
Comment by spankalee

15 hours ago

I really wish that the FAIR package manager project had been successful, but they recently gave up after the WordPress drama died down.

https://fair.pm/

FAIR has a very interesting architecture, inspired by atproto, that I think has the potential to mitigate some of the supply-chain attacks we've seen recently.

In FAIR, there's no central package repository. Anyone can run one, like an atproto PDS. Packages have DIDs, routable across all repositories. There are aggregators that provide search, front-ends, etc. And like Bluesky, there are "labelers", separate from repositories and front-ends. So organizations like Socket, etc. can label packages with their analysis in a first-class way, visible to the whole ecosystem.

So you could set up your installer to ban packages flagged by Socket, or ones that were recently published by a new DID, etc. You could run your own labeler with AI security analysis on the packages you care about. A specific community could build their own lint rules and label based on that (like e18e in the npm ecosystem).

Not perfect, but far better than centralized package managers that only get the features their owner decides to pay for.
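As an added illustration of the installer-side policy described in this comment (not FAIR's own code, schema or API), the following models labels as records issued by labeler DIDs about package DIDs, and an installer policy that refuses packages carrying blocked labels from labelers it trusts, or whose publisher identity is too new. All DIDs and records are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, hypothetical records shaped after the thread's description of
# FAIR/atproto-style labels; not FAIR's real schema, API or DID format.

@dataclass(frozen=True)
class Label:
    labeler: str   # DID of the labeler that issued this label
    subject: str   # DID of the package the label is about
    value: str     # e.g. "malware", "obfuscated-code"

@dataclass(frozen=True)
class Package:
    did: str
    publisher: str             # DID of the publishing identity
    publisher_first_seen: date

@dataclass(frozen=True)
class InstallPolicy:
    trusted_labelers: frozenset  # only these labelers' labels are consulted
    blocked_values: frozenset    # label values that refuse installation
    min_publisher_age_days: int  # refuse publishers newer than this

def evaluate(policy, pkg, labels, today):
    """Return the reasons to refuse installing pkg; an empty list means allowed.
    Labels may arrive from any repository or aggregator, so the installer
    ignores labelers it has not chosen to trust rather than acting on them."""
    reasons = []
    for lab in labels:
        if lab.subject != pkg.did or lab.labeler not in policy.trusted_labelers:
            continue
        if lab.value in policy.blocked_values:
            reasons.append(f"{lab.labeler} labelled it {lab.value!r}")
    age = (today - pkg.publisher_first_seen).days
    if age < policy.min_publisher_age_days:
        reasons.append(f"publisher {pkg.publisher} first seen only {age} days ago")
    return reasons

# Constructed sample data: one trusted label, one from an unknown labeler,
# one about a different package. Only the first should count.
POLICY = InstallPolicy(frozenset({"did:example:socket", "did:example:mine"}),
                       frozenset({"malware", "obfuscated-code"}), 30)
PKG = Package("did:example:pkg-a", "did:example:alice", date(2025, 1, 1))
LABELS = [
    Label("did:example:socket", "did:example:pkg-a", "obfuscated-code"),
    Label("did:example:unknown", "did:example:pkg-a", "malware"),
    Label("did:example:socket", "did:example:pkg-b", "malware"),
]
TODAY = date(2025, 6, 1)  # constructed "now" for the sample
```

Swapping the policy's trusted labeler set is the whole of "switching labelers"; the label records themselves need no change.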

We didn’t give up! We’ve pivoted efforts - focussing more on the technical part of the project, and expanding into other ecosystems. We’re currently working with the Typo3 community to bring FAIR there, as well as expanding further.

(AMA, I’m a co-chair and wrote much of the core protocol.)

For WordPress plugins and Chrome/Firefox extensions, the most common channel of attack is -- the developer just sold the plugin for money.

They sold the developer key, the domain name, the organization or whatever needed to publish that plugin as updates.

That would be a really interesting platform for an npm alternative. I think the incentives are a little better aligned than in the WordPress ecosystem, but maybe not enough.

Assuming that the majority of repositories will be malware with SEO hooks, how would one locate a safe directory using only a search engine (as opposed to whispered tips from coworkers, etc)? I don’t see how proliferation of repositories improves things for users. (Certainly, it does serve up the usual freedom-from-regulation dreams on a silver platter, but that’s value-neutral from a usability perspective.)

  • The aggregators can choose who to index, and we operate one at fair.pm - the idea being that you only federate repositories that meet requirements, and can defederate those which are bad actors. (End users can install directly from repositories though, and can always switch the aggregator if they find the rules too restrictive - no lock-in.)

    • What aggregators? How would I locate fair.fm? Is there a Whole Earth Guide to Repositories that's human-curated? What are the published malware incidence and non-response rates for each repository?

Is FAIR wordpress-only?

  • Currently the reference implementation is for WordPress, but we’re working to bring it to Typo3 and other software at the moment too. The protocol is comprised of a core plus per-software extensions when needed.

    • I see. Are there other similar projects for other ecosystems? I guess more broadly I'm intrigued by the idea of the decentralized supply chain concept; the way you described it, it sounds like it is more broadly applicable.