Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#62230 new enhancement

Enhanced Core, Plugin, Theme repository with GPG signature based authentication for packages

Reported by: joellisenby
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: critical
Version:
Component: Upgrade/Install
Keywords:
Focuses:
Cc:

Description

Currently, WordPress.org seems to be the singular mirror for WordPress core, themes and plugins. My suggestion is to give users the open freedom to choose whichever core/theme/plugin repository mirrors they would like to use. The API is already standardized but currently WordPress.org is the sole mirror included in the project.

I propose we make it a General setting where you can enter a custom mirror address alongside a drop down with a curated list the same way it is done with Linux distros. E.g. https://www.debian.org/mirror/list

Standardizing it to use a git repo based fetch system that pulls plugin or theme files from the mirrors. Checking package authenticity using GPG encryption, the same way apt does it for Debian packages. https://www.debian.org/doc/manuals/aptitude/ch02s02s05.en.html

With this, WordPress core would need

  • GPG signature library, with ability to add/remove trusted signatures
  • Mirror management settings panel with list of mirrors included, and ability to add/remove mirrors.

This will also help ensure that core, themes and plugins are authenticated once implemented. Is it possible? Any thoughts?

Change History (1)

#1 @ayeshrajans
7 weeks ago

WordPress bundles a libsodium polyfill. Perhaps it's time to put it to some use.
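An added example, not code from the ticket or from WordPress core: a minimal sketch of the trusted-key check the description asks for, using Ed25519 detached signatures through PHP's `sodium_*` functions (the direction comment #1 points at) in place of GPG. The class name `TrustedKeyring`, its methods, and the package bytes are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical helper (not a WordPress API): a set of trusted Ed25519 public
// keys that can be added to or removed from, plus a package check against it.
final class TrustedKeyring {
    /** @var array<string,string> key id (hex) => raw public key */
    private array $keys = [];

    public function add(string $publicKey): string {
        if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            throw new InvalidArgumentException('not an Ed25519 public key');
        }
        // Short, stable id derived from the key itself (BLAKE2b, 16 bytes).
        $id = sodium_bin2hex(sodium_crypto_generichash($publicKey, '', 16));
        $this->keys[$id] = $publicKey;
        return $id;
    }

    public function remove(string $id): void {
        unset($this->keys[$id]);
    }

    /** Returns the id of the trusted key that signed $package, or null. */
    public function verify(string $package, string $signature): ?string {
        // A wrong-length signature makes the sodium call throw, so reject it here.
        if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
            return null;
        }
        foreach ($this->keys as $id => $publicKey) {
            if (sodium_crypto_sign_verify_detached($signature, $package, $publicKey)) {
                return $id;
            }
        }
        return null; // signed by nobody we trust: the installer must refuse it
    }
}

// Constructed demo data: the publisher key pair and archive bytes are made up here.
$publisher = sodium_crypto_sign_keypair();
$package   = 'constructed plugin archive bytes';
$signature = sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($publisher));

$keyring = new TrustedKeyring();
$id = $keyring->add(sodium_crypto_sign_publickey($publisher));

// Case 1: archive fetched unchanged from any mirror.
var_dump($keyring->verify($package, $signature) === $id);
// Case 2: a mirror (or the network path) altered one byte of the archive.
var_dump($keyring->verify($package . "\x00", $signature));
// Case 3: the publisher key has been removed from the trusted set.
$keyring->remove($id);
var_dump($keyring->verify($package, $signature));
```

Because the signature is checked against locally trusted keys, the result does not depend on which mirror served the file.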
