On January 15, 2025 at 14:48

I just realized that with distributed WordPress packages and signing, all vendor code must be isolated to prevent one trusted vendor from publishing an update with another vendor's package content, which would overwrite it.

Responded to @kasparsd:
5. While this proposal addresses signing and trust, it does not solve directory name isolation for plugins and themes — that would require a separate solution entirely.
What do you think? Is this simple enough to encourage adoption? What could be improved?
Responded to @kasparsd:
3. For the first install of any plugin or theme, users would need to explicitly specify the trusted key for the vendor. Each download page would prominently display the public key for users to specify.
4. Key rotation could be automated via custom HTTP headers with signed payloads. A single valid public key would ensure that revoked or invalid keys stop working immediately.

Here is a proposal for distributed WordPress package signing:
1. The system relies on users adding the public keys of trusted vendors to their site settings. The update API then includes Ed25519 signatures of SHA256 ZIP hashes in the HTTP headers of the updates.
2. This approach could work seamlessly with Composer for automated CI/CD installs through a custom plugin.
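The verification step of the proposal (points 1, 3 and 4 across this thread: a per-vendor trusted Ed25519 key stored in site settings, an Ed25519 signature of the package's SHA256 hash delivered in HTTP headers), written out as an added example; this is not code from the posts or from any WordPress project. The header names, the slug-to-key settings map and the constructed keys are assumptions.

```php
<?php
// Added example of the proposed scheme; header names and settings layout are assumed.
declare(strict_types=1);

// Vendor side: hash the ZIP and sign the hex digest with the vendor's Ed25519 secret key.
// Returns the headers the update API would attach to the package download.
function sign_package(string $zip_path, string $secret_key): array {
    $digest = hash_file('sha256', $zip_path);
    return [
        'X-Package-Sha256'    => $digest, // assumed header name
        'X-Package-Signature' => base64_encode(sodium_crypto_sign_detached($digest, $secret_key)),
    ];
}

// Site side: recompute the hash of the downloaded ZIP, require it to match the header,
// and verify the signature ONLY against the key the site admin trusts for this slug.
function verify_package(string $zip_path, array $headers, array $trusted_keys, string $slug): bool {
    $pk_b64 = $trusted_keys[$slug] ?? null;          // no trusted key for this slug => reject
    if ($pk_b64 === null) {
        return false;
    }
    $pk  = base64_decode($pk_b64, true);
    $sig = base64_decode($headers['X-Package-Signature'] ?? '', true);
    if ($pk === false || strlen($pk) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    $digest = hash_file('sha256', $zip_path);
    if (!hash_equals($digest, (string) ($headers['X-Package-Sha256'] ?? ''))) {
        return false;                                // header hash does not describe this file
    }
    return sodium_crypto_sign_verify_detached($sig, $digest, $pk);
}

// Demo with constructed keys and a constructed package file.
$vendor_a = sodium_crypto_sign_keypair();
$vendor_b = sodium_crypto_sign_keypair();
$zip = tempnam(sys_get_temp_dir(), 'pkg');
file_put_contents($zip, 'constructed package bytes, not a real ZIP');

// Assumed site setting: plugin slug => the vendor key the admin entered on first install.
$trusted = ['vendor-a-plugin' => base64_encode(sodium_crypto_sign_publickey($vendor_a))];

$headers_a = sign_package($zip, sodium_crypto_sign_secretkey($vendor_a));
echo 'signed by vendor A: ', verify_package($zip, $headers_a, $trusted, 'vendor-a-plugin') ? 'accepted' : 'rejected', "\n";

// Vendor B holds a perfectly valid key, but it is not the key bound to this slug, so the
// update must be rejected: trust is per vendor, not "any key the site has ever seen".
$headers_b = sign_package($zip, sodium_crypto_sign_secretkey($vendor_b));
echo 'signed by vendor B: ', verify_package($zip, $headers_b, $trusted, 'vendor-a-plugin') ? 'accepted' : 'rejected', "\n";
unlink($zip);
```

The slug-to-key binding is what enforces the per-vendor trust; it does not address the directory name isolation issue raised in point 5, which stays a separate problem.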
Does anyone know the history behind the choice of SHA384 hash and X-Content-Signature HTTP header for WP core update signatures? Why not SHA256?

Did you know that the WordPress PHPUnit testing library supports a magic global $wp_tests_options variable to pre-configure any option values such as the enabled plugins or custom plugin options?

If you're using the Dell P2723QE monitor, there is a new firmware version M3F102 that fixed the terrible flickering and memory issue for macOS users. https://www.dell.com/support/home/en-lv/drivers/driversdetails?driverid=8xnm7
Version 0.11.0 of the Two-Factor plugin for WordPress has been released with a fix to an issue introduced in the previous version related to filtering the available methods, along with some other usability improvements.
Here is the changelog: https://github.com/WordPress/two-factor/releases/tag/0.11.0
Here’s a one-click deploy workflow I use with a #WordPress #monorepo to quickly iterate and release plugin updates. Since there’s not much out there on doing this right, I’m sharing to hear your thoughts and ideas. How do you handle this? https://www.youtube.com/watch?v=MYZRSpEDUB0
Looking to get more out of your power tool batteries? Check out this handy adapter – it supports 65W USB-C PD output and charging! 🔋 https://kaspars.net/blog/usb-c-pd65w-adapter-charger-18v-20v-batteries
How are you handling IoT device isolation in your home network to ensure that mDNS still works? Do you do separate APs and VLANs?
Responded to @cincura_net:
@cincura_net got it! Makes sense in less crowded areas.
Is there a self-hosted option for watching YouTube videos without the ads? Ideally, something distributed where peers can seed the videos and potentially auto-download everything from my subscriptions?
Responded to @cincura_net:
@cincura_net Do you let the APs self-select the channels? Wondering if there are better ways to do it?
Time for some end-of-year homelab work — config backups for Mikrotik routers, HomeAssistant and related Docker container config backups and upgrades.
Responded to @kasparsd:
The hardest thing was to merge the form submissions with existing data as fields could be added and removed from the form. It also adds the form headers automatically. I enjoy fun array math 😅