Re: Request: Using Rubik Webfont from Google Fonts Directory in debian.org

2019-06-15 Thread Carsten Schoenert
On 16.06.19 at 01:02, Bagas Sanjaya wrote:
> So we have two options:
> 
>   * Use the font from Google Fonts, but with risks of fingerprinting

This won't ever happen (the usage of external resources this way).

>   * Host the font on debian.org infrastructure, and use it as webfont.
> This way, when accessing debian.org, they can get consistent
> typography look across all devices (PC, smartphones, etc) without
> having to use external resource.

As written earlier, using an own webfont isn't a difficult thing. But you
need to take care of QA if you want to modify environments. If you want
to go down this road you will need to prepare something, do a basic
check of things and come up with a visible outcome ideally. If the last
thing is not possible then please provide a git branch which could be
checked out and built all locally.

> On 14.06.19 at 06:58, Paul Wise wrote:
>> On Fri, Jun 14, 2019 at 12:51 PM anon notmyfault64 wrote:
>
>> One of good font candidates is Rubik.
>
> This font doesn't appear to have support for all the languages
> supported by the Debian website.

This criterion from Paul is a serious requirement. Have a look at the git
tree of the webwml repository to see which languages are currently used
within the Debian websites on www.d.o

https://salsa.debian.org/webmaster-team/webwml

If we want to use a dedicated typeface *all* existing and used languages
need to be supported and functional! This is a k.o. criterion of course.

Note that all I've written above is my opinion and isn't necessarily
the same POV as that of other webteam members. I'm open to using a webfont
for providing some symbols which otherwise need to be made as graphics. But
I'm a bit pessimistic if we really need a new font for websites of
Debian. The existing fonts which are included within the browsers in
most cases are really providing enough visible differences among which
we can pick one. And we have more important issues we should work on first.
But please don't hesitate to do some work on the webfont thing if you
want to work on it anyway. Even if you can figure out how to compile an
own webfont, that would be something useful in the long run.

-- 
Regards
Carsten Schoenert



Re: Using Cloudflare as CDN for debian.org website

2019-06-15 Thread Bagas Sanjaya


On 16/06/19 06.26, Steve McIntyre wrote:
> On Sun, Jun 16, 2019 at 05:50:33AM +0700, Bagas Sanjaya wrote:
>> What is your position regarding Cloudflare's reCAPTCHA challenge feature I
>> mentioned earlier? Here are pros and cons of the feature:
>
> Why on earth would we want to make it harder for people to read the
> website?
>
>> Pros:
>>
>>   • You can assure that (almost) all visitors are legitimate (human), since
>> they must pass the challenge.
>
> Why do you think that's a feature we care about?

In fact, several websites (such as Capezio, ProMods Map, and WHEELS.ca)
have reCAPTCHA challenge enabled. Those sites just want to make sure
that all visitors are humans. Feel free to visit those sites above for
your consideration.

> Why on earth would we want to make it harder for people to read the
> website?

Because the website with reCAPTCHA challenge feature may violate "secure 
it without overdoing it" principle, that is, their webmasters tighten 
website security so much as to make their website harder to access.




Re: Using Cloudflare as CDN for debian.org website

2019-06-15 Thread Steve McIntyre
On Sun, Jun 16, 2019 at 05:50:33AM +0700, Bagas Sanjaya wrote:
>
>What is your position regarding Cloudflare's reCAPTCHA challenge feature I
>mentioned earlier? Here are pros and cons of the feature:

Why on earth would we want to make it harder for people to read the
website?

>Pros:
>
>  • You can assure that (almost) all visitors are legitimate (human), since
>they must pass the challenge.

Why do you think that's a feature we care about?

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
<Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.



Re: Re: Request: Using Rubik Webfont from Google Fonts Directory in debian.org

2019-06-15 Thread Bagas Sanjaya

So we have two options:

 * Use the font from Google Fonts, but with risks of fingerprinting
 * Host the font on debian.org infrastructure, and use it as webfont.
   This way, when accessing debian.org, they can get consistent
   typography look across all devices (PC, smartphones, etc) without
   having to use external resource.



Re: Using Cloudflare as CDN for debian.org website

2019-06-15 Thread Bagas Sanjaya


On 15/06/19 23.03, Wouter Verhelst wrote:
> On Sat, Jun 15, 2019 at 07:14:58PM +0700, Bagas Sanjaya wrote:
>> Dear debian.org webmasters,
>>
>> CDN (Content Delivery Network) is a service that distributes a website's content
>> to different servers across the world. This way, when a visitor in Singapore
>> (for example) visits a website which is hosted in Europe, the website assets will
>> be served from a CDN server in Singapore or nearby instead.
>
> The Debian.org website is already mirrored to several machines, which in fact
> implements a CDN avant la lettre.
>
> [...]
>> One interesting feature of Cloudflare is the reCAPTCHA challenge every time
>> a visitor accesses a website which has this feature enabled.
>
> Please let's not go there...

> The Debian.org website is already mirrored to several machines, which in fact
> implements a CDN avant la lettre.

Does the debian.org website's CDN have DDOS protection like what Cloudflare has?

> Please let's not go there...

What is your position regarding Cloudflare's reCAPTCHA challenge feature 
I mentioned earlier? Here are pros and cons of the feature:


Pros:

 * You can assure that (almost) all visitors are legitimate (human),
   since they must pass the challenge.

Cons:

 * The reCAPTCHA itself is trickier to pass.
 * Cloudflare's recommendation to prevent the Challenge can be
   difficult or impossible to implement. In case of office/shared
   networks, they have to contact the network administrator in order to do
   a scan across their network for infected/misconfigured devices, which
   can take a long time.
 * Also, Cloudflare endorses Firefox by the statement "Another way to
   prevent getting this page in the future is to use Privacy Pass
   browser extension".
   This can force users of Chrome and other browsers to switch to
   Firefox only to get past the challenge.
 * Displaying visitor's IP address in the challenge page is
   disrespectful to their privacy and can cause data leakage.



Re: Using Cloudflare as CDN for debian.org website

2019-06-15 Thread Wouter Verhelst
On Sat, Jun 15, 2019 at 07:14:58PM +0700, Bagas Sanjaya wrote:
> Dear debian.org webmasters,
> 
> CDN (Content Delivery Network) is a service that distributes a website's content
> to different servers across the world. This way, when a visitor in Singapore
> (for example) visits a website which is hosted in Europe, the website assets will
> be served from a CDN server in Singapore or nearby instead.

The Debian.org website is already mirrored to several machines, which in fact
implements a CDN avant la lettre.

[...]
> One interesting feature of Cloudflare is the reCAPTCHA challenge every time
> a visitor accesses a website which has this feature enabled.

Please let's not go there...

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard



Re: Request: Using Rubik Webfont from Google Fonts Directory in debian.org

2019-06-15 Thread Carsten Schoenert
On 15.06.19 at 12:39, Bagas Sanjaya wrote:
> So the best solution for this request is to install Rubik font to 
> debian.org server (preferably via package), and update CSS code to use 
> the font, with fallback to Helvetica, Arial, and system-default font 
> respectively, as I stated multiple times earlier.

This will not work (safely) as you can't ensure the users have installed
that Rubik font.

-- 
Regards
Carsten Schoenert



Using Cloudflare as CDN for debian.org website

2019-06-15 Thread Bagas Sanjaya

Dear debian.org webmasters,

CDN (Content Delivery Network) is a service that distributes a website's 
content to different servers across the world. This way, when a 
visitor in Singapore (for example) visits a website which is hosted in 
Europe, the website assets will be served from a CDN server in Singapore 
or nearby instead.


The benefits of using CDN are (quoting from wpbeginner.com):

 * speed
 * crash resistance
 * UX (user experience) and SEO improvements

Cloudflare is one of the leading CDN providers in the world. Besides providing 
CDN service, it has DDOS protection which can be handy regarding security.


Does the debian.org website currently use a CDN? In either case, is Cloudflare 
CDN suitable for the debian.org website?


One interesting feature of Cloudflare is the reCAPTCHA challenge every 
time a visitor accesses a website which has this feature enabled. Before a 
visitor can reach the website, there will be a reCAPTCHA challenge which 
the visitor must answer in order to get access to the website's web property. 
Usually, the visitor must click the "I'm not a robot" checkbox and must select 
squares which contain a particular object (in most cases related to road 
infrastructure in the USA). In order to prevent the challenge, Cloudflare says 
in the challenge page:


If you are on a personal connection, like at home, you can run an 
anti-virus scan on your device to make sure it is not infected with 
malware.


If you are at an office or shared network, you can ask the network 
administrator to run a scan across the network looking for 
misconfigured or infected devices.


Another way to prevent getting this page in the future is to use 
Privacy Pass browser extension 



However, in the challenge page the visitor's IP address is also 
displayed. Is it OK for debian.org website to use reCAPTCHA challenge 
feature (which is available in Pro plan and higher) when using 
Cloudflare as CDN?


Regards, Bagas



Re: Request: Using Rubik Webfont from Google Fonts Directory in debian.org

2019-06-15 Thread Bagas Sanjaya



On 15/06/19 13.55, Yao Wei wrote:
> Hi,
>
>> Paul, the code snippet above is under assumption that Rubik font is
>> installed on debian.org server (via yet to be created package).
>
> There are several reasons we don't want to use external fonts:
>
> * We want to make our websites use resources from Debian
>   infrastructure.
>
> By using webfonts from external sources, we make it possible for other
> companies to sniff our visitor statistics.  Some people here do want to
> migrate away from Google as well.
>
> * Not all people have unlimited network access.
>
> For example, my mobile internet access does have a data cap at 1.7 GiB,
> and I intended to have the data cap because I want to warn myself about
> phone addiction.  Some people using satellite internet access could
> suffer from extra payments just by a webpage embedding webfonts.
>
> The web nowadays contains mostly meaningless data, especially tracking
> code, unwantingly large images, unnecessary javascript and webfonts,
> etc.  And I hope we can withstand against the trend.
>
> Yao Wei

So the best solution for this request is to install Rubik font to 
debian.org server (preferably via package), and update CSS code to use 
the font, with fallback to Helvetica, Arial, and system-default font 
respectively, as I stated multiple times earlier.




Re: Request: Using Rubik Webfont from Google Fonts Directory in debian.org

2019-06-15 Thread Carsten Schoenert
Hi,

On 15.06.19 at 08:55, Yao Wei wrote:
> Hi,
> 
>> Paul, the code snippet above is under assumption that Rubik font is
>> installed on debian.org server (via yet to be created package).

For the given snippet it is still required that the font is
available on the user side.

> There are several reasons we don't want to use external fonts:
> 
> * We want to make our websites use resources from Debian
>   infrastructure.
> 
> By using webfonts from external sources, we make it possible for other
> companies to sniff our visitor statistics.  Some people here do want to
> migrate away from Google as well.

Yes, this is exactly what Paul has mentioned as fingerprinting method.
That is of course something that Debian does not want nor will support.

Webfonts themselves are not a bad thing, but as always use such things
correctly to improve things.

> * Not all people have unlimited network access.
> 
> For example, my mobile internet access does have a data cap at 1.7 GiB,
> and I intended to have the data cap because I want to warn myself about
> phone addiction.  Some people using satellite internet access could
> suffer from extra payments just by a webpage embedding webfonts.
> 
> The web nowadays contains mostly meaningless data, especially tracking
> code, unwantingly large images, unnecessary javascript and webfonts,
> etc.  And I hope we can withstand against the trend.

This isn't a real problem in the case for the Debian website(s) as we
completely control how they are designed and intended to work.

It's a known fact that the websites we are presenting are a bit 'boring'
because they are really mostly text only based. But the main issue in my
eyes is simply that the Debian websites are still lacking a responsive
design. And to work on a better CSS styling would bring more than to work
on an own self made webfont, it's simply a thing of priorities.

But if there are people and contributors that will come up with a usable
concept and a real will to work on this also in the future I see no
special reason to not include such improvements to the Debian websites.

Unfortunately right now no one of the webteam members really has a
deeper knowledge about building good CSS stylesheets nor has the time to
work primarily on the HTML specific parts and useful changes. We would
really appreciate it if people would like to take this challenge and would
step in. The Debian website on www.d.o is some kind of beast, there are over
50.000 sites in there in various languages. And there will be about 100
new sites added a month.

> $ find -type f -name "*.wml" | wc -l
> 55854

One day we will need to look at webfonts as they can make some things
really easier.
But as Debian is building everything from source we also need to build
a toolchain for creating such an own webfont while building the whole
website. The content of the webfont is just a question of selecting
things, but it needs to get sorted out what is needed to build one or
more webfonts on our own. If someone wants to add the Rubik font by
using an own webfont feel free to do it. The technical side is probably
not that difficult, the legal thing is mostly a bit trickier as pabs
also mentioned.

-- 
Regards
Carsten Schoenert
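
The concern in this thread (a page that loads fonts or other assets from a third-party host exposes every visitor to that host) can be checked mechanically as part of the QA mentioned above. The following is an added example, not code from any message in the thread or from the Debian website tooling; the first-party host list and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts treated as first-party for this check.
FIRST_PARTY = {"debian.org", "www.debian.org"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)

def is_external(url, first_party=FIRST_PARTY):
    # hostname is None for relative paths and data: URLs; "//host/x" yields host.
    host = urlsplit(url.strip()).hostname
    return host is not None and host.lower() not in first_party

def css_urls(css):
    return [(m.group(1) or m.group(2)).strip() for m in CSS_URL.finditer(css)]

class FetchRefs(HTMLParser):
    """Collect URLs a browser fetches on page load, without user action."""
    def __init__(self):
        super().__init__()
        self.urls, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):      # conservative: every <link>
            self.urls.append(a["href"])
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        if a.get("style"):                       # inline style attribute
            self.urls += css_urls(a["style"])
        self.in_style = tag == "style"
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:                        # body of a <style> element
            self.urls += css_urls(data)

def external_fetches(html, first_party=FIRST_PARTY):
    parser = FetchRefs()
    parser.feed(html)
    parser.close()
    return sorted({u for u in parser.urls if is_external(u, first_party)})

# Constructed sample page: one self-hosted font, two third-party references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Rubik">
<style>
@font-face { font-family: Rubik; src: url("/fonts/Rubik-Regular.woff2"); }
@font-face { font-family: Rubik; src: url(//fonts.gstatic.com/s/rubik/example.woff2); }
</style></head>
<body><a href="https://salsa.debian.org/webmaster-team/webwml">source</a></body></html>"""
```

Ordinary `<a href>` links are not reported, since the browser only contacts those hosts when the visitor clicks; the self-hosted `/fonts/...` path passes because it has no host component.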