[03:04:55] Toolforge is merely a proxy in front of Google Fonts, but we can't do that for production because it requires passing the user's user-agent (which is considered private info) to Google.
[03:05:17] Google Fonts does some neat stuff by looking up a user's browser and serving them the smallest/best font option based on that
[03:05:36] So we'd have to reimplement that locally if we wanted Google Font-like behavior
[03:07:34] I don't actually think that's all necessary, if people want fonts we could just serve them from MediaWiki (e.g. ULS or https://www.mediawiki.org/wiki/Extension:MontserratFont)
[03:08:14] But then you have to convince the powers that be that your special font is worth the performance hit it costs everyone, and I think that's a pretty hard case to make
[03:12:27] [telegram] you mean on toolforge it is passed to google too? (re @wmtelegram_bot: [irc] Toolforge is merely a proxy in front of Google Fonts, but we can't do that for production because it requires pa...)
[03:12:38] Yes
[03:13:20] [telegram] hm, so it is fine per toolforge's ToUs? I thought they are relatively the same in this regard
[03:13:57] [telegram] or privacy policy, whatever regulates that
[03:14:26] [telegram] I had similar thoughts but it makes sense that toolforge is willing to accept the hit on end user performance that wouldn't be ok for wikis proper (re @Thecladis: hm, so it is fine per toolforge's ToUs? I thought they are relatively the same in this regard)
[03:14:46] [telegram] yeah, it seems strange that such a service wouldn't get more attention from the folks who analyze automatic CSP reports from toolforge
[03:15:07] https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_can_and_can%E2%80%99t_be_done_with_user_information? <-- note that on Toolforge/Cloud Services, "User-agent" is not mentioned as part of private information
[03:15:30] This is because every Toolforge tool can also see your user-agent in webserver logs or via JavaScript
[03:15:45] While we (try to) redact things like IP addresses
[03:16:19] [telegram] seems like something that could be implemented in varnish. do we still use varnish? :)
[03:16:19] [telegram] I see a lot of Google fonts GitHub repos. didn't get through them all. have they published anything about how they make UA string decisions? (re @wmtelegram_bot: [irc] So we'd have to reimplement that locally if we wanted Google Font-like behavior)
[03:16:21] [telegram] but is the list exhaustive? it also does not mention social security number explicitly, but that does not mean that it is fine to share it (re @wmtelegram_bot: [irc] https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_can_and_can%E2%80%99t_be_done_with...)
[03:17:16] [telegram] but we also don't ask for it? (re @Thecladis: but is the list exhaustive? it also does not mention social security number explicitly, but that does not mean that it is fine t...)
[03:17:20] "Toolforge is merely a proxy in front of Google Fonts" are you sure? fontcdn runs off tools-static URLs
[03:17:23] [telegram] well, this is different, because tool owners agree to ToU not to share it, but Google does not. (re @wmtelegram_bot: [irc] This is because every Toolforge tool can also see your user-agent in webserver logs or via JavaScript)
[03:19:12] @AntiComposite: https://gerrit.wikimedia.org/g/operations/puppet/+/f1662d744916f8e69d5e773e3771f50537fc646d/modules/profile/templates/toolforge/static-server.conf.erb#106
[03:19:28] * AntiComposite grumbles about non-standard usage
[03:21:16] [telegram] disable lines 33-36, and force a blank/generic user agent, when fontcdn is involved, then? (re @wmtelegram_bot: [irc] @AntiComposite: https://gerrit.wikimedia.org/g/operations/puppet/+/f1662d744916f8e69d5e773e3771f50537fc646d/modu...)
[03:21:35] https://phabricator.wikimedia.org/T210959
[03:21:39] @Thecladis: My understanding/interpretation as a Toolforge admin is that user-agent isn't considered private info, I feel like it's something we discussed before but would have to search a bit.
[03:21:47] [telegram] we likely don't. but I am still not convinced that the list is exhaustive. Rather it falls into "Only collect information if the purpose of the Cloud Services Project unavoidably requires such collection." (SSN very likely doesn't indeed, unless the tool does something very niche) and then there is
[03:21:48] [telegram] > Not share any Private Information outside of your Cloud Services Project; and (re @jeremy_b: but we also don't ask for it? (SSN))
[03:22:00] https://phabricator.wikimedia.org/T140486
[03:22:13] hrmp, I have a draft comment I never posted on that task
[03:22:44] @jeremy_b: *waves*, I searched a bit and can't find any specific spec on what Google Fonts does, just various people trying to reverse engineer it
[03:23:10] [telegram] well then why is it one per the general privacy policy? unless it also isn't and thus we can use the same approach for prod (re @wmtelegram_bot: [irc] @Thecladis: My understanding/interpretation as a Toolforge admin is that user-agent isn't considered private inf...)
[03:23:37] The on-wiki privacy policy explicitly includes user-agent as private information
[03:23:44] user-agent is a tricky one
[03:23:55] [telegram] I could poke a Googler (re @wmtelegram_bot: [irc] @jeremy_b: *waves*, I searched a bit and can't find any specific spec on what Google Fonts does, just various pe...)
[03:24:06] in most cases, a generic user-agent is not going to be sufficiently identifiable
[03:24:57] however, user agents *can* absolutely be sufficiently unique to be identifiable/just plain contain PII
[03:25:50] which is why the analytics pages only contain parsed UA fragments, not full UAs
[03:25:51] that's a good way of putting it
[03:26:23] [telegram] https://www.eff.org/deeplinks/2017/11/panopticlick-30 (re @wmtelegram_bot: [irc] however, user agents *can* absolutely be sufficiently unique to be identifiable/just plain contain PII)
[03:26:24] [telegram] well in some edge cases, like UA indicating latest iPhone in a country that only has smuggled in iPhones might be identifiable
[03:26:57] right, which is why UA + basically any other data is always treated as PII
[03:29:02] in theory, if a page used a rare font, you could de-anon someone by knowing their UA and the font they loaded through the toolforge proxy
[03:30:58] the only way to counter that would be heavy caching on the proxy, ideally to the point of caching basically every request and occasionally async updating the cached files
[03:31:58] I'm sure you could deanonymize a decent amount of people by just putting an OAuth login form on your tool ;-)
[03:36:56] [telegram] yeah but again, that is by someone who has agreed to tou, rather than by an evil third party :)
[03:37:35] [telegram] can be done by I mean