fix: Self-host all external website dependencies #1197
Thanks for the PR. While we do want to host these files on our website (which we do when we deploy the built site to https://github.com/apache/lucenenet-site, which backs our hosting), we ideally wouldn't be committing the binary files to this repository. Rather, we should have the build scripts download them prior to deploying. Ideally, we would set up some sort of package manager such as npm, bower, etc. to download the versioned packages such as font-awesome to make this process simpler. The build scripts are named Let us know if you need any assistance with any of this (for example if you are unfamiliar with package managers or PowerShell), and we will do our best to assist.

@NightOwl888 I initially assumed that binary files should be committed to the repository, as the issue description didn’t clearly specify otherwise. I’ll investigate the correct approach and work on implementing it. If I encounter any blockers or am unable to proceed, I’ll reach out for guidance.

I understand your frustration. Often when we scope issues, we don't have all of the requirements (or don't consider all of them) at the time the issue is created. #1185 focused on the Apache policy requirements, not on the technical or legal concerns of our setup. I reviewed this and it seems there is a precedent for how to deal with binary files without committing them to this repo. We host those directly on https://github.com/apache/lucenenet-site and then use absolute URLs to link to them (so they will always appear when building locally).
So, the simplest solution is to open a PR on that repository so we can move the files there. Once the files are there, they will be available at the https://lucenenet.apache.org/ URL (in the same directory structure as the repo). This means you will get credit for 2 separate PRs just for fixing this one issue.
Legal Concerns
AFAIK, we don't have legal permission to host the book images on our website. So, for now, let's leave this out of this fix and continue linking to the broken images until we get that worked out. Unfortunately, there are sometimes conflicting requirements like these that require more time to get through than what should be a "simple" fix, but there is no reason to penalize you for that. If you wish to help us navigate this, then please do by all means. However, it doesn't seem fair to add this as a requirement for this task after you have already submitted a PR. So, when this PR is completed, either we should keep #1185 open to deal with the book images separately, or we should tag this PR with
Conclusion
So, to finish up this task:
Please keep any .js and .css files in this repository, as it will make deployment simpler if we do it manually.

@NightOwl888 Is the https://github.com/apache/lucenenet-site repository intentionally unlicensed?
Good point. You are right, it should have a If you are so inclined, you may submit a PR. Use the license file from here: https://github.com/apache/lucenenet-codeanalysis-dev/blob/main/LICENSE.txt, but change the beginning of the date range to 2020.
@NightOwl888 Here is the link: apache/lucenenet-site#57
* fix: Self-host all external website dependencies
* fix: Resolve CSP violations by self-hosting fonts
* fix: Revert images and update fonts to refer lucenenet-site
Fix CSP violations by self-hosting external resources
See #1185 (this only does the fonts, we still have the book images to do, but require permission to host them).
Description
External stylesheets and images from domains like cdnjs.cloudflare.com, fonts.googleapis.com, and images-na.ssl-images-amazon.com were blocked due to restrictive Content Security Policy (CSP). All dependencies are now self-hosted to comply with the site's CSP configuration.
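An added example (not part of this PR or the project's build scripts): a build-time check that scans generated HTML for subresources a restrictive CSP would block, such as the cdnjs, Google Fonts and Amazon image URLs named above. The allowed-origin set, the sample page and every path in it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the policy permits same-origin loads plus the project's own site.
ALLOWED_ORIGINS = {"https://lucenenet.apache.org"}
FETCH_ATTRS = {"script": "src", "img": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file

def is_allowed(url):
    # Relative URLs resolve to the page's own origin, which the policy allows.
    parts = urlparse(url.strip())
    if not parts.scheme and not parts.netloc:
        return True
    # Protocol-relative URLs (//host/path) inherit the page scheme, assumed https.
    origin = f"{parts.scheme or 'https'}://{parts.netloc.lower()}"
    return origin in ALLOWED_ORIGINS

class ExternalResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.violations = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not url:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel="canonical" names a URL but fetches nothing
        if not is_allowed(url):
            self.violations.append((self.getpos()[0], tag, url))

def find_violations(html):
    finder = ExternalResourceFinder()
    finder.feed(html)
    return finder.violations

# Constructed sample page; paths and the x.y.z version are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://example.org/docs/">
<link rel="stylesheet" href="/styles/main.css">
<link rel="stylesheet" href="https://lucenenet.apache.org/fonts/site-fonts.css">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/font-awesome/x.y.z/fa.min.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Example">
</head><body><img src="https://images-na.ssl-images-amazon.com/images/example.jpg">
<script src="js/site.js"></script></body></html>"""
for line, tag, url in find_violations(SAMPLE_HTML):
    print(f"line {line}: <{tag}> loads {url}")
```

This only inspects HTML attributes; fonts pulled in through `url()` or `@import` inside a stylesheet need a separate pass over the CSS files.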