DSGVO-proofing mkdocs? #4855
-
Thanks for asking. We are very aware of the situation. This is exactly the raison d'être for the built-in privacy plugin, which will not only inline all external assets used by the theme (i.e. those that we manage), but also those that the author might add (i.e. you manage). It's essentially a safety net for the situation you stated.
Our documentation precisely explains why this is not possible without losing convenience and flexibility. See the section on external assets, scroll down and find the admonition which says "Why can't Material for MkDocs bundle all assets by design?":
-
After checking the plugin you mentioned and learning that this involves a monthly fee, I decided to go another way. I do not earn money with this, at least currently, so I'd prefer to keep my investment in time rather than money. I still think what you do is a good idea and for companies some peanuts for big benefit. My mileage regrettably varies. So for my own part I will now create a script to scan the resulting site and replace the links with downloads at build-time. I can weave this into a separate stage in the pipeline and it will work with "any" SSG, i.e. for me with mkdocs and hugo. During development, I would not care. Consider the matter closed. ;-)
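Added example, not part of the thread and not code from MkDocs or Material for MkDocs: a build-stage audit in the spirit of the scan described in the reply above, which only reports references to third-party hosts in the built HTML and CSS (it does not download or rewrite anything). The names `audit` and `AssetParser`, the tag and `rel` sets, and the command-line shape are assumptions made for this sketch.

```python
import re
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Elements and <link rel> values that make a browser contact a host on load.
SRC_TAGS = {"script", "img", "iframe", "source", "video", "audio", "embed"}
LINK_RELS = {"stylesheet", "preload", "modulepreload", "preconnect", "dns-prefetch", "icon"}
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?((?:https?:)?//[^'"\s)]+)""", re.I)

class AssetParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_style = tag == "style"
        rels = set(a.get("rel", "").lower().split())
        if tag in SRC_TAGS or (tag == "link" and rels & LINK_RELS):
            self.urls.append(a.get("src") or a.get("href", ""))
        self.urls += CSS_URL.findall(a.get("style", ""))  # inline style="..."

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.urls += CSS_URL.findall(data)

def audit(site_dir, own_hosts=()):
    """Map each third-party host to the set of (file, url) pairs referencing it."""
    own, found = {h.lower() for h in own_hosts}, {}
    for path in sorted(Path(site_dir).rglob("*")):
        if path.suffix.lower() not in {".html", ".htm", ".css"} or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        parser = AssetParser()  # a .css file is parsed as one big <style> block
        parser.feed(f"<style>{text}</style>" if path.suffix.lower() == ".css" else text)
        for url in parser.urls:
            host = (urlparse(url).hostname or "").lower()  # also handles //host/...
            if host and host not in own:
                found.setdefault(host, set()).add((path.relative_to(site_dir).as_posix(), url))
    return found

if __name__ == "__main__":  # usage: audit.py SITE_DIR [OWN_HOST ...]
    report = audit(sys.argv[1], sys.argv[2:])
    sys.exit("\n".join(f"{h}\t{f}\t{u}" for h in sorted(report) for f, u in sorted(report[h])) if report else 0)
```

Run as its own pipeline stage after the site build, a non-empty report exits non-zero and fails the job; ordinary `<a href>` links and `rel="canonical"` are deliberately ignored because the browser does not fetch them on page load.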
-
One thing that bothers me with many static site generators like hugo and mkdocs is the legal traps they place.
Background: following European law like DSGVO / Datenschutzgrundverordnung (GDPR in the English namespace), it is somewhere between highly problematic and illegal to remotely include resources like WebFonts or JavaScript. Now mkdocs/material appears to include Google Fonts, while these might also just be included to the image and referenced locally. Locally they pose no threat, remotely they are literally "mating calls" for greedy lawyers to sue you, if you publish an mkdocs site on the internet.
I can virtually hear you: "this is why we include DSGVO statement". Regrettably these won't save you, because you literally employ Google, resp. Cloudflare as IT-subcontractors (for free, but legally relevant). According to German law, I believe (I am not a lawyer, just reflecting some press reports), there is the right for deleting. Now if I publish an mkdocs site, any user has the right to have their IP addresses deleted from my logs (sounds idiotic, but is just like that) and even worse, that user also has the right to demand ME to get his IP address deleted from Cloudflare's logs, resp. Google's logs, which usually I will not be able to do.
I would propose to try to identify the places in the theme that call up for remote resources and make them local. For a usual SSG, I'd say "hey guy, hack your theme yourself and get into a safe state", but mkdocs in contrast should be like "no serviceable parts inside", so here I would expect the thing to be legally uncritical in the first place.
I am open for comments.