Comment by chuckadams
10 hours ago
Package advisories are seen as a content moderation issue: repositories and clients will be able to subscribe to one or more streams of digitally signed "labels" that can be interpreted by a policy mechanism that can render a verdict anywhere from "show this warning" to "do not install" to "remove immediately". The architecture is based on the system used by BlueSky: https://docs.bsky.app/blog/blueskys-moderation-architecture.
It's also not implemented yet: the initial release of the FAIR package manager is aimed at the package distribution parts, both mirroring the themes/plugins on wordpress.org and using W3C DIDs on BlueSky's PLC server as an indirection in front of raw URLs for hand-curated packages not hosted on .org, such as the FAIR client and server plugins themselves.
My own role in FAIR is a lot simpler, and it's maintaining AspireCloud, the project from AspirePress (now a working group of FAIR) that implements enough of api.wordpress.org to enable a searchable mirror of all its downloadable assets. AC is usable on its own without the FAIR ecosystem, but also makes up a good chunk of it while things are getting bootstrapped. So while I have a pretty good grasp of the planned architecture, I'm still not the best person to give the details. There's a public Slack server on https://chat.fair.pm, which is still the best place to go for answers, and discussion boards on GitHub for less synchronous discussion (though the problem with GH is there are so many repos it's hard to find the right one).
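As an added illustration of the label-stream model the comment describes (my own sketch, not FAIR's or Bluesky's code): a client verifies labels from the issuers it subscribes to, honours retractions, and folds everything into the strictest verdict. The label fields, the DIDs and package ids, the policy table, and the HMAC stand-in for a real digital signature are all assumptions.

```python
import hashlib, hmac, json

# Verdicts from least to most severe; the strictest one across all labels wins.
VERDICTS = ["allow", "warn", "block", "remove"]
SIGNED = ("src", "subject", "val", "neg", "cts")  # assumed label fields, Bluesky-style

def canonical(label):
    # Deterministic encoding of the signed fields so signer and verifier agree.
    return json.dumps({k: label[k] for k in SIGNED}, sort_keys=True).encode()

def sign(label, key):
    # Stand-in for a real digital signature: HMAC-SHA256 under the issuer's key.
    return hmac.new(key, canonical(label), hashlib.sha256).hexdigest()

def verified(stream, issuer_keys):
    # Keep only labels from a subscribed issuer whose signature checks out.
    return [lab for lab in stream if lab["src"] in issuer_keys and
            hmac.compare_digest(sign(lab, issuer_keys[lab["src"]]), lab.get("sig", ""))]

def verdict(package, streams, issuer_keys, policy):
    # Apply labels in timestamp order; neg=True retracts that issuer's earlier label
    # of the same value. Policy maps issuer -> value -> verdict; an unmapped value
    # from a trusted issuer still earns a warning rather than being ignored.
    labels = [lab for s in streams for lab in verified(s, issuer_keys)
              if lab["subject"] == package]
    active = {}
    for lab in sorted(labels, key=lambda x: x["cts"]):
        key = (lab["src"], lab["val"])
        if lab["neg"]:
            active.pop(key, None)
        else:
            active[key] = lab
    worst = "allow"
    for src, val in active:
        worst = max(worst, policy.get(src, {}).get(val, "warn"), key=VERDICTS.index)
    return worst

# Constructed sample: two subscribed issuers, a retraction, and a forged label.
KEYS = {"did:example:scanner": b"scanner-key", "did:example:curator": b"curator-key"}
POLICY = {"did:example:scanner": {"malware": "remove", "vuln": "block"},
          "did:example:curator": {"abandoned": "warn"}}
def label(src, subject, val, cts, neg=False, key=None):
    lab = {"src": src, "subject": subject, "val": val, "neg": neg, "cts": cts}
    lab["sig"] = sign(lab, KEYS[src] if key is None else key)
    return lab
STREAMS = [[label("did:example:scanner", "pkg:wp/foo", "vuln", 1),
            label("did:example:scanner", "pkg:wp/foo", "vuln", 2, neg=True),         # retracted
            label("did:example:scanner", "pkg:wp/bar", "malware", 3, key=b"forged"),  # bad sig
            label("did:example:scanner", "pkg:wp/bar", "vuln", 4),
            label("did:example:scanner", "pkg:wp/baz", "malware", 5)],
           [label("did:example:curator", "pkg:wp/foo", "abandoned", 6)]]
```

With the sample streams, `verdict(...)` yields warn for pkg:wp/foo (the vuln label was retracted), block for pkg:wp/bar (the forged malware label is discarded), remove for pkg:wp/baz, and allow for an unlabelled package.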