[openstack-dev] [horizon] Concern about XStatic-bootswatch imports from fonts.googleapis.com

Thomas Goirand zigo at debian.org
Thu Sep 3 22:06:26 UTC 2015


On 09/03/2015 07:58 PM, Diana Whitten wrote:
> Thomas,
> 
> Sorry for the slow response, since I wasn't on the right mailing list yet.
> 
> 1. I'm trying to figure out the best way possible to address this
> security breach.  I think that the best way to fix this is to augment
> Bootswatch to only use the URL through a parameter, that can be easily
> configured.  I have an Issue open on their code right now for this very
> feature.
> 
> Until then, I think that we can easily address the issue from the point
> of view of Horizon, such that we:
> 1. Remove all instances of 'fonts.googleapis.com' from the SCSS during the preprocessor
> step. Therefore, no outside URLs that point to this location EVER get hit
> *or*
> 2. Until the issue that I created on Bootswatch can be addressed, we
> can include that file that is making the call in the tree and remove the
> @import entirely.
> *or*
> 3. Until the issue that I created on Bootswatch can be addressed, we
> can include the two files that we need from bootswatch 'paper' entirely,
> and remove Bootswatch as a requirement until we can get an updated package
> 
> 2. It's not getting used at all ... anyways.  I packaged up the font and
> made it also available via xstatic.  I realized there were some questions
> about where the versioning came from, but it looks like you might have
> been looking at the wrong github repo:
> https://github.com/Templarian/MaterialDesign-Webfont/releases
> 
> You can absolutely patch out the fonts.  The result will not be ugly;
> each font should fall back to a nice system font.  But, we are only
> using the 'Paper' theme out of Bootswatch right now and therefore only
> packaged up the specific font required for it.
> 
> Ping me on IRC @hurgleburgler
> 
> - Diana

Diana,

Thanks a lot for all of these answers. It's really helping!

So if I understand well, xstatic-bootswatch is an already stripped-down
version of the upstream bootswatch. But Horizon only uses a single theme
out of the 16 available in the XStatic package. Then why aren't we using
an xstatic package which would include only the paper theme? Or is there
something that I didn't understand?

Removing the fonts.googleapis.com at runtime by Horizon isn't an option
for distributions, as we don't want to ship a .css file including such
an import anyway. So definitely, I'd be patching the @import out.
But will there be a mechanism to load the Roboto font, packaged as
xstatic, then? Falling back to a system font could have surprising results.

This was for the bootswatch issue. Now, about the mdi, which IMO isn't
as much of a problem.

The Git repository at:
https://github.com/Templarian/MaterialDesign-Webfont/releases

I wonder how it was created. Apparently, the font is made up of images
that are coming from this repository:
https://github.com/google/material-design-icons

The question is then, how has this font been made? Was it done "by hand"
by an artist? Or was there some kind of scripting involved? If it is the
latter, then I'd like to build the font out of the original sources if
possible. If I can't find how it was done, then I'll probably end up
just packaging the font as-is, but I'd very much prefer to understand
what has been done.

Cheers,

Thomas Goirand (zigo)
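The check a packager would want for the concern above (no off-host @import or url() left in the shipped CSS), as an added example that is not part of the thread or of Horizon's own code. The sample stylesheet is constructed; the regexes are deliberately simple and the hosts treated as "external" are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample resembling a themed stylesheet before patching; the real
# Bootswatch 'paper' sources are not reproduced here (assumption).
SAMPLE_CSS = """\
@import url("https://fonts.googleapis.com/css?family=Roboto:300,400,500,700");
@import "bootstrap/variables";
.navbar { background: url(../img/logo.png); }
@font-face { font-family: "Roboto"; src: url(//fonts.gstatic.com/s/roboto/v15/abc.woff2) format("woff2"); }
"""

# '@import "x"', "@import url(x)", "@import url('x')" and plain "url(x)" references.
IMPORT_RE = re.compile(r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)', re.IGNORECASE)
URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.IGNORECASE)


def host_of(ref):
    """Hostname of a CSS reference, or '' for relative paths and data: URIs.
    Protocol-relative '//host/...' references count as external too."""
    if ref.startswith("//"):
        ref = "https:" + ref
    return urlparse(ref).netloc.lower()


def external_references(css_text, allowed_hosts=()):
    """Sorted (line_no, host, ref) for every @import or url() pointing off-host."""
    findings = set()
    for lineno, line in enumerate(css_text.splitlines(), 1):
        for ref in IMPORT_RE.findall(line) + URL_RE.findall(line):
            host = host_of(ref)
            if host and host not in allowed_hosts:
                findings.add((lineno, host, ref))
    return sorted(findings)


def strip_external_imports(css_text, allowed_hosts=()):
    """Drop every @import line whose target is off-host (the 'patch the @import out' option).
    Note that @font-face src: url(...) entries are left alone, so re-run the check afterwards."""
    kept = []
    for line in css_text.splitlines():
        m = IMPORT_RE.search(line)
        if m and host_of(m.group(1)) and host_of(m.group(1)) not in allowed_hosts:
            continue
        kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    for lineno, host, ref in external_references(SAMPLE_CSS):
        print(f"line {lineno}: external reference to {host}: {ref}")
    print(external_references(strip_external_imports(SAMPLE_CSS)))
```

Running the check again on the patched text still reports the @font-face source, which is the point: removing the @import alone does not prove the stylesheet makes no outside requests.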
