The WordPress ecosystem powers more than 40% of the web, yet its package management infrastructure has long been centralized, opaque, and fragile. A single point of control—WordPress.org—has left developers, hosts, and enterprises exposed to governance disputes and supply chain vulnerabilities. At the Open Source Summit, Karim Marucchi, CEO at Crowd Favorite, and Joost de Valk, Partner at Emilia Capital, introduced the FAIR Package Manager, a project designed to address these issues with open governance and federated repositories.
From Friction to Federation
As de Valk explained, WordPress’ historic reliance on wordpress.org became a liability when large hosts were abruptly cut off, blocking customers from receiving updates. “We all began saying, ‘Hey, we need other solutions—this is an entirely unsafe ecosystem to invest in,’” he said. FAIR—short for Federated and Independent Repositories—creates a distributed network of mirrors that can route around failures, ensuring resilience while enabling a commercial ecosystem beyond wordpress.org.
For enterprises, the need is immediate. Marucchi recalled clients asking, “How can we trust an open source project that can just decide to replace code? It’s a supply chain security nightmare.” FAIR's answer is to build in code signing, publisher identifiers based on the AT Protocol's decentralized identifiers (DIDs), and moderation layers, so that the origin and integrity of a package can be checked rather than assumed.
Linux Foundation and Enterprise Readiness
The project is not going it alone. With governance under the Linux Foundation, FAIR is tapping into proven open source structures and inviting hosting providers, enterprises, and developers to participate. Already, major hosts are testing the MVP, and the roadmap includes a 1.0 release by the end of summer.
This governance-first approach is key, Marucchi emphasized: “Imagine five major hosting companies running nodes. If one goes offline or becomes untrusted, the others ensure continuity. That’s checks and balances.”
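The two ideas above, signed packages tied to a DID-based publisher identity and a set of independent nodes where an offline or untrusted one does not block the rest, combine into one client-side check. The following is an added example in Go, not FAIR's own code or protocol: the manifest fields, the did:key derivation, the mirror interface, the package name "acme/seo-plugin" and the three constructed mirrors (one offline, one serving a backdoored artifact under a genuine signed manifest, one honest) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Manifest is the publisher-signed description of one release. The field set is
// a hypothetical stand-in; the article does not describe FAIR's real schema.
type Manifest struct{ Name, Version, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n") }

// Release is what a mirror hands back; a Mirror is one federated node whose
// Fetch returns an error when the node is offline.
type Release struct{ Manifest Manifest; Signature, Artifact []byte }
type Mirror struct{ Name string; Fetch func(name, version string) (Release, error) }

const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58 encodes a big-endian integer in Bitcoin-style base58 (no leading-zero
// handling needed: the did:key payload below always starts with 0xed).
func base58(b []byte) string {
	n, radix, mod := new(big.Int).SetBytes(b), big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, radix, mod)
		out = append([]byte{b58[mod.Int64()]}, out...)
	}
	return string(out)
}

// DIDKey derives a did:key identifier from an Ed25519 public key: multicodec
// prefix 0xed01, base58btc, multibase marker 'z', so every such DID starts with
// "did:key:z6Mk". Which DID method FAIR itself uses is an assumption here.
func DIDKey(pub ed25519.PublicKey) string {
	return "did:key:z" + base58(append([]byte{0xed, 0x01}, pub...))
}

// Sign builds the signed release a publisher would push to the network.
func Sign(priv ed25519.PrivateKey, name, version string, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	m := Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return Release{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Artifact: artifact}
}

// Verify trusts only the pinned publisher key, never the mirror: the manifest
// must name the requested release (no version substitution), carry a valid
// signature, and match the artifact that was actually delivered.
func Verify(pub ed25519.PublicKey, name, version string, r Release) error {
	if r.Manifest.Name != name || r.Manifest.Version != version {
		return errors.New("manifest does not describe the requested release")
	}
	if !ed25519.Verify(pub, r.Manifest.bytes(), r.Signature) {
		return errors.New("bad manifest signature")
	}
	if sum := sha256.Sum256(r.Artifact); hex.EncodeToString(sum[:]) != r.Manifest.SHA256 {
		return errors.New("artifact hash does not match signed manifest")
	}
	return nil
}

// Install returns the first release that verifies and the mirror that served it;
// offline or tampering nodes are skipped rather than trusted.
func Install(pub ed25519.PublicKey, mirrors []Mirror, name, version string) (Release, string, error) {
	for _, m := range mirrors {
		if r, err := m.Fetch(name, version); err == nil && Verify(pub, name, version, r) == nil {
			return r, m.Name, nil
		}
	}
	return Release{}, "", fmt.Errorf("no mirror served a verifiable %s %s", name, version)
}

// Scenario is a constructed three-node network: host-a is offline, host-b serves
// a backdoored artifact under the genuine signed manifest, host-c is honest.
func Scenario() (ed25519.PublicKey, []Mirror) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Sign(priv, "acme/seo-plugin", "1.4.2", []byte("<?php // genuine plugin code"))
	bad := good
	bad.Artifact = []byte("<?php // genuine plugin code plus a backdoor")
	return pub, []Mirror{
		{"host-a", func(string, string) (Release, error) { return Release{}, errors.New("connection refused") }},
		{"host-b", func(string, string) (Release, error) { return bad, nil }},
		{"host-c", func(string, string) (Release, error) { return good, nil }},
	}
}

func main() {
	pub, mirrors := Scenario()
	r, from, err := Install(pub, mirrors, "acme/seo-plugin", "1.4.2")
	fmt.Println("publisher:", DIDKey(pub), "| got", r.Manifest, "from", from, "| err:", err)
}
```

The trust anchor is the publisher key (or the DID that resolves to it), never the node that answered, which is what allows a compromised or offline host to be routed around instead of relied on. A production client would also need key rotation and revocation through the DID document and a freshness signal against rollback, neither of which this sketch covers.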
Beyond WordPress
While FAIR is born in the WordPress ecosystem, its implications are broader. De Valk noted that its federated protocol and DID-based code signing “could actually be used for more projects, because this is a technical advancement other CMSs or systems could adopt.”
Looking ahead, the FAIR team is positioning the project not just as a stopgap, but as a foundation for compliance with evolving global regulations like the EU’s Cyber Resilience Act. “Without FAIR, WordPress is an existential threat to itself,” de Valk said. “With FAIR, we fix that.”