Re: Should SECRET_KEY be allowed to be bytes?

2022-08-03 Thread Cristiano Coelho
Years later, sorry. But this is still broken and SECRET_KEY management is a mess! Even though you can now use bytes, this line here will blow up if you attempt to use bytes as a secret key: https://github.com/django/django/blob/3.2.14/django/core/checks/security/base.py#L202 Basically, we are

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-28 Thread Aymeric Augustin
I’m happy with that.

-- Aymeric.

> On 27 Dec 2016, at 19:49, Tim Graham wrote:
>
> Thanks Aymeric. How about this documentation addition:
>
> Uses of the key shouldn't assume that it's text or bytes. Every use should go through

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-27 Thread Tim Graham
Thanks Aymeric. How about this documentation addition: Uses of the key shouldn't assume that it's text or bytes. Every use should go through :func:`~django.utils.encoding.force_text` or :func:`~django.utils.encoding.force_bytes` to convert it to the desired type.

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-24 Thread Aymeric Augustin
Hello Andres,

We both seem to agree with the status quo — supporting both text and bytes.

On 24 Dec 2016, at 00:36, 'Andres Mejia' via Django developers (Contributions to Django itself) wrote:

> On 12/22/2016 05:15 PM, Aymeric Augustin wrote:
>> export

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-23 Thread 'Andres Mejia' via Django developers (Contributions to Django itself)
Hello, I saw these emails today and am finally getting around to responding to them now. I'm one of the people commenting to those issues about the SECRET_KEY being bytes and how I think it should still be allowed. I think there's a misunderstanding about what I said in those issues.

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-23 Thread Aymeric Augustin
On 23 Dec 2016, at 16:48, Tim Graham wrote:

> also allow bytestrings (even non-ASCII bytestrings as reported in #19980?).

There are arguments both ways. Allowing non-ASCII bytestring means every app that needs bytes must call force_bytes(settings.SECRET_KEY) instead of

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Ryan Hiebert
> On Dec 22, 2016, at 5:22 PM, Adam Johnson wrote:
>
> +1 to what Aymeric wrote. I was just drafting an email with a similar argument about how it's hard to manage pure bytes in config management systems that write to env vars, that's why ascii strings are so useful.
>

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Adam Johnson
+1 to what Aymeric wrote. I was just drafting an email with a similar argument about how it's hard to manage pure bytes in config management systems that write to env vars, that's why ascii strings are so useful. They're also easy to copy/paste and verify when adding them to your config

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Aymeric Augustin
Hello, In my opinion, recommending or enforcing that SECRET_KEY contain random bytes would be a backwards incompatible change, bring no practical advantage, and make it more difficult to manage SECRET_KEY securely. I’m -1 on that. startproject always generated an ASCII str on Python 2 and

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Ryan Hiebert
> On Dec 22, 2016, at 2:32 PM, Tim Graham wrote:
>
> Perhaps times have changed but I forgot to mention that 8 years ago Malcolm rejected the idea that more randomness is required in the secret key. From the reporter of #9687:

You're right, and I knew that, but

Re: Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Tim Graham
Perhaps times have changed but I forgot to mention that 8 years ago Malcolm rejected the idea that more randomness is required in the secret key. From the reporter of #9687: "The generation of the SECRET_KEY setting for a new site uses an artificially low number of characters due to a design

Should SECRET_KEY be allowed to be bytes?

2016-12-22 Thread Tim Graham
There's debate in #24994 about whether or not settings.SECRET_KEY should or may be a bytestring. Some select quotes to summarize the discussion: 1. Aymeric Augustin, "Once Django drops support for Python 2 you'll have to go out of your way to put bytes in the SECRET_KEY. Currently, since the