[openstack-dev] [horizon] Concern about XStatic-bootswatch imports from fonts.googleapis.com

Diana Whitten hurgleburgler at gmail.com
Thu Sep 3 23:11:48 UTC 2015


Thomas,

Lots of movement on this today.  I was able to get Bootswatch to roll a new
package to accommodate our need to not pull in the URL by default any
longer.  This is now a configurable value that can be set by a variable.
The variable's default value is still the google URL, but Horizon will
reset that when we pull it in.

The bootswatch package isn't a stripped down version of upstream
bootswatch, but it was created from the already existing bower package for
Bootswatch.  It is easier to maintain parity with the bower package, than
trying to pull apart very specific themes out of it.  Also, some upcoming
features plan to take advantage of some of the other themes as well.

As for the MDI package, there are services out there that can convert the
raw SVG that is available directly from google (
https://github.com/google/material-design-icons) into a variety of Web Font
Formats, BUT ... this is not a direct mapping of Google's Material Design
Icons.  The Templarian repo is actually a bigger set of icons, it includes
Google's Icons, but also a number of Community supported and contributed
(under the same license) icons.  See the full set here:
https://materialdesignicons.com/.  Templarian maintains the SVGs of these
at https://github.com/Templarian/MaterialDesign, however, they also
maintain the Bower package (that the xstatic inherits from) at
https://github.com/Templarian/MaterialDesign-Webfont.

Best,
Diana



On Thu, Sep 3, 2015 at 3:06 PM, Thomas Goirand <zigo at debian.org> wrote:

> On 09/03/2015 07:58 PM, Diana Whitten wrote:
> > Thomas,
> >
> > Sorry for the slow response, since I wasn't on the right mailing list
> yet.
> >
> > 1. I'm trying to figure out the best way possible to address this
> > security breach.  I think that the best way to fix this is to augment
> > Bootswatch to only use the URL through a parameter, that can be easily
> > configured.  I have an Issue open on their code right now for this very
> > feature.
> >
> > Until then, I think that we can easily address the issue from the point
> > of view of Horizon, such that we:
> > 1. Remove all instances of 'fonts.googleapis.com' from the SCSS during the
> > preprocessor step. Therefore, no outside URLs that point to this location
> > EVER get hit
> > *or*
> > 2. Until the issue that I created on Bootswatch can be addressed, we
> > can include that file that is making the call in the tree and remove the
> > @import entirely.
> > *or*
> > 3. Until the issue that I created on Bootswatch can be addressed, we
> > can include the two files that we need from bootswatch 'paper' entirely,
> > and remove Bootswatch as a requirement until we can get an updated
> package
> >
> > 2. It's not getting used at all ... anyways.  I packaged up the font and
> > made it also available via xstatic.  I realized there were some questions
> > about where the versioning came from, but it looks like you might have
> > been looking at the wrong github repo:
> > https://github.com/Templarian/MaterialDesign-Webfont/releases
> >
> > You can absolutely patch out the fonts.  The result will not be ugly;
> > each font should fall back to a nice system font.  But, we are only
> > using the 'Paper' theme out of Bootswatch right now and therefore only
> > packaged up the specific font required for it.
> >
> > Ping me on IRC @hurgleburgler
> >
> > - Diana
>
> Diana,
>
> Thanks a lot for all of these answers. It's really helping!
>
> So if I understand well, xstatic-bootswatch is an already stripped down
> version of the upstream bootswatch. But Horizon only uses a single theme
> out of the 16 available in the XStatic package. Then why aren't we using
> an xstatic package which would include only the paper theme? Or is there
> something that I didn't understand?
>
> Removing the fonts.googleapis.com at runtime by Horizon isn't an option
> for distributions, as we don't want to ship a .css file including such
> an import anyway. So definitively, I'd be patching out the @import away.
> But will there be a mechanism to load the Roboto font, packaged as
> xstatic, then? Falling back to a system font could have surprising results.
>
> This was for the bootswatch issue. Now, about the mdi, which IMO isn't
> as much as a problem.
>
> The Git repository at:
> https://github.com/Templarian/MaterialDesign-Webfont/releases
>
> I wonder how it was created. Apparently, the font is made up of images
> that are coming from this repository:
> https://github.com/google/material-design-icons
>
> The question is then, how has this font been made? Was it done "by hand"
> by an artist? Or was there some kind of scripting involved? If it is the
> latter, then I'd like to build the font out of the original sources if
> possible. If I can't find how it was done, then I'll probably end up
> just packaging the font as-is, but I'd very much prefer to understand
> what has been done.
>
> Cheers,
>
> Thomas Goirand (zigo)
>
>
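As an added example for the packaging question in this thread (it is not Horizon, Bootswatch or XStatic code), a small audit that finds the remote web-font `@import` being discussed, patches it to an import of a locally packaged font, and shows why a plain grep for the host still fires on the `$web-font-path` default afterwards. The sample SCSS is constructed and the local import path is an assumed placeholder for wherever a distribution packages Roboto.

```python
"""Audit SCSS for a remote web-font import and patch it to a packaged font.

Added example for the thread above; not Horizon, Bootswatch or XStatic code.
The sample SCSS is constructed to resemble Bootswatch's web-font import, and
the local import path is a hypothetical placeholder for a packaged Roboto.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the variable default plus the @import that fetches it.
SAMPLE_SCSS = """\
$web-font-path: "https://fonts.googleapis.com/css?family=Roboto:400,700" !default;
@import url($web-font-path);
@import "variables";
body { background: url("images/bg.png"); }
"""

ABS_URL = re.compile(r'https?://[^\s"\')]+')
# An @import that would fetch either the variable or a Google Fonts URL directly.
FONT_IMPORT = re.compile(
    r'^\s*@import\s+url\(\s*(?:\$web-font-path|["\']?https?://fonts\.googleapis\.com[^)]*)\s*\)\s*;'
)

def external_hosts(scss):
    """Return (line_no, host) for every absolute http(s) URL, fetched or not."""
    hits = []
    for no, line in enumerate(scss.splitlines(), 1):
        for m in ABS_URL.finditer(line):
            hits.append((no, urlparse(m.group(0)).hostname))
    return hits

def fetching_lines(scss):
    """Line numbers whose @import would actually trigger the remote request."""
    return [no for no, line in enumerate(scss.splitlines(), 1)
            if FONT_IMPORT.match(line)]

def patch_web_font_import(scss, local_import='@import "fonts/roboto";'):
    """Replace each remote font @import with an import of the packaged font.
    Returns the patched SCSS and the number of lines replaced."""
    out, replaced = [], 0
    for line in scss.splitlines():
        if FONT_IMPORT.match(line):
            out.append(local_import)
            replaced += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", replaced

if __name__ == "__main__":
    patched, n = patch_web_font_import(SAMPLE_SCSS)
    print(f"replaced {n} import(s); remaining fetches: {fetching_lines(patched)}")
    # The variable default still names Google, so a host grep still matches it.
    print("hosts still named:", external_hosts(patched))
```

The distinction between `external_hosts` and `fetching_lines` is the point: after patching, no request is made, but a packager grepping for the host name will still see the variable default unless that is overridden too.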