I prefer removing the avatars. Having snapshots for existing ppl is half-solution, and trying to add some kind of sync mechanism on build would be a waste of energy.
Istvan On Mon, Feb 17, 2025 at 4:45 AM Francis Chuang <[email protected]> wrote: > There are numerous broken resources on our websites due to the > Content-Security-Policy HTTP header deployed by the ASF [1]. > > The CSP is quite restrictive: default-src 'self' data: blob: > 'unsafe-inline' https://www.apachecon.com/ > https://www.communityovercode.org/ https://analytics.apache.org/; > script-src 'self' 'unsafe-inline' 'unsafe-eval' > https://analytics.apache.org/; style-src 'self' 'unsafe-inline' data:; > frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self' > data: https://*.apache.org/; worker-src 'self' data: blob:; > > I was able to fix the Lato font not loading on the Calcite and Avatica > sites by self-hosting it in CALCITE-6843 [2]. > > There are still quite a few resources broken on both the Calcite and > Avatica sites, mostly images. For most images, we can easily self-host > our own copy. However, we use GitHub avatars for the Community and News > pages on both sites. We can either self-host all the avatars (but they > won't be updated if the user changes them on GitHub) or we can get rid > of them. > > What do you guys think? > > Francis > > [1] https://infra.apache.org/csp.html > [2] https://issues.apache.org/jira/browse/CALCITE-6843 > -- *István Tóth* | Sr. Staff Software Engineer *Email*: [email protected] cloudera.com <https://www.cloudera.com> [image: Cloudera] <https://www.cloudera.com/> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> ------------------------------ ------------------------------
