templates/hyperkitty/base.html embeds remote jQuery from googleapis.com (privacy breach)
For some non-obvious reason, templates/hyperkitty/base.html embeds jquery-1.10.1.min.js from googleapis.com just before embedding the locally shipped version of the same file:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="{% static 'hyperkitty/libs/jquery/jquery-1.10.1.min.js' %}"><\/script>')</script>
What's the reason for doing that? I'm no JS expert, but to me it looks like it's redundant. First the version from Google is embedded, then a jQuery function is executed, and the local version of jQuery is embedded just in case that fails? Why not simply embed the local jQuery copy just like all other JS scripts, like so:
<script src="{% static 'hyperkitty/libs/jquery/jquery-1.10.1.min.js' %}"></script>
I consider linking JS/CSS files from commercial CDNs a severe privacy breach and strongly suggest not doing so by default in open source web applications, especially if they're developed under the umbrella of GNU, an organization highly appreciated for campaigning for digital user rights.
Besides, it would be awesome if hyperkitty could ship the actual source files of the third-party JS scripts it bundles. In some cases (d3, jQuery), only the minified versions are shipped with the hyperkitty tarball. Shipping the sources would emphasize the open source character of those third-party JS files, and it would make it easier to package hyperkitty for Debian, whose policy requires shipping the source files (the preferred form of modification).
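As an added example (not HyperKitty's own code, and not part of the report above), here is a small Node.js scanner that reports <script src> and <link href> tags in a template whose URL points at another host, which is the class of embed the report objects to: every such tag is a request to a third party on each page view, whether or not the local fallback ever runs. The sample template is constructed from the two lines quoted in the report plus one made-up local stylesheet path; it assumes that assets served by the application itself appear either as relative paths or as Django {% static %} tags, and that anything of the form "//host/..." or "http(s)://host/..." is remote.

```javascript
// Added example, not HyperKitty code: flag <script>/<link> assets loaded from another host.
// Assumption: app-served assets are relative paths or Django {% static %} tags; a
// protocol-relative ("//host/...") or absolute ("http(s)://host/...") URL is a remote embed.

// Constructed sample: the two lines quoted in the report plus a made-up local <link>.
// It is not the real base.html.
const SAMPLE_TEMPLATE = [
  '<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js"></script>',
  // The CDN-with-fallback idiom: the local copy is document.write'd only if the CDN
  // script did not define window.jQuery. The CDN request itself still happens every time.
  '<script>window.jQuery || document.write(\'<script src="{% static \'hyperkitty/libs/jquery/jquery-1.10.1.min.js\' %}"><\\/script>\')</script>',
  '<link rel="stylesheet" href="{% static \'hyperkitty/libs/example/example.css\' %}">',
].join("\n");

// Decide whether a src/href value is served by the application or fetched from elsewhere.
function classifyUrl(url) {
  const u = url.trim();
  // Django {% static %} tag: rendered to a path under the app's own STATIC_URL.
  if (/^\{%\s*static\b/.test(u)) return { kind: "local", host: null };
  // Absolute (http://, https://) or protocol-relative (//) URL: a third-party host.
  const m = /^(?:https?:)?\/\/([^/"'\s]+)/i.exec(u);
  if (m) return { kind: "remote", host: m[1].toLowerCase() };
  // Anything else (relative path) is served by the app.
  return { kind: "local", host: null };
}

// Collect every <script src=...> or <link href=...> whose URL classifies as remote.
// A regex is enough here because template tags are not valid HTML for a real parser anyway.
function findRemoteAssets(templateText) {
  const results = [];
  const tagRe = /<(script|link)\b[^>]*?\b(src|href)\s*=\s*(["'])(.*?)\3[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(templateText)) !== null) {
    const url = m[4];
    const c = classifyUrl(url);
    if (c.kind === "remote") {
      results.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url, host: c.host });
    }
  }
  return results;
}

// Print one line per remote embed and return how many were found (non-zero = fail a build check).
function report(templateText, name) {
  const remote = findRemoteAssets(templateText);
  for (const r of remote) {
    console.log(`${name}: remote <${r.tag} ${r.attr}> from ${r.host}: ${r.url}`);
  }
  return remote.length;
}

report(SAMPLE_TEMPLATE, "templates/hyperkitty/base.html");
```

Run against the sample, the scanner reports exactly one remote embed, the googleapis.com jQuery tag, and classifies both {% static %} references as local; wiring report() into a packaging or CI step (fail when the count is non-zero) catches the pattern before a release goes out.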