Thomas,

Sorry for the slow response, since I wasn't on the right mailing list yet.

1. I'm trying to figure out the best way possible to address this security breach. I think that the best way to fix this is to augment Bootswatch to only use the URL through a parameter that can be easily configured. I have an issue open on their code right now for this very feature. Until then, I think that we can easily address the issue from the point of view of Horizon, such that we:

   1. Remove all instances of 'fonts.googleapis.com' from the SCSS during the preprocessor step. Therefore, no outside URLs that point to this location EVER get hit.
   *or*
   2. Until the issue that I created on Bootswatch can be addressed, we can include the file that is making the call in the tree and remove the @import entirely.
   *or*
   3. Until the issue that I created on Bootswatch can be addressed, we can include the two files that we need from Bootswatch 'paper' entirely, and remove Bootswatch as a requirement until we can get an updated package.

2. It's not getting used at all ... anyways. I packaged up the font and made it also available via xstatic. I realized there were some questions about where the versioning came from, but it looks like you might have been looking at the wrong GitHub repo: https://github.com/Templarian/MaterialDesign-Webfont/releases

You can absolutely patch out the fonts. The result will not be ugly; each font should fall back to a nice system font. But we are only using the 'Paper' theme out of Bootswatch right now and therefore only packaged up the specific font required for it.

Ping me on IRC @hurgleburgler

- Diana

On Thu, Sep 3, 2015 at 9:55 AM, Thai Q Tran <[email protected]> wrote:
>
> ----- Original message -----
> From: Thomas Goirand <[email protected]>
> To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]>
> Cc:
> Subject: [openstack-dev] [horizon] Concern about XStatic-bootswatch imports from fonts.googleapis.com
> Date: Thu, Sep 3, 2015 4:30 AM
>
> Hi,
>
> When doing:
> grep -r fonts.googleapis.com *
>
> there's 56 lines of this kind of result:
> xstatic/pkg/bootswatch/data/cyborg/bootstrap.css:@import url("https://fonts.googleapis.com/css?family=Roboto:400,700");
>
> This is wrong because:
>
> 1/ This is a privacy breach, and one may not agree on hitting any web server which he doesn't control. It's a problem in itself for packaging in Debian, which is currently stopping me from uploading.
>
> 2/ More importantly (and even if you don't care about this kind of privacy breach), this requires Internet access, which isn't at all granted in some installations.
>
> So I wonder if using bootswatch, which includes such a problem, is really a good idea. Are these font imports completely mandatory? Or can I patch them out? Will the result be ugly if I patch it out?
>
> Your thoughts?
>
> Cheers,
>
> Thomas Goirand (zigo)
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
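Added example (not code from Horizon, XStatic-bootswatch, or either poster): a small Python script that does the two things discussed in the thread, namely the check Thomas ran with grep (find every @import that pulls from fonts.googleapis.com in a CSS/SCSS tree) and Diana's option 1 (strip those imports during a preprocessing step so the packaged stylesheets never reference the external host). The regex forms it accepts and the sample stylesheet are assumptions I constructed, modelled on the one bootswatch line quoted above.

```python
import re
from pathlib import Path

# Matches an @import that fetches from fonts.googleapis.com in the forms
# Bootswatch-style themes use: url("..."), url('...'), url(...) or a bare string.
# (Assumed pattern; the thread only shows the url("...") form.)
EXTERNAL_FONT_IMPORT = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?https?://fonts\.googleapis\.com/[^"')\s;]*["']?\s*\)?\s*;?""",
    re.IGNORECASE,
)

# Constructed sample stylesheet, modelled on the bootswatch 'cyborg' header
# quoted in the thread; it is not a real bootswatch file.
SAMPLE_CSS = """\
/* constructed sample, modelled on a bootswatch theme header */
@import url("https://fonts.googleapis.com/css?family=Roboto:400,700");
@import url("https://fonts.googleapis.com/css?family=Lato:400,700,400italic");
@import "variables";
body { font-family: "Roboto", "Helvetica Neue", Helvetica, Arial, sans-serif; }
"""


def find_external_font_imports(css_text):
    """Return (line_number, line) pairs for every line that imports from fonts.googleapis.com.

    This is the grep check from the thread, done in-process so it can gate a build.
    """
    hits = []
    for lineno, line in enumerate(css_text.splitlines(), start=1):
        if EXTERNAL_FONT_IMPORT.search(line):
            hits.append((lineno, line.strip()))
    return hits


def strip_external_font_imports(css_text):
    """Remove the external font @import statements and nothing else.

    A line that held only the import is dropped entirely; any other content on
    the line (including local @import "..." rules and font-family declarations)
    is kept, so the theme still falls back to system fonts as Diana describes.
    """
    kept = []
    for line in css_text.splitlines(keepends=True):
        cleaned = EXTERNAL_FONT_IMPORT.sub("", line)
        if line.strip() and not cleaned.strip():
            continue  # line consisted solely of the external import
        kept.append(cleaned)
    return "".join(kept)


def scan_tree(root):
    """Walk a directory of .css/.scss files and map each offending file to its hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in (".css", ".scss") and path.is_file():
            hits = find_external_font_imports(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    for lineno, line in find_external_font_imports(SAMPLE_CSS):
        print(f"sample.css:{lineno}: {line}")
    print("--- after stripping ---")
    print(strip_external_font_imports(SAMPLE_CSS), end="")
```

Running scan_tree() over an unpacked xstatic package (or the Horizon SCSS tree before the preprocessor runs) and failing the build when it returns anything gives a regression check for the problem Thomas describes; strip_external_font_imports() is the preprocessing step of option 1.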
