[wp-trac] [WordPress Trac] #62230: Enhanced Core, Plugin, Theme repository with GPG signature based authentication for packages
WordPress Trac
noreply at wordpress.org
Tue Oct 15 17:31:05 UTC 2024
#62230: Enhanced Core, Plugin, Theme repository with GPG signature based
authentication for packages
-----------------------------+-----------------------------
Reporter: joellisenby | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: critical | Keywords:
Focuses: |
-----------------------------+-----------------------------
Currently, WordPress.org seems to be the singular mirror for WordPress
core, theme and plugins. My suggestion is to give users the open freedom
to choose whichever core/theme/plugin repository mirrors they would like
to use. The API is already standardized but currently WordPress.org is the
sole mirror included in the project.

I propose we make it a General setting where you can enter a custom mirror
address alongside a drop-down with a curated list the same way it is done
with Linux distros. E.g. https://www.debian.org/mirror/list

Standardizing it to use a git-repo-based fetch system that pulls plugin or
theme files from the mirrors. Checking package authenticity using GPG
encryption, the same way apt does it for Debian packages.
https://www.debian.org/doc/manuals/aptitude/ch02s02s05.en.html

With this, WordPress core would need
- GPG signature library, with ability to add/remove trusted signatures
- Mirror management settings panel with list of mirrors included, and
  ability to add/remove mirrors.

This will also help ensure that core, themes and plugins are authenticated
once implemented. Is it possible? Any thoughts?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62230>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
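
The trust chain the ticket asks for, sketched as an added example that is not part of the ticket and is not WordPress code: a publisher signs an index of package hashes, and the site checks that signature against a locally managed trusted-key list before accepting an archive from any mirror. It assumes PHP's bundled libsodium Ed25519 detached signatures as a stand-in for GPG; the function names, key label, index layout and package bytes are all constructed for illustration.

```php
<?php
// Added example: apt-style verification with Ed25519 (libsodium) standing in for GPG.
// Function names, the index layout and all sample data are constructed.

/** Return the parsed index only if some trusted key made the detached signature. */
function verify_index(string $indexJson, string $sig, array $trustedKeys): array {
    foreach ($trustedKeys as $publicKey) {
        if (sodium_crypto_sign_verify_detached($sig, $indexJson, $publicKey)) {
            return json_decode($indexJson, true, 8, JSON_THROW_ON_ERROR);
        }
    }
    throw new RuntimeException('index signature not made by any trusted key');
}

/** Accept an archive from a mirror only if its SHA-256 matches the signed index. */
function verify_package(string $slug, string $bytes, array $index): bool {
    if (!isset($index['packages'][$slug]['sha256'])) {
        return false; // not listed in the signed index
    }
    return hash_equals($index['packages'][$slug]['sha256'], hash('sha256', $bytes));
}

// Publisher side (constructed): sign an index that lists each package hash.
$publisher = sodium_crypto_sign_keypair();
$zip       = 'constructed plugin archive bytes';
$indexJson = json_encode(['packages' => ['example-plugin' => [
    'version' => '1.0.0', 'sha256' => hash('sha256', $zip)]]]);
$sig = sodium_crypto_sign_detached($indexJson, sodium_crypto_sign_secretkey($publisher));

// Site side: the trusted-key list is local configuration; mirrors are untrusted.
$trusted = ['publisher-2024' => sodium_crypto_sign_publickey($publisher)];

$index = verify_index($indexJson, $sig, $trusted);
var_dump(verify_package('example-plugin', $zip, $index));               // unmodified archive
var_dump(verify_package('example-plugin', $zip . ' tampered', $index)); // modified by a mirror

// A mirror that rewrites the index to match its modified archive breaks the signature.
$forged = str_replace(hash('sha256', $zip), hash('sha256', $zip . ' tampered'), $indexJson);
try {
    verify_index($forged, $sig, $trusted);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Removing a key from the trusted list rejects everything that key signed.
try {
    verify_index($indexJson, $sig, []);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because only the index is signed and each archive is checked by hash, the mirror never needs to hold a signing key, which is what makes user-added mirrors safe to list.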