Frequently Asked Questions
For both AspirePress and FAIR, a number of questions have been surfacing since the initial launch announcement, and some of the speculation about both has been incorrect and potentially damaging. In this FAQ, we’d like to set the record straight on a few points and address some of the common — and perfectly natural and prudent — questions about how federation works and how AspirePress and FAIR are implementing it.
Whether you’re a developer, host, or power user, this guide will help address some of your questions. If you’re a blogger, content creator, or journalist, we welcome and encourage your inquiries for fact-checking purposes, should you have any unaddressed questions. Bear in mind that some answers may not yet be complete, as much is still in draft form while both FAIR and AspirePress continue to welcome input to help shape our implementation of a federated model of package distribution and its moderation.
Further detailed FAQ responses are provided by FAIR, and we recommend consulting that list if your question has not been addressed here or if you would like additional information.
How do plugin reviews and ratings work in a decentralized system?
Currently, AspirePress displays reviews and ratings directly from WordPress.org. No comprehensive alternative review system is active at this time. We recognize that online reviews are inherently flawed and can be “gamed”. If a new system is to be imagined, we feel it should improve upon the reliability of its data, not simply duplicate the old one.
In addition, we are exploring possibilities like a federated review-sharing model between aggregators, tools and protocols to verify reviewer authenticity, and other iterative improvements that aim to go beyond what the centralized model offers.
In a federated package management system, reviews could actually be supplied by independent third parties. Users or aggregators may then choose which review sources to trust and subscribe directly to those.
What About Telemetry and Analytics? Will installation statistics be inaccurate now?
Telemetry is necessary to understand plugin usage, but it must respect user privacy. The exchange of some data is necessary to function: for example, basic plugin update checks inherently send information to us (e.g. which plugins might need updating). This data is used for usage stats and other information helpful to the package maintainers. All telemetry collected in this manner is anonymized and aggregated, and no identifiable site data is stored, so it cannot be used for tracking.
Since some large hosting companies already maintain mirrors of the WordPress plugin repository, we already have inaccuracies in the statistics available. Moreover, not all information collected is currently made public.
Within the FAIR network, we will be able to standardize data-sharing and aggregation of any collected telemetry between repositories and aggregators, leading to more accurate and trustworthy statistics. Freely available within the network, this information can all be shared transparently. Since the FAIR project falls under the Linux Foundation’s oversight, telemetry we collect must be in accordance with the Linux Foundation’s Telemetry Data Collection and Usage Policy.
How do I report a bad actor?
FAIR’s moderation guidelines are currently in draft form and will be published soon for general review. These guidelines outline the responsibilities of repository and aggregator operators, and include mechanisms for reporting and labeling packages as well as an appeals process. FAIR will operate a labeling service, and within the federated network, others may also operate labeling services that users may optionally subscribe to. These services will be capable of tagging packages as being insecure, having verified authors, and other similar information to help users assess the trustworthiness of packages they may wish to install.
What are the standards for listing a plugin or theme?
Standards for listing a package may vary from one Repository or Aggregator to another. FAIR has created a “Mini-FAIR” plugin to help package authors serve their package repository to Aggregators. There is no guarantee that an Aggregator or Repository will list or host the package, as they are not required to index or host specific packages or Repositories. The forthcoming FAIR Moderation Guidelines specify minimum standards that federated Aggregators and Repositories must meet for packages they index or host. Within those guidelines, either may set their own policies concerning packages they will host or repositories they will index.
How is AspirePress (or FAIR) infrastructure funded?
We have seen reports that our (or FAIR’s) infrastructure is funded by Bluehost or by Newfold Digital (which owns Bluehost), or perhaps other speculation. This is false — to date (June 2025), our infrastructure has been sponsored by various project participants, provided as in-kind contributions, or in the case of FAIR, made available through the Linux Foundation. Fastly provides CDN services at no cost to the project. As the need for more infrastructure ramps up, it is our intention to seek sponsorship to fund it.
Project motivation: why are you doing this, really?
We stand by the public statements we’ve made on this topic: the aim of federated repositories is to build a more secure and robust decentralized supply chain for WordPress. AspirePress and FAIR share this primary objective, but are building distribution infrastructure that could be used for any digital package distribution, not just WordPress plugins and themes.
Some have speculated that FAIR (or AspirePress) wants to divide the community, to make a profit, or to take control of the WordPress project or ecosystem. This is untrue. AspirePress and FAIR are providing the tools to achieve a federated distribution model, and releasing them as free software (typically under GPL or MIT Licenses) to enable anyone to create federated repositories or aggregators. As such, the network can be fully decentralized, without centralized control. In this context, FAIR will take an advisory rather than regulatory role, providing guidelines on how participants can establish and maintain trust between them.
By submitting itself to the governance structure of the Linux Foundation, FAIR is limited in what it can and cannot do, and how. This is done intentionally to invite third-party oversight, including application of the Linux Foundation’s policies, specifically including its Antitrust Policy.
As an aside, we note that the motivations of others are impossible to know with any degree of certainty, unless explicitly stated. Alternate assertions are largely speculative, and in all cases, we would caution against engaging in this type of speculation or accepting anyone else’s conclusions.
Final Note
Many valid questions and concerns about decentralized federated models are being raised, and the vast majority of those have been considered and have either been addressed or have discussions, policy drafts, or software in active development to address them. Naturally, not all of these are covered here.
If your question or concern has not been adequately addressed, please reach out. Similarly, if you’ve seen conflicting information or wish to fact-check anything, please get in touch with us.