Onwards, to the next era of the @fair.pm project: journal.rmccue.io/492/the-next...
26.02.2026 19:54
π 1
π 1
π¬ 0
π 0
Onwards, to the next era of the @fair.pm project: journal.rmccue.io/492/the-next...
For a handy UI to trigger it, Amphetamine works pretty well.
For those of you who are old enough to remember this was similar to how the Panama Papers were leaked (a free plugin with a compromised script).
Also @rmccue.io got it bang on the nose + www.altis-dxp.com/did-the-uk-b...
Compatibility with existing systems can be a concern - eg the OBR might still have had this problem due to the Download Manager plugin. Really wants to happen in core. (Compatibility not so much an issue for us.)
Yeah, although then you lose the ability to easily browse your files. A suffix on the filename would work too - I think we should definitely consider it in core, given thereβs been multiple big leaks this year from it.
This is also an issue that happens with other CMSes too, but usually theyβre slightly better protected. And of course, itβs possible to fix it for WordPress - we do on @altis.cloud :)
We could potentially build random IDs into uploaded files, which would be better than nothing.
Did the UK budget leak because of WordPressβ upload handling? I think so: www.altis-dxp.com/did-the-uk-b...
I found out more over the last year as we worked on FAIR, but I also found out more specifically this week, when I was building a Glossary plugin for WordPress we needed for the FAIR website.
progressplanner.com/catch-up-to-...
Photo of DrupalCamp Scotland stage, showing multiple presenters along with the DrupalCamp Scotland logo, a stylised highland cow superimposed on the Drupal drop logo.
Hello from DrupalCamp Scotland!
p.s. you can find my slides at speakerdeck.com/rmccue/whats...
My talk on @fair.pm from @loopconf.com is now online - find out why the project exists, and how we're solving the centralisation problem in WP (and making WP more secure too!) www.youtube.com/watch?v=zOtO...
There's a surprising number of niche WordPress events at the moment
- PressConf in Arizona
- LoopConf in London
- Enqueue in Sydney
- SomeConf in Minnesotta
- Checkout Summit in Palermo
I feel like I'm probably missing some more?
Screenshot of Patchstack's LinkedIn profile, where their header image is a screenshot of me promoting them and saying I need commission
Those sneaky @patchstack.com-ers have done it again with their LinkedIn header.
If you're at MSP Global this week, come say hi at their booth where I'll be fighting them irl about this π‘
We welcomed Than from @humanmade.com
and Zeshan from Green Street News on the PublishPress podcast.
They told us how they moved over 40,000 articles to their new WordPress site, using local LLMs to categorize all those new posts.
Your timing is impeccable, I just left one.
youtu.be/6kLGw3tbzmk?...
New FAIR 1.0 Release Brings Decentralized Package Management to WordPress
Don't sleep on this opportunity! Contact @rzen.net and join us on 25 Sept!
Specifically, it's is_utf8_charset() which reads the blog_charset option.
Something that's also fascinating is that the charset option in the Reading settings will only show up if it's not already set to UTF-8 - I guess it's legacy support?
Fun fact: esc_html() requires loading the WP database, since it's charset dependent.
Re multiple directories, I think getting the directory to a "neutral" (multi-stakeholder?) host solves that problem, in the same way we don't need third-party backups for the DNS roots.
The main thing there is performance, pulling the audit log data could require pagination and DID lookups are already relatively expensive in our flow (see also github.com/did-method-p...).
One option we talked about a little is that we could do validation in a labeler, making it opt-in.
(Also, the Bluesky client(s) you're using here use only the direct method fyi: github.com/bluesky-soci...)
Indeed, although what's the threat model? If the threat is the PLC directory server, then loading the audit log from the server is no safer than the single endpoint - only mirroring it elsewhere and checking for inconsistency allows that.
Might be a better question for @bnewbold.net & the Bluesky team on that, but I know there's tools to mirror the PLC directory, such as github.com/str4d/plc
(Note that we're using the single endpoint per spec, same as the official atproto identity package does.)
Your Bluesky account eg is plc.directory/did:plc:fd7x... :)
Each DID method defines its usage; the spec for PLC DIDs is to use the public endpoint. The audit log allows verifying it, but that's more of an offline process (and allows mirroring it).
We're also planning on supporting web DIDs, and potentially other methods beyond that - same as Bluesky.
eg for did:plc:afjf7gsjzsqmgc7dlhb553mv, the DID document is at plc.directory/did:plc:afjf... and the key is zQ3shsLDoduUAwJjcc93ktzeQPRMghThq7LPEcsauSjgHpKZT
You donβt need to parse the whole PLC audit log for operational usage, you can use the latest endpoint instead. The keys are encoded directly into the response in multibase. :)
Thanks for diving in though! Come join our slack at chat.fair.pm if you want :)
