Think about using (wordpress') FAIR for d.o

Problem/Motivation

Drupal.org (d.o) is a critical piece of infrastructure for the global Drupal ecosystem, providing code distribution, package metadata, and collaboration tooling. However, the current model raises several structural concerns:

• Geopolitical risk: reliance on centralized infrastructure and specific hosting regions or providers introduces dependencies that are increasingly sensitive in the context of digital sovereignty.
• Bandwidth and distribution: global delivery of releases, Composer metadata, and project assets creates significant bandwidth pressure and scaling challenges.
• Infrastructure cost: storage, CDN, compute, and especially egress costs continue to grow with ecosystem adoption.

In parallel, the WordPress ecosystem is exploring alternative distribution architectures through the FAIR (Federated and Independent Repositories) initiative, https://fair.pm/. FAIR introduces a federated model where multiple independent nodes participate in distributing packages and metadata, reducing central bottlenecks and enabling regional autonomy.

This raises the question whether similar principles could be explored for Drupal.org to:

• Reduce vendor and region dependency
• Distribute bandwidth across multiple trusted parties
• Lower operational costs
• Improve resilience and autonomy in different geopolitical contexts

Steps to reproduce

• Review the current Drupal.org architecture:
  • Package distribution (tarballs, Composer endpoints)
  • Git hosting and mirroring
  • CDN usage and traffic distribution
• Analyze the WordPress FAIR initiative:
  • Federated repository architecture
  • Synchronization and consistency mechanisms
  • Trust, signing, and verification model
• Compare both approaches in terms of:
  • Scalability
  • Cost structure
  • Governance and control
  • Security and supply chain implications
• Identify potential alignment and gaps

Proposed resolution

• Initiate a research spike to explore federated distribution models for Drupal.org
• Investigate the feasibility of a “Drupal FAIR”-like approach, including:
  • Active regional mirrors participating in distribution
  • Federated Composer metadata endpoints
  • Cryptographic signing and trust chains for packages
• Design a high-level architecture for a hybrid model:
  • Central coordination via Drupal.org
  • Distributed delivery via trusted community or partner nodes
• Validate the approach using real-world scenarios:
  • Government use cases (digital sovereignty requirements)
  • Enterprise environments (cost and performance optimization)
  • Community-operated mirrors

Remaining tasks

• Document current Drupal.org infrastructure and cost drivers
• Perform a deeper technical and governance analysis of FAIR
• Develop a proof-of-concept with a small set of federated nodes
• Conduct a security and supply chain risk assessment
• Engage stakeholders (Drupal Association, infrastructure team, community)

User interface changes

• No immediate UI changes required
• Potential future considerations:
  • Optional selection or indication of download source (regional node)
  • Visibility into package origin and signature status
  • Health or status indicators for federated nodes

Introduced terminology

• Federated Repository: a node participating in a distributed network for hosting and serving packages and metadata
• Active Mirror: a mirror that participates in synchronization and distribution logic, not just caching
• Trust Chain: a mechanism for verifying the integrity and origin of packages
• Regional Node: a geographically or jurisdictionally scoped distribution endpoint

API changes

• Potential future changes may include:
  • Extensions to Composer metadata endpoints to support multiple upstream sources
  • Federated metadata aggregation
  • APIs for package signing and verification
  • Node discovery and registry mechanisms for trusted federated nodes
• Not yet defined; subject to research outcomes

Data model changes

• Potential additions may include:
  • Metadata for package provenance (origin, signatures, trust level)
  • Registry of federated nodes and trust relationships
  • Synchronization state tracking between nodes
• Not yet defined; dependent on architectural direction

Release notes snippet

• This issue explores a federated distribution model for Drupal.org, inspired by the WordPress FAIR initiative, aiming to improve resilience, reduce infrastructure costs, and address emerging digital sovereignty considerations.