On Mon, Jun 29, 2026 at 01:57:28PM +0200, Thomas Goirand wrote:
> On 6/24/26 3:38 PM, Julian Gilbey wrote:
> > Source: fonts-materialdesignicons-webfont
> > Version: 7.4.47-1
> > Severity: serious
> > 
> > Hi Thomas,
> > 
> > I'm looking at 7.4.47-1, and see that it is built using the
> > pre-compiled fonts.  This has two serious issues:
> > 
> > (1) Some of the icons have a problematic license: the LICENSE file
> > reads:
> > 
> > # Icons: Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0)
> > Some of the icons are redistributed under the Apache 2.0 license. All other
> > icons are either redistributed under their respective licenses or are
> > distributed under the Apache 2.0 license.
> > 
> > The brand icons are not included in the Apache 2.0 license, so cannot
> > be included in this package.  They were going to be removed in version
> > 8.0.0 of the icon font, but it looks like all development on this
> > package has stopped.
> > 
> > (2) The package is not built "from source", which are the SVG icons in
> > the MaterialDesign-SVG repository.
> > 
> > I would be happy to fix both of these issues, but I don't want to mess
> > up your repository.  To do the fix, I would switch to the
> > MaterialDesign-SVG repository as the primary source and add the
> > MaterialDesign-Font-Build repository as an additional component.  You
> > can see what I have done with the new fonts-materialdesignicons-legacy
> > package to fix these issues; I would use an (almost) identical
> > structure with the version 7 package
> > (fonts-materialdesignicons-webfont).  However, I don't know how to do
> > this within the OpenStack build structure as specified here:
> > https://wiki.debian.org/OpenStack/PackageUpdate#Import_upstream_changes_to_the_debian.2FOSRELEASE_branch
> > 
> > Some possible options (some of which overlap):
> > 
> > (a) We don't continue to follow the OpenStack setup for this specific
> > repository.  I'm guessing that this is unlikely to be much of a
> > problem, as it looks like the package is abandoned upstream, but I
> > don't fully understand how the OpenStack team works, so I am not at
> > all certain about this.
> > 
> > (b) You set it up with the new source and additional component in a
> > way which is compatible with OpenStack, and then I do the rest of the
> > work.  Note, though, that you cannot simply clone the upstream
> > MaterialDesign-SVG repository, because a whole bunch of files have to
> > be excluded; the upstream version number will become 7.4.47+dfsg.
> > 
> > (c) You find an alternative way of addressing this bug, and I'm
> > totally open to that possibility too!
> > 
> > (d) We take this package out of the OpenStack team and migrate it to
> > the Fonts team, so it does not need to follow the OpenStack protocol.
> > 
> > Best wishes,
> > 
> >     Julian
> 
> Hi Julian,
> 
> Thanks for this bug report.
> 
> The way it works for Horizon, to find its webfont, is through the
> python-xstatic-font-awesome package. This is a Python module that is
> supposed to contain the webfonts. It's made in a way so that it is easy to
> patch to make it use the system's font package instead.

Hi Thomas,

I hadn't even looked at the python-xstatic-font-awesome package!  Does
that have a similar problem?  (I got a "serious" bug report slapped on
one of my packages which shipped the Font Awesome binary fonts.)

> Currently, what's being done, is a simple "debianize.patch" that does:
> 
> -#BASE_DIR = '/usr/share/javascript/d3'
> +BASE_DIR = '/usr/share/fonts-font-awesome'
> 
> so that assets are read from /usr/share/fonts-font-awesome.

That sounds totally fine for python-xstatic-font-awesome; if it works,
why break it?!  But the fonts should be stripped from the source
package, and I don't know how to do that within the Debian OpenStack
paradigm.

> If we remove the patch, and let the Python module install its assets, we
> could replaced the installed assets by corresponding symlinks to the system
> font package: that's another very valid way to fix the problem.
> 
> At this time, I very much lack time to address it. Best would be if you
> could take over the current fonts-materialdesignicons-webfont, or work on
> the python-xstatic-font-awesome package, to solve the issue, and make it so
> that it would point to the current package you're maintaining. It'd be
> really awesome if you could work on that. Please let me know.

I'm happy to do both of these; they should be pretty straightforward.
The only question is where and how to maintain them.  I'm happy to
leave them in the OpenStack Salsa repository, but I don't know how to
handle the change to a tarball source rather than linking to an
upstream repository in a "compliant" way.  If you can let me know
that, I can make the changes and upload a new version.

> In the mean time, I do not think this bug deserves the current severity that
> you've set. I really would love to see this bug fixed, but I do not think
> it's serious enough to grant the removal of Horizon, especially considering
> that the affected icons aren't probably the ones that Horizon is using.
> Removing both packages from testing will not help.

I was copying what I had from someone else... (see #1025000).

But the fix is now straightforward.  (And if there is a big to-do in
Debian about whether Font Awesome should be removed completely, it'll
be a major issue, as so many fonts in Debian have equally problematic
sources.)

Best wishes,

   Julian

Reply via email to