have to do is say, Hey, we see your long-term roadmap and we see that nine outta 10 of these features that you have in your roadmap look good. But why are you putting a Mario Kart emulator in WordPress? That doesn't seem congruous, right? Could you please go back to the drawing board and at least explain how this moves the project forward? They do not have any say on what goes into the project. Just to be clear.
MATT: You mentioned the 300, you said 300. Was that just the number? That you just threw out there, 300 working people in this group. Is that like active for fair or is that the greater of Linux Foundation?
KARIM: No, that is active within the fair project. Okay. There are, there is a core group of people who are writing code and then there's a larger group, for instance. I don't write code. Even though I did a pull request last week, that was all for documentation.
MATT: It was just a, yeah, it was just a read me file. Karim don't..
CARRIE: Hey, every PR counts.
KARIM: There, there are about 300 people working on it behind the scenes and that includes some of the engineering teams from hosting companies.
MATT: Funding is, has always been an issue, right? Sponsoring contributors five for the future, like all this stuff it always falls back to who's paying me to do this? And if I don't just love open source, then what am I doing here? Is FAIR going to have the same, I'll just call it financial problems. Is FAIR going to have the same financial problems that we see in WordPress as we know it today, or is the, does this structure invite better cash flow, for lack of a better phrase? Or will you be fundraising with a donate page, et cetera, to get people to contribute?
KARIM: So I'm glad you asked that because honestly we do have a much better model. It was funny, one of the things that we had to really help educate the Linux Foundation on the particulars of the WordPress ecosystem is that a majority of the work is always done without getting paid. The Linux Foundation is used to fundraising so that way they can pay for time to be committed to these projects.
So they're coming from literally the opposite direction that the WordPress community is used to. So we're hoping to change that. And we're trying to partner with organizations like the WPCC. We're bringing on other partners. We're working through the Linux Foundation, and we'll always be open to anybody joining the project, you don't have to be a major corporation to join the project. Yeah. Plugin companies, small theme companies could all join the FAIR project and become members of the Linux Foundation. It's actually very reasonable depending on the size of your company.
MATT: Right. One of the another challenge and this is great, like this, I think what, at least for me anyway, you're illustrating some more clarity around especially the Linux Foundation and maybe some of the operations that, that you have so far with FAIR. But there's a, but there's a big, but because one of the, one of the great things about open source, or excuse me, one of the great things about, open source WordPress is it's a double-edged sword. It is great because somebody like me can say, Hey, I'd love a feature inside WordPress and I will never stop telling this story because you can open up command, you can open up the command palette and get to template parts. Because of me, because I said we gotta get to template parts through command palette. I can get to templates. Why can't I get to template parts? So I open up the issue. Another skilled develop, a skilled developer saw at Brian Cords and he said, let me write this code. He wrote the code. Other people checked it and it co committed. And it doesn't happen all the time, and it certainly doesn't happen with all the features that people want.
But one of the great things is for open source, it's very loose. You could just walk in and say, gimme this feature, and it gets made. Or you could say, gimme this feature. And it sits in Trac for 15 years literally. And it never comes. And you're like, why the hell aren't people doing this? Because there's not a, there's, it doesn't have that same infrastructure. You outline a bunch of infrastructure that FAIR is going to have. And it seems like that governing body is like my local government where I walk in and they go, you got three minutes. Go. In, like in, in the public forum, you got three minutes for community input. Go.
What's the give and take honestly that you see with having all of this structure versus the no structure that we have now? 'Cause I see positives and negatives. Oh, I gotta go to the committee and the committee has to say yes or no, and then that gets passed to somebody else. Like I feel like we got a lot of government there, right? Your take.
KARIM: Carrie, you wanna start? I'm happy to jump in or
CARRIE: No, I'm curious to hear what you say.
MATT: Jump on that grenade. Carrie would.
KARIM: No, I'm happy. I'm happy to take this one honestly. I'm a Monty Python fan and for those of us who, who love the holy grail, there is the constitutional peasant scene about how everything has to go through 12 committees and then it's voted on. That's one of the reasons it's always been used against. Not having a benevolent dictator for life. The problem is that it's a giant pendulum swing in everybody's mind. So what I'd like to say is that the way this is evolving, the way FAIR is coming together under the Linux Foundation.
These working groups can all work on different things, including GDPR, including sustainability, including the CRA act, and then when they have these commits, we can go through a process of saying, Hey, these commits need to go to core, and these commits should be an economical plugin. Maybe someday there's gonna be an economical plugin for regulatory things in Europe, and another one for what will surely become regulatory things in the US or any other country.
Other things should be committed to core but at least now there's a process where if Matt comes up with something that he says, this should really be in there, he can go to the correct working group, which are like the make groups in current WordPress. He can go to a working group and say, Hey, we'd like this to be part of it and it's not just on somebody's whim that it doesn't get put in there. And there is a give and take there. It's gonna take a little bit longer, but at the same time that a little bit longer, we're talking about weeks, possibly months, gives you a certainty of going through a process that's open, transparent, and there's a good reason for, there was no good reason that the browser checking was calling home and sending all that telemetry home.
That ticket had been closed for a very long time. There had been code committed a long time ago, and it just wasn't put in. There are other tickets that have been closed quite literally over a decade that should have been put in there. And now we have an avenue to make those available.
MATT: What we're saying on that particular topic, just for the listener is WordPress you're running an instance of WordPress from wordpress.org. It's sending back some data that might fingerprint your website. This website has x amount of plugins, X amount of themes. I don't know, maybe traffic. I don't know if that's a thing that it was capturing, but all of this is getting fed back to .Org and that was a discovery that. It was probably made, what quite we, we discovered it quite recently or we knew, we've known about it for a while, but we just didn't know what .Org was up until recently. Can you just illustrate that real quick?
KARIM: Go ahead.
CARRIE: Oh, something that Karim mentioned, I don't know how long that Trac ticket has been open, but that's something that's been surfaced for quite some time. I think to your point, Matt, the, we've all trusted that good is happening with our data. But we never have really had transparency as to what data is collected. Unless you're really digging in the code, you didn't even know that was happening, that you were sending data. You're not consenting to share that at any point. And that's the problem.
KARIM: There has never been any independent, third body complete code audit of WordPress.
MATT: This allows us to do that or at least have an alternative. Is the best way to have?
CARRIE: Yeah. So in the case of FAIR, it's, it interrupts that call. So that call never happens back home. And instead it replaces it with a browser list, which is a more current technology where the browser version check happens locally on your site. It doesn't go off to any server. So it's reducing an external call altogether and replacing it with something that's more performant and obviously more private 'cause it's never leaving your site.
MATT: Is that the inspiration for somebody to say, I want this now.
CARRIE: I think it certainly it could be, I think there is
MATT: What I'm thinking of is like switch from Chrome to Brave because Brave doesn't track you allegedly. Right. Is it that kind of call to action that you're hoping to instill with something like that?
CARRIE: Karim may have a different opinion. Personally, it's for me, it's less about the fact that it's sending telemetry. I don't like that. But I'm also, I know that probably a lot of things collect my data without my consent, and I just am not aware of it. For me it's more about the stability of knowing that if, for instance, I've, I'm running plugin X or well, plugin ACF on my site that if I've got auto updates turned on, then the next time I log into my dashboard, it doesn't say Secure Custom Fields, it still says ACF. That's my concern as a, as someone who's creating a lot of sites for clients and also managing my own sites, more so than the privacy, but it is both. Again, people have different priorities. I don't know if you wanted to add to that, Karim.
KARIM: No, that's exactly the reason why most of us got involved was being able to certify where something is coming from and having a transparent process if there is a bad actor, right? Let's say there was a bad actor happening and a plugin did need to be replaced or taken down. Would you like to know? Why? Would you like to know the reasons? Would you like to know? What it's being replaced with. Would you like to know where your information is going? The difference between the existing infrastructure today and FAIR is there is an open repository for FAIR. You can see every line of code.
MATT: One of the things I have a few more questions on the FAIR stuff and then I have one question I really wanna wrap, wrap up with. But one of the things I have written down here and something that I had said in one of my monologue episodes a few weeks ago, is that I'll just ask the question directly. How ready are you all personally for the scrutiny moving forward for that divisive Twitter algorithm of you either go with FAIR or you go with .Org, because I think this is a reality unfortunately, of humans that we all have to deal with and until FAIR is proven, it's that turbulent ride up where it's just oh yeah, package manager, we, we don't need that or, oh, they say security, but actually it's more exposed to, to bad actors. All of the fodder that's going to happen. Both from the other camp air quotes for those of you not watching and from fools like me who have real questions about Linux Foundation and other concerns of, yes, we want better government, but do we want more government, that kind of thing.
How ready are you all feeling for that level of scrutiny? That I think probably has already started, but we'll start, we'll continue as you progress.
CARRIE: I'll start, Karim, and then get your take part of, since the announcement on June 6th, of course there's been a lot of discussion and a lot of people are writing blog posts and tweeting or posting on LinkedIn, wherever. And even Matt himself has brought up some questions during the fireside chat at WordCamp Europe and all of these questions that have surfaced and some criticisms they're helpful because that gives us the opportunity to do a better job of communicating and answering questions that we might just take for granted that people know and obviously they don't. So, I think from that standpoint, welcoming, constructive feedback and even criticism is helpful for us to know how we can communicate better in terms of the rest, I'll let you take it from there, Karim.
KARIM: No. We are, we feel very ready for it. Why? Because that's why we chose the Linux Foundation. They wouldn't allow us to do anything by the backboard room, in a quiet way. Everything's documented, everything's transparent, and out in the open. The first few months we worked in secret, because there was fear and uncertainty and doubt. There were people being blocked. There were people being threatened with their jobs, saying that, if you speak out, you're gonna lose your job. That pressure was real. That pressure was coming from one direction.
MATT: Not the band. Not the band.
CARRIE: Careful. I do have a microphone.
KARIM: But we feel very ready for that because the first questions that came up, not only with Matt's first questions on stage about DDoS attacks or regressive rollouts of plugins and all those things.
There's answers for that in our documentation. First of all. Second of all, for the questions that you put out in your quick, here's what I don't understand about FAIR post. We have answers for all of that and/or we can look into that and get you an answer. We're very proud of the fact that we have hosting companies now coming to us and saying I see where you're going and I think X, Y, and Z is gonna be a problem.
And instead of just saying that and walking away, they're starting to provide resources.
MATT: Yeah, I think one of the concerns I had as well is not to get stuck in the camp, and I think maybe people will join and contribute. I'm trying to think of a way to phrase this. So I think people will join and contribute, based on, whatever emotions or motives that they have. But I, and I think you both recognize this, but I think it should be clear that this isn't just an alternative to wordpress.org. I don't think it should be framed. This is the best choice. It should be framed as this extends in my opinion. Because if it just comes off as us versus one person or one company, then I think we just get that infighting that just never stops, yeah. And that's a big challenge. In my opinion.
KARIM: And I know you know this, but some of your listeners might not. We have publicly and privately asked wordpress.org to join us as part of the federation to become part of this so that it's not just a concept even in somebody's mind of either or. This is an evolution. This is where the project needs to go. To be able to extend itself, to be able to compete with all those other SaaS-based content management systems that are out there. So we don't see this as an either or. We see this as a please come and join us.
MATT: You mentioned something earlier, and I just wanna make sure I clarify before I move on to this final question. Could when somebody's running FAIR could they have a different core WordPress running? Like, they could have a different version of WordPress running if they're in FAIR. If you wanted to modify core WordPress. Could you, if you're running FAIR or is it just the package management plugins and themes?
KARIM: It's just for WordPress. It’s a tool for WordPress.
MATT: Okay. But just the plugins and themes.
CARRIE: Correct.
KARIM: Yeah. And up translations and a whole bunch of other little things, right Carrie?
CARRIE: Yes. So some of those additional services, like we talked about, the browser check but WordPress core is still, WordPress core is still coming from .Org, but right mirrored perhaps off of a different server.
MATT: Okay, just wanted to make sure. Alright. So the biggest concern that I have for WordPress, and this goes beyond FAIR, but the biggest issue I have is innovation. In innovating WordPress so that people want to continue to use WordPress, right? And love to use WordPress and want to use it in projects, whether you're a developer or an end user. And, if you look at Automattic and core WordPress if you look at FAIR like I, I think we're still looking at this in the bubble of where we're at today with WordPress. I wanted FAIR, and I don't mean this as a negative slight, but FAIR to me definitely made sense in 2018, 2019, 2020, 2021, like those are the years, man, where this kind of thing. Yes. Now I'm worried that, will themes and plugins even come in zip files? Is the need for distribution servers even a thing with AI in the future? I don't have the answers. I'm just looking at what I'm doing with AI and seeing everything happen going, oh my God, How much does WordPress change in package management where maybe it's not even packages anymore, you're just saying, hey, WordPress, install a contact form plugin for me and WordPress in three years ships with an LLM and it just makes HTML puts me out of a job, right? But also, like, changes the landscape of package management. Innovation, I throw that question over to see who wants to tackle that one first.
KARIM: I'll grab at the risk of sounding like I'm repeating myself right now, if we wanna innovate the existing infrastructure. We can't. It's a closed SaaS system, with FAIR, there's a repository. You can commit code, you can see how it works. You can say, Hey, I have an idea FAIR, and create an AI extension of it that you can literally speak what you want your theme or plugin or what have you to do, and I can actually submit requests directly to, I'm making something up, to the plugin creator.
All these things are possible because it's an open infrastructure, and as long as we maintain this open, transparent governance that's maintaining security and a transparent way of making decisions. We can innovate. Right now, you want to add something to wordpress.org, whether it's the website, the enterprise page, that we've been trying to, some of my folks have been trying to help create for years, or you want to change the way the plugin or theme directory works.
There's no way to contribute to that. There's no way to be part of that decision. If we could, and before this ever started, when Joost and I first published our blog posts in December, we went to Matt and said, Matt, this is a great way to move this project forward. And we still invite WordPress.org and Matt and Automattic to join us in truly making this accessible to everybody for the sake of innovation.
MATT: And I just, I do wanna push back just a bit Yeah. Because I, I think that I agree with it, it fosters innovation for having a, another place to go to distribute where you might not get through on .Org, you might get through with FAIR, or maybe you just don't wanna go to .Org and you just want to go to FAIR.
Totally makes sense. It's almost like picking two different marketplaces. I get that side of it. But on the enterprise side, we saw a pretty good presentation from Jake at 10up at PressConf and talking about the competitive landscape of enterprise. Something that you know really well.
I think, package distribution, package management is almost like a line item that says, are you SOC compliant? Yes or no? And it helps them make that decision tree in the enterprise, I think. So here's the question; Is WordPress still competing to be attractive in enterprise even after FAIR launches?
KARIM: You know what, I was starting to have this conversation with Jake and we got interrupted. One of the reasons why one of the largest entertainment companies in the world is actively going to be putting up a FAIR node is specifically because with that company we use Kubernetes and everything is containerized, including updating plugins. Do you know how resource intensive that is in the hours of developers in the hours of approvals? It actually brings down the total cost of ownership dramatically to be able to put up a node behind the firewall that says, here's the only 40 or 400 plugins that are available to my, inside the firewall, and whenever the plugin producer comes out with an update, delay it 10 days on my node so that my security team has time to look at it, and instead of then having to have every single developer that maintains the hundreds or thousands of WordPress sites we have, create packages to update those websites.
It's just part of the automatic update, the total cost of ownership calculated by hours could be hundreds of thousands of dollars of saved time a year easily. So yes, this helps the enterprise.
MATT: Fair enough. Carrie. I promise I wasn't gonna do it too much.
CARRIE: Oh, I think that was, I dunno that I have anything to add there.
MATT: Anything, just any, anything on your outlook of innovating WordPress, anything that you see as a hurdle for innovating WordPress, maybe in the face of AI or anything else?
CARRIE: I'm excited from the innovation standpoint of, and we already talked about this, but the discoverability of premium plugins alongside the free versions. And I think ultimately, that benefits the end user of being able to go to a single source and see all of the possible solutions versus a more fragmented experience that it is today. And the opportunity for, I know you have had your own software shop selling premium products, as have I. I love the idea that if I did want to pursue that again, which I don't know that I personally will, but that my product could be surfaced to millions of users versus just the handful that I have the power to outreach to as an individual. All right.
MATT: Last bonus question before we wrap. We know this is gonna take distribution. We know this is gonna take adoption. We probably need some web hosts to jump on board with this. It's gonna take, it's gonna take a community to get this thing going here. Any positive outlook, anything you can hint to with any major host announcements coming soon that's gonna start using FAIR?
KARIM: Again, we're at version 0.3 at the moment. 1.0 is our goal for really getting it widely distributed. We just decided it was time to come out from being behind the scenes and work openly and directly with the hosting companies. I'm very proud to say that more than a few of the larger hosting companies have already put their hands on code, have their engineers working on it and now maybe by the time this airs, I'll be able to say who, but we'll have at least one or two that will be literally saying that we might not have it installed yet, but we are contributing code and helping it get to a point where we would.
MATT: Fantastic stuff. Karim, Carrie, thanks for hanging out today. Thanks for sharing more about FAIR. Folks want to get started with it? They wanna start trying it out. What's the best place to go to start checking out FAIR?
CARRIE: FAIR.PM and currently that redirects to our GitHub repositories. In the future, there will be a website, which there's a working group for that if anybody wants to come, participate in standing that up. Technically. But that's the best place to go for now.
MATT: Will there be an open Slack channel soon where folks can jump in or…
CARRIE: That is on the horizon? Yes. Right now we're using GitHub discussions, which is a little bit higher barrier to entry for those that don't love using GitHub. So a Slack community is forthcoming.
KARIM: Awesome. Awesome stuff. Thanks. Thanks so much. Thanks so much for sharing folks. Go check out the website links and will be in the show notes. Thanks everybody. Thank you.