• mkdocs and tracking

    From Salvo Tomaselli@21:1/5 to All on Sun Jul 14 00:19:43 2024
    Sorry for the OT, but should we consider patching mkdocs themes to stop linking to external websites (mostly cloudflare) for static assets?

    This has been used to create security vulnerabilities recently (see for the polyfill situation).

    I use mkdocs and I have code to automatically download with wget and then use sed to replace those. But I think it would be saner if it was the norm instead. Also because adblockers complain about their presence.

    On Saturday 13 July 2024 18:40:14 CEST, Otto Kekäläinen wrote:
    > Hi Brian, Nick and Carsten!
    >
    > Are you OK that I upload a new python-mkdocs version together with Ahmed (CCd)?
    >
    > Asking to avoid duplicate work with you who are marked as maintainer/uploader/recent committer.
    >
    > We will do the work at https://salsa.debian.org/python-team/packages/python-mkdocs following
    > Python team conventions.
    >
    > - Otto


    --
    Salvo Tomaselli

    "I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
    -- Galileo Galilei

    https://ltworf.codeberg.page/
  • From weepingclown@21:1/5 to weepingclown on Sun Jul 14 04:40:01 2024
    err, privacy breach*

    On 14 July 2024 2:29:46 am UTC, weepingclown <weepingclown@disroot.org> wrote:
    > That'd be a nice thing to do. I believe there will already be privacy-beach-generic complaints by lintian. The worst part is that they end up appearing in all rdeps IIRC.
    >
    > Best,
    > Ananthu
    >
    > On 13 July 2024 10:19:43 pm UTC, Salvo Tomaselli <tiposchi@tiscali.it> wrote:
    >> Sorry for the OT, but should we consider patching mkdocs themes to stop linking to external websites (mostly cloudflare) for static assets?
    >>
    >> This has been used to create security vulnerabilities recently (see for the polyfill situation).


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From weepingclown@21:1/5 to Salvo Tomaselli on Sun Jul 14 04:40:01 2024
    That'd be a nice thing to do. I believe there will already be privacy-beach-generic complaints by lintian. The worst part is that they end up appearing in all rdeps IIRC.

    Best,
    Ananthu

    On 13 July 2024 10:19:43 pm UTC, Salvo Tomaselli <tiposchi@tiscali.it> wrote:
    > Sorry for the OT, but should we consider patching mkdocs themes to stop linking to external websites (mostly cloudflare) for static assets?
    >
    > This has been used to create security vulnerabilities recently (see for the polyfill situation).


  • From Andrey Rakhmatullin@21:1/5 to Salvo Tomaselli on Sun Jul 14 11:40:02 2024
    On Sun, Jul 14, 2024 at 12:19:43AM +0200, Salvo Tomaselli wrote:
    > Sorry for the OT, but should we consider patching mkdocs themes to stop linking to external websites (mostly cloudflare) for static assets?
    >
    > This has been used to create security vulnerabilities recently (see for the polyfill situation).

    Do mkdocs themes also download code to execute or just images?
    If the former then yes it should be patched out.

    --
    WBR, wRAR

  • From Dmitry Shachnev@21:1/5 to Salvo Tomaselli on Sun Jul 14 12:50:01 2024
    Hi Salvo!

    On Sun, Jul 14, 2024 at 12:19:43AM +0200, Salvo Tomaselli wrote:
    > Sorry for the OT, but should we consider patching mkdocs themes to stop linking to external websites (mostly cloudflare) for static assets?

    dh_mkdocs supports replacing highlight.js from cloudflare with the packaged version [1]. Perhaps you can make it replace more libraries the same way.

    [1]: https://salsa.debian.org/python-team/packages/python-mkdocs/-/blob/debian/master/debian/scripts/dh_mkdocs?ref_type=heads#L148-L149

    --
    Dmitry Shachnev

  • From Salvo Tomaselli@21:1/5 to All on Sun Jul 14 13:06:34 2024
    Copy: wrar@debian.org (Andrey Rakhmatullin)

    > Do mkdocs themes also download code to execute or just images?
    > If the former then yes it should be patched out.

    css and js it seems.

    $ cat *html | grep cloudflare
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github.min.css" />
    <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script>

    I'm using the "readthedocs" theme, which is part of the mkdocs package.


    --
    Salvo Tomaselli

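    Both approaches mentioned in this thread (Salvo's wget-plus-sed post-processing and the dh_mkdocs highlight.js substitution) come down to the same two steps: find the cross-origin script and stylesheet references in the built HTML, then point them at vendored copies. The following is an added example, not code from the thread or from the mkdocs package; it uses only the Python standard library, and the sample page is constructed from the two cdnjs lines in the grep output above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the two cdnjs references the grep above found in the
# readthedocs theme output, plus two site-local assets that must be left alone.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/theme.css" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github.min.css" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script>
<script src="js/theme.js"></script>
</head><body></body></html>"""


class _AssetCollector(HTMLParser):
    """Records the URL of every <script src=...> and <link href=...> seen."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])


def is_cross_origin(url):
    """True for absolute http(s) and protocol-relative URLs: anything that makes
    the reader's browser fetch code or style from a third-party host."""
    parts = urlsplit(url)
    return bool(parts.netloc) and parts.scheme in ("", "http", "https")


def find_external_assets(html):
    """Return, in document order, the third-party script/stylesheet URLs a page loads."""
    collector = _AssetCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_cross_origin(u)]


def rewrite_to_local(html, replacements):
    """Point the src=/href= attributes listed in `replacements` at a local path.
    The caller is responsible for actually vendoring the file at that path."""
    for remote, local in replacements.items():
        pattern = r'((?:src|href)=["\'])' + re.escape(remote) + r'(["\'])'
        html = re.sub(pattern, lambda m, p=local: m.group(1) + p + m.group(2), html)
    return html
```

    Running `find_external_assets` over every page of the `site/` output before publishing gives the same class of finding lintian reports as privacy-breach-generic, but for the rendered site rather than a -doc package.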
  • From Salvo Tomaselli@21:1/5 to Dmitry Shachnev on Sun Jul 14 14:07:59 2024
    > dh_mkdocs supports replacing highlight.js from cloudflare with the packaged version [1]. Perhaps you can make it replace more libraries the same way.

    I was aware of it but it doesn't really help me if I'm generating html and publishing it using mkdocs.

    That's only for generating -doc packages.

    --
    Salvo Tomaselli

  • From Andrey Rakhmatullin@21:1/5 to Salvo Tomaselli on Sun Jul 14 14:30:01 2024
    On Sun, Jul 14, 2024 at 02:07:59PM +0200, Salvo Tomaselli wrote:
    >> dh_mkdocs supports replacing highlight.js from cloudflare with the packaged version [1]. Perhaps you can make it replace more libraries the same way.
    >
    > I was aware of it but it doesn't really help me if I'm generating html and publishing it using mkdocs.

    That's something for the upstream to change.


    --
    WBR, wRAR

  • From Salvo Tomaselli@21:1/5 to All on Sun Jul 14 14:44:24 2024
    Copy: wrar@debian.org (Andrey Rakhmatullin)

    > That's something for the upstream to change.

    I think it'd be completely fair to patch it.

    They have been aware of the issue for years, but it's still open: https://github.com/mkdocs/mkdocs/issues/2171

    --
    Salvo Tomaselli

  • From Otto Kekäläinen@21:1/5 to All on Sat Jul 20 18:50:02 2024
    Hi Salvo!

    Can you please file this request as a Debian bug?

    I am planning to update the package with Ahmed, and we can look into
    patching the external asset loading, and I can teach Ahmed how to close
    bugs via changelog, etc.

    Thanks!
