Your message dated Thu, 29 Apr 2021 10:18:43 +0000
with message-id <e1lc3kp-000hxy...@fasolo.debian.org>
and subject line Bug#987654: fixed in hyperkitty 1.3.4-3
has caused the Debian Bug report #987654,
regarding python3-django-hyperkitty: Loads Google Fonts (fonts.gstatic.com), causing privacy breach
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-django-hyperkitty
Version: 1.3.4-2
Severity: important

Hyperkitty's CSS attempts to load fonts from Google Fonts, causing a privacy
breach:

@font-face {
  font-family: 'Droid Sans';
  font-style: normal;
  font-weight: 400;
  src: local('Droid Sans'), local('DroidSans'),
       url(https://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciC3USBnSvpkopQaUR-2r7iU.ttf) format('truetype'),
       url(/mailman3/static/hyperkitty/libs/fonts/droid/DroidSans.ttf?9a88e405c18d) format('truetype');
}

These fonts are already bundled in the package, so trying to load them from
Google causes a privacy breach for no good reason.

This has already been fixed upstream: 
<https://gitlab.com/mailman/hyperkitty/-/commit/b35d20f45aafbd152e059abe3d4052485ffae305>,
I hope we can include this fix for bullseye.

Let me know if I can help with fixing (NMU, etc.), I've already prepared a
fixed package for our Mailman3 install at Wikimedia.

-- Kunal

-- System Information:
Debian Release: 10.9
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.98-1.fc25.qubes.x86_64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-django-hyperkitty depends on:
pn  fonts-glewlwyd               <none>
pn  libjs-bootstrap              <none>
ii  python3                      3.7.3-1
ii  python3-dateutil             2.7.3-3
pn  python3-django               <none>
pn  python3-django-compressor    <none>
pn  python3-django-extensions    <none>
pn  python3-django-gravatar2     <none>
pn  python3-django-haystack      <none>
pn  python3-django-mailman3      <none>
pn  python3-django-q             <none>
pn  python3-djangorestframework  <none>
ii  python3-lockfile             1:0.12.2-2
pn  python3-mailmanclient        <none>
pn  python3-networkx             <none>
pn  python3-robot-detection      <none>
ii  python3-tz                   2019.1-1

Versions of packages python3-django-hyperkitty recommends:
pn  mailman3-web  <none>

python3-django-hyperkitty suggests no packages.

--- End Message ---
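
Added example, not part of the bug report, the upstream commit or the Debian patch: a Python check for the pattern reported above, where an @font-face src list names a third-party font URL although a bundled copy is listed too. The function names are hypothetical, the sample is the quoted rule with its wrapped lines rejoined, and the regex parsing assumes no ';' or '}' inside a URL (data: URIs are not handled).

```python
import re
from urllib.parse import urlparse

# Constructed input: the @font-face rule quoted in the report, lines rejoined.
SAMPLE_CSS = """@font-face {
  font-family: 'Droid Sans';
  src: local('Droid Sans'), local('DroidSans'),
       url(https://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciC3USBnSvpkopQaUR-2r7iU.ttf) format('truetype'),
       url(/mailman3/static/hyperkitty/libs/fonts/droid/DroidSans.ttf?9a88e405c18d) format('truetype');
}
"""

FONT_FACE = re.compile(r"@font-face\s*\{(.*?)\}", re.S | re.I)
SRC_DECL = re.compile(r"(?<![\w-])src\s*:(.*?);", re.S | re.I)
URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)

def is_remote(url):
    # http(s) and protocol-relative URLs make the browser contact another host.
    return url.startswith("//") or urlparse(url).scheme in ("http", "https")

def split_sources(value):
    # Split a src list on commas that are not inside parentheses.
    parts, depth, cur = [], 0, ""
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur.strip()] if p]

def audit(css):
    # One (host, bundled_copy_listed) tuple per remote font URL found.
    findings = []
    for block in FONT_FACE.finditer(css):
        for decl in SRC_DECL.finditer(block.group(1)):
            urls = URL.findall(decl.group(1))
            bundled = any(not is_remote(u) for u in urls)
            findings += [(urlparse(u).netloc, bundled) for u in urls if is_remote(u)]
    return findings

def strip_remote(css):
    # Drop remote sources; keep a src list as-is if nothing would remain.
    def fix_decl(m):
        kept = [s for s in split_sources(m.group(1))
                if not any(is_remote(u) for u in URL.findall(s))]
        return "src: " + ",\n       ".join(kept) + ";" if kept else m.group(0)
    return FONT_FACE.sub(lambda b: "@font-face {" + SRC_DECL.sub(fix_decl, b.group(1)) + "}", css)
```

A finding whose second field is False means the font is not shipped locally yet, so the remote source cannot simply be dropped.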
--- Begin Message ---
Source: hyperkitty
Source-Version: 1.3.4-3
Done: Jonas Meurer <jo...@freesources.org>

We believe that the bug you reported is fixed in the latest version of
hyperkitty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <jo...@freesources.org> (supplier of updated hyperkitty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 Apr 2021 11:55:45 +0200
Source: hyperkitty
Architecture: source
Version: 1.3.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Mailman Team <pkg-mailman-hack...@lists.alioth.debian.org>
Changed-By: Jonas Meurer <jo...@freesources.org>
Closes: 987654
Changes:
 hyperkitty (1.3.4-3) unstable; urgency=high
 .
   * d/p/0004_remove_link_to_google_fonts.patch: Don't load remote Google
     fonts. Thanks to Kunal Mehta for bugreport and testing. (Closes: #987654)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
