If you want to review this PR, the new version is there. Admins should now approve remote blog themes, but they may contain anything. Once a theme is approved, it is also available for use on this instance. Admins can also upload themes if they have SSH access to their instance: they just need to create a folder called “blog-SOMETHING” in static/css, and add the theme files inside.
Does it really make sense to have admins approve remote blog themes? Using remote resources on the local site seems fragile and prone to many more errors in the future. I think it makes more sense to limit themes to site-wide and local-user.
More generally, this is an issue that has to do with the way articles federate in Plume -- the HTML is delivered and cached to many different sites that may have varying CSS. Federating CSS as well is, I think, out-of-scope of ActivityPub (although there is nothing preventing this). In any case, it is much simpler to say that users should view the original URL if they wish to read the article with the original CSS.
I think they are cached, but not evicted when modified, so the client might think the file was not updated when it was. Adding a timestamp, a hash, a random string or anything to the name (myfile-DEADBEEF1312.css) would fix it.
I think it is going to be quite difficult, because in the current implementation, the main theme file should be named theme.css, and it may load other files of the theme, so we would have to find a way to detect the main theme file even if it has a hash in its name, and to edit all url()/@import inside of it to make sure other files are correctly loaded too… Maybe we can just set a default cache duration of one week or something like that, with an HTTP header? Or is it a problem not to have the latest theme update for a few days?
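A sketch of the hashed-filename idea from the last two comments, added here as an example and not part of the PR or of Plume's code: it renames every theme file after a hash of its content, rewrites `url()`/`@import` references to match, and returns a manifest so the main file can still be found by looking up `theme.css`. The names `fingerprint_theme`, `hashed_name` and `SAMPLE` are hypothetical, and the theme is assumed to be available as an in-memory mapping of relative paths to bytes.

```python
import hashlib
import posixpath
import re

# url(...) (quotes optional) and @import "..." references inside a stylesheet.
REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")

def hashed_name(name, data):
    stem, ext = posixpath.splitext(name)
    return f"{stem}-{hashlib.sha256(data).hexdigest()[:12]}{ext}"

def fingerprint_theme(files):
    """files maps relative path -> bytes; returns (renamed files, old->new manifest)."""
    out, manifest = {}, {}

    def process(name, stack):
        if name in manifest:
            return manifest[name]
        data = files[name]
        if name.endswith(".css"):
            base = posixpath.dirname(name)

            def rewrite(m):
                g = 1 if m.group(1) else 2
                target = posixpath.normpath(posixpath.join(base, m.group(g)))
                # Remote, data:, absolute, unknown or cyclic references stay as written.
                if target not in files or target == name or target in stack:
                    return m.group(0)
                new = posixpath.relpath(process(target, stack + (name,)), base or ".")
                s, e = m.start(g) - m.start(), m.end(g) - m.start()
                return m.group(0)[:s] + new + m.group(0)[e:]

            data = REF.sub(rewrite, data.decode("utf-8")).encode("utf-8")
        # Hash after rewriting, so a changed dependency also renames its parents.
        manifest[name] = hashed_name(name, data)
        out[manifest[name]] = data
        return manifest[name]

    for name in files:
        process(name, ())
    return out, manifest

# Constructed sample theme, not taken from Plume.
SAMPLE = {
    "theme.css": b'@import "base.css";\nbody { background: url(img/bg.png); }\n',
    "base.css": b"a { color: teal; }\n",
    "img/bg.png": b"constructed image bytes",
}
```

References with query strings, fragments or spaces in the path are left untouched by this sketch, so a theme using them would need those cases handled before the original file names are dropped.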