Remove google fonts from themes #1161
Comments
Per the DocumentationThis is going to sound rather blunt, but stick with me here for a second. Frankly speaking I don't give a crap about GDPR in relation to the Skeleton documentation site. The reasons for this is as follows:
Unless someone well versed (and preferably a Lawyer) can step in provide reference to Skeleton Labs being in a position of vulnerability, then I really am not concerned with this. That said, I will bring it up to my business partner to see what our lawyers recommend for Skeleton Labs. If anything of note is discovered, we'll move on it asap. Per our End UsersAll that said, I certainly don't want our users to be negatively impacted by GDPR. So this an angle that is much more applicable to the project. Aside from a GDPR focus, I have been keen to decouple fonts from themes for performance reasons for a while. If a user decides not to opt into using the included fonts, the fonts are still being fetched remotely, which has a performance impact. We've already signaled our interest in moving to locally embedded fonts, which comes with a number of improvements: This would not only more GDPR friendly, but also provide optimal performance for end users. So I'll plan to reference this ticket in that thread. |
endigo9740
added
enhancement
|
Skeleton Docs There's obviously arguments that could be made of whether anything would realistically ever happen for this particular issue, but that's up to you/your partners/lawyers to decide on. End Users |
|
Yeah the core team and I were discussing this internally a bit. Essentially the plan will be to decouple the fonts and recommend users embed them locally, rather than a external reference. This should bring them into compliance. We're going to make this a priority, so expect movement on this before the next release in a couple weeks. |
|
Noting this for later: |
This is a misunderstanding of intellectual property law. The copyright in a particular fragment of code is owned by whoever wrote it, or their employer. The fact that that a fragment of code is licensed under an MIT license doesn't mean that nobody owns it anymore; it just means that the owner has agreed to let others do certain things with that code so long as they abide by the terms of the license. If you actually wanted to abandon ownership, you'd have to deed the code to the public domain. Very few software developers do that because it would leave them vulnerable to being sued by a user of the code. (The last section of the MIT license, the part in ALL CAPS, it the part that guards against this. All open source licenses have something similar.) |
|
@ttmc Thanks for the clarification. We did actually discuss this internally between the core team and this was brought to my attention. Hey I'm not a lawyer and I will never pretend to be one, so seriously thanks for expanding. Just so it's stated clearly here, we WILL be addressing the original issue at hand, which is making themes GDPR friend. This will be accomplished by the following:
I believe by doing this things should then be compliant. There's also some major performance benefits to doing this, so honestly there's very little reason not to make this to default recommendation. Though it does require a couple extra loops to jump through on setup. |
|
Preview URL for the new Theme doc: |
|
These updates are now ready to test, please provide feedback either here or in the PR thread. |
|
quick so to this: https://fonts.coollabs.io/ |
|
Very interesting @daanschenkel - I've never heard of this! I'm going to make a new ticket to review this in the near future. If it looks like a good fit we'll consider it for Skeleton. Thanks! |
Current Behavior
I'm not an expert on this, so this is my knowledge from some basic googling, but it looks like directly using google fonts is a breach in GDPR, meaning anyone who uses the pre-built themes and even the official Skeleton docs themselves are potentially at risk.
https://meetanshi.com/blog/google-fonts-gdpr-compliant/
https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/
There's two separate issues here:
The official skeleton docs
The workaround is pretty simple here because we can simply download the fonts and host them from the skeleton repo directly (assuming the fonts licenses permit that, afaik that's fine but worth double checking).
Users of Skeleton themes on their own sites
Those who use the skeleton themes, ideally you wouldn't want them to also be downloading the font files from skeletons hosting, that just puts additional cost/load on skeletonlabs + could bring in the original issue with google fonts, if skeleton decide to start tracking IPs etc (with appropriate GDPR consent) that's fine, but people building with Skeleton might not have acquired it for their website visitors so it could just repeat the original issue.
Solution
I think the best approach is to have two sets of themes, one set which is used by the docs which uses the fonts and references the font files hosted on the same infra as the rest of the skeleton docs (instead of google fonts).
The other set of theme files are what users of Skeleton import, these don't download custom fonts but there could be some commentary at the top of the theme file, or something added to the theme docs explaining how to use custom fonts?
I know you don't want Skeleton to be responsible for GDPR or legal issues, but I think the default setup looks like it could cause problems which we want to avoid where possible! If anyone is more knowledgeable on this subject knows I'm wrong here please chime in! I'd be very happy to be incorrect here.
Steps To Reproduce
N/A, this just didn't make sense as a feature request/docs update.
Anything else?
No response
The text was updated successfully, but these errors were encountered: