Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13488 closed defect (fixed)

fontforge-20200314

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

I just noticed gentoo have issued a security alert for fontforge,

CVE-2019-15785 https://nvd.nist.gov/vuln/detail/CVE-2019-15785

CVE-2020-5395 https://nvd.nist.gov/vuln/detail/CVE-2020-5395

CVE-2020-5496 https://nvd.nist.gov/vuln/detail/CVE-2020-5496

and report that all are fixed in 20200314.

The first is rated as Critical, the other two as High. Gentoo describe the impact as:

A remote attacker could entice a user to open a specially crafted font using FontForge, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

But perhaps more significant for us, we seem to be stuck on 20170731.

Change History (14)

comment:1 by ken@…, 4 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by ken@…, 4 years ago

Release notes for releases since 2017:

20190317 :

This release, the first since 2017, includes countless small bug fixes and a few significant features.

Complete GDK support, enabled by default on Windows and Macintosh, from @jtanx.

Enhanced UFO 3 support, with separate import/export paths for UFO 2 and UFO 3, from @frank-trampe. See the technical bulletin here for more information.

Improved feature file support, from @skef and @khaledhosny.

WOFF2 support, from @jtanx.

Unicode 12.1.0 support, from @JoesCat.

Extended Python interfaces, from @skef.

20190413:

This is a bugfix focused release.

Most notably, it fixes a crash on MacOS when browsing files.

Plugin support and direct http/ftp browsing support has also been removed.

20190801:

Along with the usual bugfixes, there have been a couple of new features worth calling out:

Added Croatian translation

Added user decompositions

New graphic for the splash/about screen

Images embedded in SFDs are now serialised as PNGs. This is enabled by default, but may be turned off with the 'WritePNGInSFD' option. A new tag is used to identify this mode; 'Image2', instead of 'Image'. This requires FontForge to be compiled with libpng support. If not compiled with libpng, FontForge will revert to the old method of serialising RLE-encoded raw images.

As part of an ongoing effort to clean up the code base, there have additionally been multiple build system changes:

Python 2 support is deprecated. It is strongly recommended to build with Python 3 support. Python 2 support will be removed in a future release.

Both the Windows and Mac builds are now built with Python 3 instead of Python 2.

The minimum supported version for the Mac build is now MacOS Sierra (10.12)

FontForge no longer uses gnulib

collab support has been removed

The build system now expects libuninameslist to be present, and will fail if it is not found. Building without libuninameslist must be explicitly specified using --without-libuninameslist

20200314:

Significant changes include the following.

FontForge now has much improved stroke expansion functionality. The main change is that it actually works most of the time. New features include support for arbitrary convex nibs and the miter-clip and arc join styles from SVG 2. All functionality is accessible from the Python and native APIs. (By @skef.)

Remove overlap handles certain important edge cases better. (By @skef and @frank-trampe.)

The Python API now has a function called genericGlyphChange that matches the "Change Glyph" command in the GUI. See #4133 for more details. (By @skef.)

The Python API now has functions for getting Unicode script and for interrogating glyph boundaries. (By @ctrlcctrlv.)

One can now use text flags (rather than just numerical flags) when opening a font file via the Python API. (By @skef.)

UFO import now outputs the note field properly. (By @skef.)

SVG import is much more robust. (By @skef.)

We have dropped most gnulib and autotools logic in favor of CMake, which dramatically simplifies the build system and just as dramatically improves build time. (By @jtanx.)

As part of the switch to CMake, per the deprecation of Python 2, and per the lack of objections to the proposal on the mailing list, we have dropped support for building FontForge with Python 2 support. The non-build-system Python 2 code remains, but it is neither tested nor maintained nor supported and is likely to follow a trajectory of decay and then removal.

Documentation is now rendered in Sphinx, which makes maintenance and improvement easier. (By @jtanx.)

Translations now happen on crowdin, which makes contributions easier. (By @jtanx.)

We got such a contribution for Croatian. (By @milotype.)

Character view point coloring is more consistent, and preview fills support transparency. (By @skef.)

The user can now move and close tabs in the character view. (By @ctrlcctrlv.)

The metrics view now allows for entry of negative kerning values and runs a bit more smoothly. (By @ctrlcctrlv.)

There is now a warning when a user is about to discard an unsaved script. (By @ctrlcctrlv.)

We fixed bugs all over, as always, with particular attention given to the metrics view, Python, Spiro, and high-resolution displays.

Notes on build system changes:

libgutils and libgunicode have been combined into libfontforge

libgdraw and libfontforgeexe have been combined into the fontforge executable itself

No development files are installed (headers, or pkg-config). This is because we do not provide a stable API or ABI to work against, nor are the headers actually well configured to be used externally. We are also not aware of any maintained product that compiles against FontForge itself.

comment:3 by Bruce Dubbs, 4 years ago

I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.

in reply to: 3; comment:4 by Bruce Dubbs, 4 years ago

Replying to bdubbs:

I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.

Currency should be fixed now at revision 23063.

comment:5 by ken@…, 4 years ago

Thanks. It will take me a while to get on to this - updating my scripts for a fresh build, upcoming firefox, and ... revising my details of fonts, particularly the fallout from Cantarell no longer providing cyrillic (and breaking xelatex if all the supplied OTFs are installed) and more generally kde's apparent preference for noto.

comment:6 by ken@…, 4 years ago

libuninameslist seems to be a separated part of fontforge, https://github.com/fontforge/libuninameslist/releases - looks as if we will want the -dist version (pre-generated configure script).

in reply to: 5; comment:7 by ken@…, 4 years ago

Replying to ken@…:

Thanks. It will take me a while to get on to this - updating my scripts for a fresh build, upcoming firefox, and ... revising my details of fonts, particularly the fallout from Cantarell no longer providing cyrillic (and breaking xelatex if all the supplied OTFs are installed) and more generally kde's apparent preference for noto.

Hmm, at some point I seem to have lost a few marbles! Cantarell DOES still provide Cyrillic glyphs. Memo to self: it is *other* writing systems where the Cantarell developer recommended NotoSans*UI variants (arabic and indic or S.E. Asian scripts).

in reply to: 4; comment:8 by ken@…, 4 years ago

Replying to bdubbs:

Replying to bdubbs:

I'll fix the currency script. They changed the filename. I was looking for fontforge-dist-20*, but they've dropped the dist part.

Currency should be fixed now at revision 23063.

I'm starting to look at this now: the dist variant did not need autoreconf. So it ceased to be created when they moved to cmake.

Two new deps of libspiro and libuninameslist are both from fontforge's github and both have -dist versions to save needing to run autoreconf.

I suggest that when these get added to the book's php scripts it would be better to not test for the -dist part, if possible.

comment:9 by ken@…, 4 years ago

Still looking at options/dependencies, but I tried a build with cmake; make -j4 and then with cmake; ninja using the same settings: make took 55 seconds, ninja took 1m09 - not what I had expected.

comment:10 by ken@…, 4 years ago

My use-case for fontforge is very limited (generate a font from one of the components in a ttc, if I want to look at which glyphs it contains). I can do that, and also look at details of an installed font (font info etc). This version seems to work like previous versions.

It doesn't like the Variable Font otf from current Cantarell, but that is no surprise at all.

comment:11 by ken@…, 4 years ago

libspiro and libuninameslist added at r23102.

comment:12 by ken@…, 4 years ago

Resolution: fixed
Status: assigned → closed

Fontforge updated at r23105.

Errata added.

comment:13 by Bruce Dubbs, 4 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:14 by Bruce Dubbs, 4 years ago

Milestone: 10,0 → 10.0

Milestone renamed
