Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove Google surveillance #847

Open
aral opened this issue Dec 11, 2018 · 31 comments · May be fixed by #848
Open

Remove Google surveillance #847

aral opened this issue Dec 11, 2018 · 31 comments · May be fixed by #848
Labels

Comments

@aral
Copy link

@aral aral commented Dec 11, 2018

By default, mdbook includes tracking code from Google. See: https://github.com/rust-lang-nursery/mdBook/search?utf8=%E2%9C%93&q=google&type=

Can we please remove this so that books generated by mdbook do not expose the people who read them to surveillance by Google/Alphabet, Inc.

The toot that brought it to my attention: https://mastodon.host/@BartG95/101222458295737848 (after I hosted a render of The DAT Protocol book on my own site. (Thereby unknowingly exposing people to tracking from my personal site.)

Related issue on The DAT Protocol book’s issue tracker: datprotocol/book#20

@seanlynch

This comment has been minimized.

Copy link

@seanlynch seanlynch commented Dec 11, 2018

This seems like it could potentially cause people to violate GDPR, possibly even the authors themselves.

@BartG95

This comment has been minimized.

Copy link

@BartG95 BartG95 commented Dec 11, 2018

It seems to be caused by the inclusion of some fonts from G👀gle (fonts.googleapis.com, fonts.gstatic.com)

@joepie91

This comment has been minimized.

Copy link

@joepie91 joepie91 commented Dec 11, 2018

The analytics tag exists directly in the templates, not as a result of Google Fonts usage.

@BartG95

This comment has been minimized.

Copy link

@BartG95 BartG95 commented Dec 11, 2018

Well, this is what I mean:
2018-12-11_13-44-35

@BartG95

This comment has been minimized.

@BartG95

This comment has been minimized.

Copy link

@BartG95 BartG95 commented Dec 11, 2018

Everything seems to render fine without this loaded. I suggest to either:

  • Remove these lines; or
  • Include the fonts directly in the repository.
@aral

This comment has been minimized.

Copy link
Author

@aral aral commented Dec 11, 2018

Related existing pull request that should resolve this issue if merged: #716

Please advise whether it would be preferable to serve Open Sans and Source Code Pro as first-party instead of via Google or whether the above pull request is the way to go.

@aral aral linked a pull request that will close this issue Dec 11, 2018
@TerminusBot

This comment has been minimized.

Copy link

@TerminusBot TerminusBot commented Jan 17, 2019

Google fonts is not available in China.
mkdocs/mkdocs#1138

Please don't use google fonts default.

@kpp kpp mentioned this issue Mar 20, 2019
@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 27, 2019

Hey guys, this is a serious problem. I'd apprecaite it if the maintainers took a moment to address it, rather than letting this issue continue to grow stale.

@Dylan-DPC

This comment has been minimized.

Copy link
Member

@Dylan-DPC Dylan-DPC commented Apr 27, 2019

@ddevault sure will try and prioritise this and resolve it ASAP. Thanks

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 27, 2019

Thanks @Dylan-DPC, I appreciate it.

@ehuss

This comment has been minimized.

Copy link
Collaborator

@ehuss ehuss commented Apr 28, 2019

@Dylan-DPC I spent some time looking at #848 and it seems surprisingly complex. I'm also not sure how important non-latin fonts are, that PR does not include them. I think there would also be some licensing requirements for redistributing the fonts. I would also think there should be some consideration for theming. As-is, it unconditionally copies the fonts into the output, even if you don't use them.

Also of interest, rustdoc just updated its fonts in rust-lang/rust#60146. Would be curious to hear your opinion about which direction you would prefer to go. Just grabbing Open Sans locally seems like it would be the least disruptive. But I think there should be better control for changing which fonts are used. I'm willing to help, the delays caused by loading remote fonts while working locally can be a little frustrating.

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 28, 2019

I think there would also be some licensing requirements for redistributing the fonts.

Google fonts use the Open Font License, which is a free (as in freedom) license that permits redistribution.

I'd suggest just using the system fonts and living with it if the user doesn't have them. It's not the end of the world.

@ehuss

This comment has been minimized.

Copy link
Collaborator

@ehuss ehuss commented Apr 28, 2019

Google fonts use the Open Font License, which is a free (as in freedom) license that permits redistribution.

I'm pretty sure Open Sans is Apache 2.0. I just meant the license needs to be included with the fonts.

@Dylan-DPC

This comment has been minimized.

Copy link
Member

@Dylan-DPC Dylan-DPC commented Apr 29, 2019

@aral or @ddevault are you open to sending a PR that makes this change? Thanks

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 29, 2019

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 30, 2019

Started looking at this, but it seems like #848 is on point. The only change would be adding the license. Right?

@ehuss

This comment has been minimized.

Copy link
Collaborator

@ehuss ehuss commented Apr 30, 2019

I see two other minor issues with the PR:

  • It doesn't support non-latin scripts. All other scripts will fall back to the system sans-serif.
  • It forces all books to include a copy of open-sans, even if they use a theme that modifies the font.

I'm not sure if either of those issues matters much.

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Apr 30, 2019

@aral thoughts?

@ehuss ehuss added the A-CDN label May 17, 2019
@krisradio

This comment has been minimized.

Copy link

@krisradio krisradio commented Jun 1, 2019

With this issue having survived from #20 to #847 to now, why hasn't this serious security flaw been fixed?

I just removed the google font dependence from my book.js. There's no font issue on mobile or desktop. Any web browser has fall-back fonts suitable for their users these days.

@evitalis

This comment has been minimized.

Copy link

@evitalis evitalis commented Jun 11, 2019

I am also curious as to this rationale or any maintainer feedback. Seems to be important to many people.

@ehuss

This comment has been minimized.

Copy link
Collaborator

@ehuss ehuss commented Jun 12, 2019

@evitalis Someone just needs to do the work. I would like to see a solution that is relatively easy to maintain, retains the default use of Open Sans and Source Code Pro, properly deals with licensing, doesn't force the inclusion of a lot of heavy-weight font files for books that have custom themes, maintains broad browser compatibility, and generally avoids too much disruption. I'd be willing to drop support of extended unicode blocks if it is easy to specify ones own fonts. This also bumps against some of the problems with the current theme system which makes it difficult to customize or make incremental changes. This will all take some design work. Can you help with that?

@evitalis

This comment has been minimized.

Copy link

@evitalis evitalis commented Jul 2, 2019

@ehuss see #848 someone seems to have done this work already but is pending a merge or more feedback/additional help.

@ehuss

This comment has been minimized.

Copy link
Collaborator

@ehuss ehuss commented Jul 5, 2019

@evitalis the feedback is listed above. The PR author is the same as this issue.

@evitalis

This comment has been minimized.

Copy link

@evitalis evitalis commented Jul 22, 2019

Noticed this was linked over in the mkdocs repo for a similar issue. Perhaps both projects could resolve the problems in a similar way or help brainstorm a reasonable solution?

@t1anchen

This comment has been minimized.

Copy link

@t1anchen t1anchen commented Aug 8, 2019

Is it viable to consider removing Google Font online dependencies first? Every time when the book is generated by mdbook build, opening page will cause the browser to raise an attamption to connect to Google services, which might be extremely painful (it has to wait until the connection timeout) under the restricted network circumstances. Can we make content visible first and then consider decorations/styles?

Anyway, if the online dependencies are removed, it might come up the consequent possibilities such as packing into epub or other portable ways to pack HTMLs ...

IMHO Open Sans and Source Code Pro can never cover all cases (i.e. non-latin characters, symbols). It would be better to handle the compatibilities to HTML reader (i.e. browsers, ebook readers or etc.)

@evitalis

This comment has been minimized.

Copy link

@evitalis evitalis commented Sep 11, 2019

Been looking to revisit this application but this is still a blocker for me. Just curious, what is everyone else in the thread doing to avoid the Google fonts pending an official fix?

@ddevault

This comment has been minimized.

Copy link

@ddevault ddevault commented Sep 11, 2019

I've been porting my book to a custom software which is not maintained by people who care more about aesthetics than the confidentiality of their reader's personal information.

@krisradio

This comment has been minimized.

Copy link

@krisradio krisradio commented Sep 12, 2019

I just deleted the google font imports from my index.hbs file.

Every browser ships with default fonts. No need to go to google. Or to rag on mdbook's team for their valid motivations (that I disagree with) to keep the google reference in.

@blastur

This comment has been minimized.

Copy link

@blastur blastur commented Oct 18, 2019

+1 for getting this fixed; Google surveillance is one thing, but for me the book is completely broken because I'm in a special network environment where domains resolve but all network access is permitted. So the book just won't load as long as these Google references are in the file.

I did what krisradio did, edited index.hbs and recompiled mdBook, but this is not a good solution longterm.

@rendeko

This comment has been minimized.

Copy link

@rendeko rendeko commented Dec 14, 2019

Is there something I can add to my additional-js in the meantime until this is added as an option? Without an option to not call Google API's, I'd prefer to use other software.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
You can’t perform that action at this time.