Opened 7 weeks ago
Last modified 7 weeks ago
#62230 new enhancement
Enhanced Core, Plugin, Theme repository with GPG signature based authentication for packages
Reported by: | joellisenby | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | critical | Version: | |
Component: | Upgrade/Install | Keywords: | |
Focuses: | | Cc: | |
Description
Currently, WordPress.org seems to be the singular mirror for WordPress core, themes and plugins. My suggestion is to give users the open freedom to choose whichever core/theme/plugin repository mirrors they would like to use. The API is already standardized, but currently WordPress.org is the sole mirror included in the project.
I propose we make it a General setting where you can enter a custom mirror address alongside a drop-down with a curated list, the same way it is done with Linux distros. E.g. https://www.debian.org/mirror/list
Standardizing it to use a git-repo-based fetch system that pulls plugin or theme files from the mirrors. Checking package authenticity using GPG encryption, the same way apt does it for Debian packages. https://www.debian.org/doc/manuals/aptitude/ch02s02s05.en.html
With this, WordPress core would need:
- A GPG signature library, with the ability to add/remove trusted signatures
- A mirror management settings panel with a list of mirrors included, and the ability to add/remove mirrors.
This will also help ensure that core, themes and plugins are authenticated once implemented. Is it possible? Any thoughts?
WordPress bundles a libsodium polyfill. Perhaps it's time to put it into some use.
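
The trusted-key list and package authenticity check requested in the description, written against the libsodium functions the last comment points to. This is an added example, not WordPress core code and not part of the ticket: it substitutes Ed25519 detached signatures for GPG, and the `TrustedKeyring` class, the key-id scheme and the sample data are hypothetical.

```php
<?php
// Added example: hypothetical TrustedKeyring class, not WordPress core code.
final class TrustedKeyring {
    /** @var array<string,string> key id => raw Ed25519 public key */
    private array $keys = [];

    /** Trust a signer; returns a short id derived from the key itself. */
    public function add(string $publicKey): string {
        if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            throw new InvalidArgumentException('not an Ed25519 public key');
        }
        $id = substr(sodium_bin2hex(sodium_crypto_generichash($publicKey)), 0, 16);
        $this->keys[$id] = $publicKey;
        return $id;
    }

    /** Stop trusting a signer. */
    public function remove(string $id): void {
        unset($this->keys[$id]);
    }

    /** Returns the id of the trusted key that signed $package, or null. */
    public function verify(string $package, string $signature): ?string {
        if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
            return null; // malformed signature: reject instead of throwing
        }
        foreach ($this->keys as $id => $publicKey) {
            if (sodium_crypto_sign_verify_detached($signature, $package, $publicKey)) {
                return $id;
            }
        }
        return null;
    }
}

// Constructed sample data: a throwaway signing key and a fake package body.
$signer  = sodium_crypto_sign_keypair();
$package = "constructed plugin archive bytes";
$sig     = sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($signer));

$ring = new TrustedKeyring();
$id   = $ring->add(sodium_crypto_sign_publickey($signer));

var_dump($ring->verify($package, $sig) === $id);           // same bytes, whichever mirror served them
var_dump($ring->verify($package . "\x00", $sig) === null); // archive altered after signing
$ring->remove($id);
var_dump($ring->verify($package, $sig) === null);          // signer no longer trusted
```

Because the signature covers the package bytes and trust is anchored in the key list, the mirror that served the file does not need to be trusted for integrity.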