<ocdtr_web>
WOFFs can contain either TTFs or OTFs.
<ocdtr_web>
When I made the PR for sandstorm.io, I used TTF WOFFs. I just realized Sandstorm itself distributes with OTF WOFFs.
<ocdtr_web>
For Source Sans Pro, the TTF WOFFs (115 KB or so each) are slightly smaller than OTF WOFFs (125 KB or so each), which is why I went with them there.
<ocdtr_web>
I have been trying to discern whether or not there's any significant difference between the two, as many sites suggest there is not for most cases.
<ocdtr_web>
Also, Sandstorm should add WOFF2s, because they're better for browsers that have them. But I am wondering if there isn't a good reason to switch it to TTF-based WOFFs.
<ocdtr_web>
One of the few mentionned features that you can do with OTF is small caps, which of course, is only useful if the website/app intends to use them. I don't think Sandstorm (or it's website) does anything fancy with fonts, making this mostly irrelevant.
ocdtr_web has quit [Quit: Page closed]
<TimMc>
I confess I've still never used custom fonts on the web.
harish has joined #sandstorm
harish has quit [Ping timeout: 248 seconds]
ogres has quit [Quit: Connection closed for inactivity]
harish has joined #sandstorm
<ocdtrekkie_>
TimMc: I would prefer websites generally not use custom fonts, but most that had a designer touch them tend to. :P
ocdtrekkie_ is now known as ocdtrekkie
<ocdtrekkie>
Also, one thing I feel would be helpful, is browsers should install more fonts. Like common ones you're obviously going to see online.
<ocdtrekkie>
Every browser should install Google's fonts into your system when you install the browser. Because you're going to see those fonts, so why make you cache them later?
<ocdtrekkie>
Like Google Fonts CSS even will prefer a locally installed system font of the same name over downloading it. So the most common fonts should really just come with browsers... probably?
<ocdtrekkie>
But yeah, so Sandstorm has OTF-WOFFs, which, for example, "Regular" is 120 KB. The TTF-WOFF is 117 KB. But the real benefit comes in for WOFF2, where an OTF-WOFF2 is 101 KB, and a TTF-WOFF2 is only 85 KB.
<ocdtrekkie>
So by switching to TTF, and supporting WOFF2, it can drop the font payload down like 30%ish if you're on a browser that can do WOFF2s.
<ocdtrekkie>
And Sandstorm serves six different flavors of the Source Sans font, so that savings, times six.
<TimMc>
heh
<ocdtrekkie>
Oh look, docs.sandstorm.io uses three completely other fonts. >.<
<ocdtrekkie>
The real lesson here is I totally get why people just point their fonts at a Google server.
<kentonv>
so it looks like Google's CSS has a 1-day cache TTL and the fonts themselves have a 1-year TTL. The site they're served from does not serve any cookies AFAICT.
<kentonv>
this all says to me that Google can't be getting any useful tracking out of font serving
<kentonv>
OTOH it's likely that ~everyone already has the fonts cached which is nice for page load performance
<ocdtrekkie>
kentonv: I would say the top benefit to not having third party resources loading for your fonts is that you are drastically less likely to get a GDPR troll asking about it.
<ocdtrekkie>
Google Fonts does say it needs to be disclosed as a "data controller" if you use it in their opinion.
<kentonv>
huh
<ocdtrekkie>
That was in the GitHub issue I linked at the top.
<TimMc>
Well, they do see IP addresses, so they're probably playing it safe.
<ocdtrekkie>
In this case, mind you, I'm talking about Sandstorm itself, which has always packed in it's own fonts.
<ocdtrekkie>
https://github.com/google/fonts/issues/1495 <- "Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs"
<TimMc>
wait, controller?
<TimMc>
why not processor
<kentonv>
FWIW I don't think Sandstorm is subject to GDPR, on the basis that we do not explicitly market to the EU or any of its members. The GDPR apparently has a lot of (admittedly ambiguous) text about this.
<TimMc>
If you use subresource integrity and crossorigin=anonymous, Google Fonts should be even more defanged. :-)
<TimMc>
kentonv: Also it's not a multinational company with a physical presence in the EU, which certainly helps. :-)
<ocdtrekkie>
TimMc: There's a lot of questions people have about Google's desire to be a data controller for the purposes of GDPR, I don't know. But their official statement there is that Google Fonts is a data controller.
<digitalcircuit>
kentonv: Do you accept payments in Euro? I don't know much on it, but I recall that being one of the potential matters.
<kentonv>
digitalcircuit, we do not, no
<digitalcircuit>
Noted!
<ocdtrekkie>
My general impression after reading a lot of things was that Sandstorm's terms and behavior would fall well within what the EU is happy with anyways.
<TimMc>
indeed
<ocdtrekkie>
Time will tell, but they are looking for people doing bad things, not people doing the best they can to protect user privacy.
<kentonv>
TimMc, well, GDPR claims to apply to any company selling goods to EU citizens regardless of whether the company has a presence in the EU. It says basically that if the company does any action that suggests it is catering to EU customers in any way, then GDPR applies...
<TimMc>
yeah
<ocdtrekkie>
People have suggested "if you have one EU customer", that you're affected.
<kentonv>
ocdtrekkie, yeah, obviously we've always complied with the spirit of GDPR. The letter is a trickier question.
<TimMc>
but also there's the question of whether you fall under EU jurisdiction in the first place
<ocdtrekkie>
GDPR I think is written primarily as a spirit law, because when they tried hard technical demands, people just came up with loopholes.
<TimMc>
Like, I don't actually keep up to date with Ecuadorian law, even if I might have a visitor to my blog from Ecuador. Maybe I'm in violation! But it sort of doesn't matter 'cause I don't have anything to do with Ecuador.
<kentonv>
TimMc, the EU apparently very much believes and asserts that they can apply the GDPR to anyone who interacts with EU citizens. Whether they can enforce that will be an interesting question.
<TimMc>
sure
<TimMc>
Similarly, people outside the US get DMCA notices all the time and roll their eyes.
<kentonv>
but I agree, it seems unlikely that the EU will actually be able to enforce as broadly as they'd like
<TimMc>
It was hilarious watching all these companies scramble to comply at the last minute who didn't actually *have* to, as far as I can tell -- but *I* wasn't going to tell them. I'd rather they comply, after all!
<kentonv>
I read about a Canadian who was sued in Antigua, rolled their eyes, took the default judgment, and then suddenly the plantiff went to count in Canada and demanded that the judgment be enforced in Canada -- and it was scary
<TimMc>
yikes
<ocdtrekkie>
kentonv: Do you have any particular attachment to OTF format fonts over TTF?
<ocdtrekkie>
TimMc: The hysteria effect has been in full swing, but yeah, I'm just hoping a bunch more sites give me the benefits of GDPR while they're at it.
<ocdtrekkie>
Data portability is the big one that is very likely to be applied globally when someone puts in the effort to do it, for example.
<kentonv>
ocdtrekkie, the only reason I'd care is browser compatibility. If it's just as compatible then I don't care. (And I mostly only care about up-to-date browsers.)
<TimMc>
How up to date?
<TimMc>
People seem to use that phrase very diffierently these days.
<ocdtrekkie>
AFAICT everyone works with TTFs (1980s era) and OTFs (1990s era) pretty equally.
<ocdtrekkie>
Something about multi-decade old formats makes support pretty wide.
<kentonv>
whatever Google requires for gdocs is good enough for me.
<ocdtrekkie>
Some features of Google Docs only work on Google Chrome. :P
<kentonv>
well that's not what I mean, obviously. :P
<ocdtrekkie>
I did check though, and they say the two most recent versions of each of Chrome, Firefox, Safari, and then IE11 and Edge.
<ocdtrekkie>
Which mind you, means they're saying they only officially support browsers for like three months in the world of evergreen browsers.
<TimMc>
:-(
<TimMc>
IE11 is what, 5 years old now?
<ocdtrekkie>
IE11 gets updated every month though.
<kentonv>
it'll be great when IE finally dies
<TimMc>
oh?
<kentonv>
does it get updated with new features or just bugfixes?
<ocdtrekkie>
TimMc: Cumulative Windows updates update IE. And they've actually done a lot of fixes explicitly for IE in the last few months.
<TimMc>
I seriously hate all the sites that claim that Firefox ESR isn't supported.
<ocdtrekkie>
Lemme show you an example.
<ocdtrekkie>
Firefox ESR isn't supported by Google Docs. :P
<kentonv>
honest question: why would someone want to use Firefox ESR? I don't get it.
<TimMc>
"Oh no, we can't support a browser that old, it was *literally impossible* to do web development back when that browser was released!"
<TimMc>
kentonv: Speaking for myself: 1) not having my UI shuffled and extensions break every 6 weeks, and 2) getting security fixes but not new vulnerabilities except once a year is pretty great.
<kentonv>
ocdtrekkie, looks like bugfixes only, though... so doesn't help people who want to depend on latest web tech
<ocdtrekkie>
Actually, March and February weren't bad for IE users either. March had pinch to zoom tweaks.
<kentonv>
TimMc, extensions break regularly in Firefox? Disappointing that they don't prioritize compatibility...
<ocdtrekkie>
But yeah, IE11 is very much "don't break IE-dependent tools", so they don't change much feature-wise.
<ocdtrekkie>
kentonv: Firefox Quantum broke ALL the extensions.
<ocdtrekkie>
They essentially threw out their entire legacy extension system in favor of... basically Chrome's extension system.
<ocdtrekkie>
Which is one reason people stuck on ESR for a while, though ESR is now on Quantum as well.
<kentonv>
... well then, at least they're now using an API designed for backwards-compat
<ocdtrekkie>
Many people are upset. Even though Quantum makes Firefox not the slowest browser on the market anymore.
<ocdtrekkie>
I don't understand why people would choose a giant pile of extensions over a zippy browser. That's why Chrome took off in the first place: It was fast.
<TimMc>
kentonv: I don't think extensions break as much as they used to, but I'm still gunshy. And I think under Quantum it's very stable.
<ocdtrekkie>
The big thing for me right now is every version of Firefox is massively pushing privacy features.
<ocdtrekkie>
It'd suck to wait a full year for enhancements to tracking protection, IMHO.
<TimMc>
WebExtensions don't allow you to do the innovative new things that made Firefox so wonderful in the first place, you know.
<kentonv>
from my point of view, it's super-frustrating for web developers when they cannot use new web features for years after they've been introduced
<TimMc>
The fact that they can't hook into internals is great for forwards compatibility, but terrible for progress in user empowerment.
<ocdtrekkie>
TimMc: After experiencing the Chrome Web Store, I no longer trust extensions further than I can throw them anyways.
<kentonv>
or they use polyfills that mean everyone has to download a megabyte of redundant JavaScript on every pageview...
<ocdtrekkie>
If it's not a first party extension, I am probably not going to risk installing it.
<kentonv>
yeah I find extensions terrifying, even in the Chrome model where they are somewhat sandboxed
<TimMc>
And I did web development with Javascript over a decade ago, and it worked OK, so I don't see what everyone's complaining about. :-P
<ocdtrekkie>
The sandboxing doesn't do much when apps with "can view and modify all web content" permissions are allowed without any sort of scrutiny on their extension store.
<ocdtrekkie>
:P
<kentonv>
yeah I can't believe how many people will grant that permission to an extension just so that it can replace "cloud" with "butt"
<ocdtrekkie>
Chrome extensions are the primary malware I find when people report issues with their PCs.
<TimMc>
ocdtrekkie: Kind of like how you don't need sudo to delete all of a user's files...
<ocdtrekkie>
I love the existence of that extension, but yeah, will never actually use it.
ogres has joined #sandstorm
<ocdtrekkie>
Also, the comedy when someone using cloud-to-butt makes an official post somewhere.
<TimMc>
ocdtrekkie: I've seen it mess up Wikipedia edits. :-D
<ocdtrekkie>
Someone had a similar word-replacement one... that was a journalist.
<kentonv>
I mean I may even trust that the developer of the extension isn't malicious, but do I trust that they will never sell it to someone who offers them a buttload of money? Because that happens *all the time* with popular extensions...
<ocdtrekkie>
Made for a REALLY good apology edit.
<TimMc>
kentonv: Would be nice to turn off auto-updating of an extension, eh?
<kentonv>
TimMc, I dunno, because I also don't trust people to write secure code, so I'd like to get updates...
<ocdtrekkie>
TimMc: Firefox will let you turn off add-on updates.
<TimMc>
Globally, or per add-on?
<ocdtrekkie>
Globally, I think.
<TimMc>
I guess you can always just choose not to update that one.
<ocdtrekkie>
I use only three extensions.
<ocdtrekkie>
Facebook Container and Firefox Multi-Account Containers, which are both first party.
<ocdtrekkie>
And Privacy Badger
<TimMc>
No adblocker?
<ocdtrekkie>
I don't think ad blockers are ethical.
<ocdtrekkie>
As it is, Privacy Badger blocks a bunch of them.
<TimMc>
huge attack surface not using one, though
<ocdtrekkie>
Privacy Badger will block most that present an attack surface.
<ocdtrekkie>
A lot of ad blockers are hostile to the very concept of advertising, such that they'll block literally handwritten endorsement statements by the site developer.
<kentonv>
I've come to believe that ads are nothing but a blight on society that ought to be banned entirely so that we can finally move on to funding models that don't make everything awful...
<TimMc>
^
<ocdtrekkie>
I am getting there, but my main issue is third party scripts, not "ads". So I'd rather use something like Privacy Badger, which blocks third party tracking scripts and the like, over an ad blocker designed to prevent you from seeing any indication that someone was paid for something.
<kentonv>
... meanwhile one of the big use cases for the tech I'm building in my day job is ad blocker-blockers. Sigh.
<ocdtrekkie>
Hiding a text-only sponsorship ad, as in the case of Troy Hunt's, is IMHO, pretty terrible behavior for ad blockers to engage in.
<kentonv>
I agree many ad blockers go way too far
harish_ has joined #sandstorm
<kentonv>
but really I'd always rather pay directly whatever price they're getting for the impressions they'd otherwise serve me
<ocdtrekkie>
That's the one thing I feel was probably a miss with GDPR: I'm surprised they didn't allow "ads or equivalent value payment" as a model.
harish has quit [Read error: Connection reset by peer]
<ocdtrekkie>
GDPR as written is that you must provide the same service whether or not the user consents to tracking.
<TimMc>
ocdtrekkie: I suppose adblocker maintainers have the same incentive as antivirus authors: To detect as much as possible, and never fail to detect something the competition does not. Leads to problems.
<ocdtrekkie>
False positives in antivirus is arguably a bigger problem.
<ocdtrekkie>
It's one of the leading reasons we switched enterprise security software at work.
<ocdtrekkie>
Things kept coming up as false positives, exemptions didn't work well, etc.
<ocdtrekkie>
But yeah, to me, Privacy Badger meets my needs as an "ad blocker". It blocks malicious third party scripts, and gives me levers to block more of them if I need to.
<TimMc>
simpson: I've become something of a hardass NoScript user, and will just straight up hit the back button when someone's blog won't show me basic formatted text without a gigabyte of javascript.
<kentonv>
I'm pretty sure installing AV on a system where I'm the only user actually makes the system less secure. But the company mandates it... sigh.
harish_ has quit [Ping timeout: 245 seconds]
<TimMc>
kentonv: I'm one of the few Linux users at work, and they haven't figured out how to work me in to the mandatory software policy, so I get to manage my own security. \o/
<kentonv>
TimMc, unfortunately my work has lots of linux users and therefore has figured out how to make us install AV on Linux...
<TimMc>
heh :-)
<ocdtrekkie>
I use Windows, but mostly just threaten to switch everyone to Linux when Microsoft pushes out a trashy cumulative update every third month.
<ocdtrekkie>
Are their major antivirus vendors that make Linux AV scanners now?
<ocdtrekkie>
I honestly didn't know that was a thing.
<kentonv>
well, at least Sophos does
<TimMc>
Interesting. The only one I knew of was ClamAV.
<ocdtrekkie>
Well, Sophos is pretty decent at what it does, at least.
<TimMc>
Sophos screwed up everyone's CORS requests at work last year or so and cost us a week or so of developer time.
<TimMc>
people were almost in open revolt against IT
<kentonv>
sometimes it locks up my disk I/O for a good 60 seconds straight. Any program that tries to read something that isn't in cache locks up and can't be killed.
<ocdtrekkie>
TimMc: That kinda sounds fun.
<TimMc>
ocdtrekkie: I wish they *had* revolted.
<ocdtrekkie>
kentonv: It's locking up like... an SSD even? o_o
<TimMc>
"Developers go on strike against antivirus", what a trip that would have been.
<kentonv>
ocdtrekkie, yes. I think it basically blocks all disk I/O while it's scanning things, and if it gets sufficiently behind it can stay locked up for quite a while.
<kentonv>
it's certainly not the SSD's fault.
<ocdtrekkie>
Windows Defender has been known to be pretty abusive to traditional hard disks, to the point that I'm of the opinion that an SSD should be considered a minimum requirement for Windows 10, but I haven't seen an AV engine lock up an SSD. :/
<kentonv>
well, it happens when I'm building a bunch of Docker images which I suppose does a *lot* of disk I/O...
<kentonv>
probably not a typical workload on Windows... :)
<ocdtrekkie>
Not really, no. :P
<ocdtrekkie>
I feel like I should share: Someone sent me a certificate of completion today for some training.
<ocdtrekkie>
...As a single-slide PowerPoint file.
<TimMc>
I once got a certificate of completion in a file format I didn't even recognize.
<ocdtrekkie>
Like, Windows PCs come with a Print to PDF feature built-in now. There's no excuse for a single-side PowerPoint file to even exist at this point.
harish_ has joined #sandstorm
<TimMc>
kentonv: I don't know if I could actually agree to do that kind of work (thinking of the adblocker-blockers)
<TimMc>
although I guess what you're building is a more general mechanism, not a blocker
<kentonv>
yeah I'm not actually building ad-blocker-blockers, I'm building a general platform for arbitrary code
<kentonv>
and that's a thing you can write with it
<TimMc>
sucks to know what people are gonna use it for sometimes, I guess
<TimMc>
This is the code-at-edge thing?
<kentonv>
yeah
<TimMc>
That's pretty general.
<kentonv>
some people use it to inline ads, so that the ads are served off the same domain as the rest of the content, which makes them much harder to block
<ocdtrekkie>
The other one I thought was comical was the "block European users for one-click GDPR compliance" bit.
<kentonv>
Cloudflare is the ideal place to implement such inlining
<TimMc>
At work, I've done some stuff that supports server-side ad insertion into videos, which has some similarity to that.
<TimMc>
I don't really watch video on the web, but it sounds supremely annoying. :-P
<TimMc>
ocdtrekkie: Haha yeah, I just had to laugh at those.
<ocdtrekkie>
I am a little surprised more videos don't have server-side ad insertion yet.
<ocdtrekkie>
I assume it's a cost limitation.
<kentonv>
if you did the inlining on your regular server then it would add unacceptable latency and bandwidth costs to transfer all the ad data around, but since CF is close to the user it works fine there
<TimMc>
It's... *whispers* actually not as hard as you'd imagine.
<kentonv>
similar story for video, yeah
<TimMc>
You lose a lot of caching, basically.
<kentonv>
it's the cost of transferring from server A to server B that may be in totally different regions, just to be bounced back to the user
<kentonv>
but if you do it in CF workers then you can avoid that problem and you can utilize the CF cache
<TimMc>
so if you put the insertion in front of the caching, at the edge, you can do it
<TimMc>
that ^
<kentonv>
anyway, ad-blocker-blockers are not a big fraction of CF workers usage
<kentonv>
Meanwhile NPM registry uses CF workers as of a little over a week ago.
<kentonv>
much more proud of that one. :)
<TimMc>
What are they using it for?
<kentonv>
caching and routing logic at the edge. They push a lot of bits.
<TimMc>
How long 'til y'all have full VMs at the edge? :-)
<kentonv>
(I would love to tell you more precisely what they do and how many bits they push, but customer data is confidential.)
<kentonv>
probably never.
<TimMc>
Price points don't work out, I guess?
<kentonv>
the thing about edge compute is that everyone wants to be hosted in every location, so you have to use a super-lightweight environment
<ocdtrekkie>
So all my npm updates will be zippier now?
<kentonv>
ocdtrekkie, yes. :)
<ocdtrekkie>
:D
<kentonv>
also typical edge locations don't have very many computers in them
<kentonv>
so you have a orders of magnitude fewer machines that need to run orders of magnitude more applications at once
<kentonv>
even giving each customer their own process is too heavy.
<kentonv>
V8 isolates in a single process can scale much further
<kentonv>
and anyway, you only really want to put compute on the edge if it needs to be close to the user
<kentonv>
bulk data processing might as well stay in a megadatacenter
<kentonv>
I kind of wish Sandstorm was based on the Cloudflare Workers engine, actually.
<kentonv>
you'd be able to run a *lot* more grains with much lower RAM usage
<kentonv>
but of course apps would all need to be written in JavaScript, as Service Workers.
<kentonv>
but maybe if people start doing that anyway in order to target CF Workers, then Sandstorm 2 can plausibly be built that way?
<ocdtrekkie>
I am actually kinda curious about how many PWAs might be workable as Sandstorm apps and how to make that work.
<ocdtrekkie>
They're meant to work offline and Windows and Chrome are supporting representing PWAs as local apps.
<ocdtrekkie>
Can you throw Sandstorm's storage behind that instead of insert-random-Internet-server?
<ocdtrekkie>
Also, Sandstorm needs a 1.0 before it can get a 2.0. :P
<kentonv>
heh
<kentonv>
well my current project at CF is storage
<kentonv>
and the model we're thinking about is... basically the Sandstorm model. Lots of little sqlite databases that we can move around to be close to whoever is using them.
<kentonv>
if that becomes popular as a way to write "cloud" apps, those apps will be extremely easy to convert into Sandstorm-style apps.
<TimMc>
That would be interesting.
<kentonv>
like... so easy that maybe Cloudflare can just do it en masse without any work from the developers
<ocdtrekkie>
So new pet peeve: I now have to check a box on files to allow sh files to be run as an executable for vagrant-spk to work.
<ocdtrekkie>
I am not sure why.
<kentonv>
check a box where?
<ocdtrekkie>
Permissions tab of file properties.
<ocdtrekkie>
On the Ubuntu machine I am running vagrant-spk on.
harish_ has quit [Ping timeout: 268 seconds]
<ocdtrekkie>
I think I used to use a chmod'd /opt/ folder for all my working directories before though, and currently use a folder under my home folder.
<kentonv>
well, I mean, on unix systems, files have to be marked executable if you want to be able to execute them...
<kentonv>
personally I'd argue that the executable bit does not provide much actual value, but a lot of people would disagree with me on that
<kentonv>
but... in any case, it's a thing and we have to deal with it
<ocdtrekkie>
I don't recall ever experiencing that.
<ocdtrekkie>
I coulda sworn I used to be able to git clone something and then execute it.
<kentonv>
well, whether or not the file is executable is tracked by git
<kentonv>
are you running on real Linux, or WSL, or...?
<ocdtrekkie>
Real Linux.
<ocdtrekkie>
But I also did some unholy things to Git on this branch, so I might've confused it?
<kentonv>
are the files from the vagrant-spk repo, or app repos?
<ocdtrekkie>
App
<kentonv>
and that specific app worked before?
<ocdtrekkie>
I would think so.
<ocdtrekkie>
(I am playing with upstreaming and updating HLedger, specifically.)
<kentonv>
I guess either the app's git repo didn't have the script marked executable, or somehow you used git in a way that caused it to lose that information, or maybe your filesystem is not tracking it correctly
<ocdtrekkie>
hledger-sandstorm was a separate repo, and I wanted to bring it upstream without losing authorship of the previous commits.
<kentonv>
yeah it looks like the scripts in the hledger-sandstorm git repo are not marked executable
<kentonv>
this seems to be a problem with that repo. (You could submit a PR to fix it...)
<ocdtrekkie>
Weird
<ocdtrekkie>
I am replacing that repo, effectively.
<kentonv>
fair enough
<ocdtrekkie>
HLedger guy had it marked as an issue that Sandstorm reviews for it are bad, and I figured bringing it upstream actually enables him to address that. (Even if I am still helping do the final packaging/pushing step.)
ogres has quit [Quit: Connection closed for inactivity]
<ocdtrekkie>
Fun story: I am having an issue getting my Keybase key into GPG on this machine.
<ocdtrekkie>
I searched for a solution, and the resulting article's first paragraph specifies that they did this so they could package a Sandstorm app. :D