<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr"><div><div><div><div><div>Thomas,<br><br></div>Lots of movement on this today. I was able to get Bootswatch to roll a new package to accommodate our need to not pull in the URL by default any longer. This is now a configurable value that can be set by a variable. The variable's default value is still the google URL, but Horizon will reset that when we pull it it.<br><br></div>The bootswatch package isn't a stripped down version of upstream bootswatch, but it was created from the already existing bower package for Bootswatch. It is easier to maintain parity with the bower package, than trying to pull apart very specific themes out of it. Also, some upcoming features plan to take advantage of some of the other themes as well.<br><br></div>As for the MDI package, there are services out there that can convert the raw SVG that is available directly from google (<a href="https://github.com/google/material-design-icons" target="_blank">https://github.com/google/material-design-icons</a>) into a variety of Web Font Formats, BUT ... this is a not a direct mapping of Google's Material Design Icons. The Templarian repo is actually a bigger set of icons, it includes Google's Icons, but also a number of Community supports and contributed (under the same license) icons. See the full set here: <a href="https://materialdesignicons.com/" target="_blank">https://materialdesignicons.com/</a>. Templarian maintains the SVGs of these at <a href="https://github.com/Templarian/MaterialDesign" target="_blank">https://github.com/Templarian/MaterialDesign</a>, however, they also maintain the Bower package (that the xstatic inherits from) at <a href="https://github.com/Templarian/MaterialDesign-Webfont" target="_blank">https://github.com/Templarian/MaterialDesign-Webfont</a>.<br><br></div>Best,<br></div>Diana<br><div><div><br><br></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 3, 2015 at 3:06 PM, Thomas Goirand <span dir="ltr"><<a href="mailto:zigo@debian.org" target="_blank">zigo@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 09/03/2015 07:58 PM, Diana Whitten wrote:<br>
> Thomas,<br>
><br>
> Sorry for the slow response, since I wasn't on the right mailing list yet.<br>
><br>
> 1. I'm trying to figure out the best way possible to address this<br>
> security breach. I think that the best way to fix this is to augment<br>
> Bootswatch to only use the URL through a parameter, that can be easily<br>
> configured. I have an Issue open on their code right now for this very<br>
> feature.<br>
><br>
> Until then, I think that we can easily address the issue from the point<br>
> of view of Horizon, such that we:<br>
> 1. Remove all instances of '<a href="http://fonts.googleapis.com" rel="noreferrer" target="_blank">fonts.googleapis.com</a><br>
</span>> <<a href="http://fonts.googleapis.com" rel="noreferrer" target="_blank">http://fonts.googleapis.com</a>>' from the SCSS during the preprocessor<br>
<span>> step. Therefore, no outside URLs that point to this location EVER get hit<br>
</span>> *or*<br>
<span>> 2. Until the issue that I created on Bootswatch can be addressed, we<br>
> can include that file that is making the call in the tree and remove the<br>
> @import entirely.<br>
</span>> *or*<br>
<span>> 3. Until the issue that I created on Bootswatch can be addressed, we<br>
> can include the two files that we need from bootswatch 'paper' entirely,<br>
> and remove Bootswatch as a requirement until we can get an updated package<br>
><br>
> 2. Its not getting used at all ... anyways. I packaged up the font and<br>
> make it also available via xstatic. I realized there was some questions<br>
> about where the versioning came from, but it looks like you might have<br>
> been looking at the wrong github repo:<br>
> <a href="https://github.com/Templarian/MaterialDesign-Webfont/releases" rel="noreferrer" target="_blank">https://github.com/Templarian/MaterialDesign-Webfont/releases</a><br>
><br>
> You can absolutely patch out the fonts. The result will not be ugly;<br>
> each font should fall back to a nice system font. But, we are only<br>
> using the 'Paper' theme out of Bootswatch right now and therefore only<br>
> packaged up the specific font required for it.<br>
><br>
> Ping me on IRC @hurgleburgler<br>
><br>
> - Diana<br>
<br>
</span>Diana,<br>
<br>
Thanks a lot for all of these answers. It's really helping!<br>
<br>
So if I understand well, xstatic-bootswatch is an already stripped down<br>
version of the upstream bootswatch. But Horizon only use a single theme<br>
out of the 16 available in the XStatic package. Then why aren't we using<br>
an xstatic package which would include only the paper theme? Or is there<br>
something that I didn't understand?<br>
<br>
Removing the <a href="http://fonts.googleapis.com" rel="noreferrer" target="_blank">fonts.googleapis.com</a> at runtime by Horizon isn't an option<br>
for distributions, as we don't want to ship a .css file including such<br>
an import anyway. So definitively, I'd be patching out the @import away.<br>
But will there be a mechanism to load the Roboto font, packaged as<br>
xstatic, then? Falling back to a system font could have surprising results.<br>
<br>
This was for the bootswatch issue. Now, about the mdi, which IMO isn't<br>
as much as a problem.<br>
<br>
The Git repository at:<br>
<a href="https://github.com/Templarian/MaterialDesign-Webfont/releases" rel="noreferrer" target="_blank">https://github.com/Templarian/MaterialDesign-Webfont/releases</a><br>
<br>
I wonder how it was created. Apparently, the font is made up of images<br>
that are coming from this repository:<br>
<a href="https://github.com/google/material-design-icons" rel="noreferrer" target="_blank">https://github.com/google/material-design-icons</a><br>
<br>
the question is then, how has this font been made? Was it done "by hand"<br>
by an artist? Or was there some kind of scripting involved? If it is the<br>
later, then I'd like to build the font out of the original sources if<br>
possible. If I can't find how it was done, then I'll probably end up<br>
just packaging the font as-is, but I'd very much prefer to understand<br>
what has been done.<br>
<br>
Cheers,<br>
<br>
Thomas Goirand (zigo)<br>
<br>
</blockquote></div><br></div>
</div></div></div><br></div>