Publishing and distributing first-party packages for WordPress
Yesterday, the WordPress.org team started a long-term supply chain attack against Advanced Custom Fields (ACF). This involved effectively forking the project, repackaging it as Secure Custom Fields (SCF), and deploying it under the original slug, which led to thousands of users being updated to SCF without notification and without the ability to choose whether they wanted SCF.
This is an unfortunate abuse of authority, and it only continues to highlight the significant vulnerability the community faces with WordPress.org being the single point of failure for WordPress asset distribution.
Announcing first-party plugin distribution
Today, I’m announcing that we are prepared to accept applications for first-party package distribution in the AspireCloud mirror that we are currently building.
Theme and plugin developers will be able to apply for us to mirror their work as a first-party package, rather than having it updated from WordPress.org’s repository. Any plugin or theme developer who elects to be hosted first-party will need to supply us with new releases of their product directly, and we will update our database accordingly. We will no longer treat the WordPress.org repository as canonical for that theme or plugin.
Additional security safeguards
Additionally, we will be instituting safeguards to ensure that plugins that are closed or removed from WordPress.org’s repository are reviewed by a team member before we distribute that version to end users. This process is still in development, but it is necessary to ensure the safety and security of mirror users.
If you are a plugin or theme developer, you can apply for us to host your theme or plugin first-party here. We’ll need to verify your identity and ownership of the component before we can host it first-party, and methodologies are being developed. However, we can assure you that we will be happy to serve as a distribution point for your plugin or theme.
One more thing…
When AspireCloud launches, we will be launching with Advanced Custom Fields restored to its original, pre-takeover condition in our repository. We will continue to encourage collaboration with WP Engine and ACF to receive updates of the plugin, and we encourage users who depend on ACF to switch to AspireCloud when it becomes generally available to ensure they receive genuine software.
This action does not imply partnership with WP Engine, and does not mean that WP Engine endorses or supports the AspirePress project. Rather, it is a reflection that a) we can authenticate plugin ownership of ACF through the publicly available ACF channels and b) we are aware of the latest versions of ACF that were present in the repository prior to the takeover.
We encourage someone from WP Engine and ACF to reach out to us directly to learn more about first-party support on AspireCloud.
This is an excellent initiative, guys! And I’m super relieved and excited to see it come to life! Good luck!
As much as I admire your initiative, I fear Matt’s wrath will fall upon you and any plugins that choose to be distributed here. Please make sure you have permission, see https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#3-a-stable-version-of-a-plugin-must-be-available-from-its-wordpress-plugin-directory-page
Anyone who does not want their plugin distributed through the mirror is entitled to say so. We don’t want to be a package repository for anyone that doesn’t want to be here.
The GPL nature of the code means we’re allowed to distribute these plugins, but we also understand some folks won’t want that, and we honor those preferences.