[WIP] Sanitize otf fonts with ots-sanitize (Closes: #22)

[norbusan]

Sanitize fonts with ots-sanitize

[norbusan]

Hi @fred-wang
here is an initial version about in what direction I would go. I have a
few questions:

• which fonts should we sanitize? Only .otf? What about .ttf?
• if woff/woff2 fonts are provided upstream, should we use them as is, or sanitize otf and create our own woff(2)?
• what if ots-sanitize is not available, should we fail (current state)?

Thanks!

[fred-wang]

@norbusan thanks a lot for working on this!

which fonts should we sanitize? Only .otf? What about .ttf?

I would say whatever format is provided by upstream developer: otf, ttf or woff2/woff. ots-sanitize support all these formats, right?

if woff/woff2 fonts are provided upstream, should we use them as is, or sanitize otf and create our own woff(2)?

I think we should always try and use the upstream versions when provided. If they fail, we should report the issue to the upstream developer so they can fix it.

what if ots-sanitize is not available, should we fail (current state)?

That sounds fine. I think the ./configure script would fail, right?

Maybe we can add options to skip some build steps like the one to generate the testcase and this ots check, so people could still compile the fonts without the full deps. But not sure it's super important right now.

[norbusan]

Thanks @fred-wang for the answers.

Two more questions:

• should we sanitize only the math fonts, or all fonts that we install ( I guess the later)?
• the sanitization changes the font file - should we install the sanitized font (if directly installed) or generated woff(2) from the sanitized font or the original and then sanitize? (i.e., is sanitizing and conversion commutative?)

[fred-wang]

should we sanitize only the math fonts, or all fonts that we install ( I guess the later)?

I think all fonts yes.

the sanitization changes the font file

OK I didn't realize that. Is it possible to just run ots thing to check whether the font is valid ?

I think we should really just use fonts provided by upstream. WOFF is just zlib compression and WOFF2 brotli conversion + minor tweak in glyph paths. I don't think we should do any bigger changes (e.g. dropping tables). Doing so could violate the OFL with reserved font names (see https://openfontlicense.org/webfonts-and-reserved-font-names/ ; woff and woff2 are explicitly mentioned as ok there).

[norbusan]

Is it possible to just run ots thing to check whether the font is valid ?

Yes, that is possible.

Ok, then I know what I need:

• don't change the fonts, but only test with ots tools and fail if not ok
• test all fonts that are either directly installed, or from which fonts that are installed are generated

Thanks, will look into it.

[norbusan]

Ah, there is one more thing: How to deal with files that can be sanitized but would change when running ots-sanitize?

Example:

$ ots-sanitize ./DejaVu/DejaVuSerif-BoldItalic.woff2 /dev/null ; echo $?
WARNING: glyf: Glyph bbox was incorrect; adjusting (glyph 422)
File sanitized successfully!
0

or

$ ots-sanitize ./XITS/XITSMath-Regular.woff2 /dev/null ; echo $?
WARNING: name: name records are not sorted.
File sanitized successfully!
0

The sanitization changed the .woff2 file and gave a warning, but the return values is 0 and it was sanitized successfully.

Also, even if there is NO warning output, the file is actually changes:

$ ots-sanitize Euler/Euler-Math.woff2 bla.woff2
File sanitized successfully!
$ cmp Euler/Euler-Math.woff2 bla.woff2 
Euler/Euler-Math.woff2 bla.woff2 differ: byte 1, line 1

I am not really sure now what we want, i.e., when do we want to ship out warnings/stop building?