WordCamp Canada 2025 Recap

A few months ago, I was invited to present a talk at WordCamp Canada 2025. The organizing committee was particularly interested in a project I’ve been working on with AspirePress and FAIR (Federated And Independent Repositories) to establish a new supply chain for WordPress software extensions. The current system is dated and needs a lower-risk, more secure approach that will be ready for the Cyber Resilience Act (CRA) coming into phased effect in the EU. The CRA will have global implications, and preparing for it needs special attention. The work we’re doing in the open source AspirePress and FAIR project works toward all of these goals with a federated model that decentralizes the hosting of software packages.

WordCamp Canada abbreviates itself as WCEH: “WC, eh?” Held in Ottawa in mid-October, the conference featured a town hall session with WordPress co-founder Matt Mullenweg as well as keynote speakers Evan Prodromou and Dave Winer. Prodromou has done extensive work on federation for the open web, including work with the W3C on ActivityPub and advocating for open standards for the social web. Winer essentially invented both blogging and podcasting, along with many other contributions to Internet culture and technology, including RSS and XML-RPC. (See Wikipedia: Dave Winer and Scripting News, where he’s been blogging since 1994.)

I was fortunate to be able to have a number of good conversations not only with Dave, but with many people in the WordPress community from around the world (Europe, Australia, Brazil, and the USA, as well as across most of Canada). Some of these are people whose work and reputations I’ve known for a long time, others were new to me, and still others are people I’ve been working with or have known online but not met in person before.

My Talk on Managing Software Supply Chain Risk

My talk was the last of the day, and unfortunately the talk before me ran overtime, giving us a late start with a tightly-managed stop time. I used my allotted time, but was rushed to cut it short at the end, so I wasn’t feeling great about the talk until I started getting feedback from others who convinced me that I’d gotten my message across effectively.

The talk outline was roughly as follows:

  • (Intro)
  • Risk management concepts, including single-vendor risk, and risk mitigation concepts, including spread of risk.
  • The software supply chain: typical diagram with attack vectors and example types of attack.
  • Uncertainty in the WordPress supply chain & other centralized supply chain risks.
  • Securing the supply chain: differences in the WordPress supply chain, with added risk.
  • Where the WordPress supply chain model came from: a product of the early 2000s.
  • Time for change: the approach of the AspirePress & FAIR Projects toward independence, decentralization, and federation.
  • Securing the WordPress supply chain: closer to the typical model, updated with changes for increased security in a federated model.
  • How the FAIR protocol and architecture works.
  • Package labelling, decentralized digital trust, and the (draft) FAIR trust model.
  • Four reasons why the future will be federated.

I’ve made PDF versions of my slide deck available so you can get a more detailed overview of the talk, as I believe its topic is an extremely important one for the future of WordPress.

Other WCEH 2025 Event Recaps

by Brent Toderash