WordCamp Canada Speaker Brent Toderash: Supply Chain Security - Why the Future will be Federated

WCEH

Download Slides & Notes from my Talk at WordCamp Canada 2025

Managing Risk in the Software Supply Chain: Why the Future will be Federated

PDF Slides & Full Text Notes (1.3MB)

Alternate Versions:

PDF Slide Deck (4MB)

Point-Form Slide Notes (PDF)

Point-Form Slide Notes (Markdown)

I was invited to present this talk at WordCamp Canada 2025. The talk outline is roughly as follows:

  • Risk management concepts, including single-vendor risk, and risk mitigation concepts, including spread of risk.
  • The software supply chain: typical diagram with attack vectors and example types of attack.
  • Uncertainty in the WordPress supply chain & other centralized supply chain risks.
  • Securing the supply chain: differences in the WordPress supply chain, with added risk.
  • Where the WordPress supply chain model came from: a product of the early 2000s.
  • Time for change: the approach of the AspirePress & FAIR Projects toward independence, decentralization, and federation.
  • Securing the WordPress supply chain: closer to the typical model, updated with changes for increased security in a federated model.
  • How the FAIR protocol and architecture work.
  • Package labelling, decentralized digital trust, and the (draft) FAIR trust model.
  • Four reasons why the future will be federated.

Unfortunately, at the event, the talk before me ran overtime and we started late. I used the allotted time, but was rushed to cut it short at the end as a result, and we weren’t able to do a Q&A session. If anyone has questions, please do reach out to me via social media channels, email, or at chat.fair.pm, and I’ll be happy to talk.
