Years later, sorry. But this is still broken and SECRET_KEY management is a
mess!
Even though you can now use bytes, this line here will blow up if you
attempt to use bytes as a secret key:
https://github.com/django/django/blob/3.2.14/django/core/checks/security/base.py#L202
Basically, we are
I’m happy with that.
--
Aymeric.
> On 27 Dec 2016, at 19:49, Tim Graham wrote:
>
> Thanks Aymeric. How about this documentation addition:
>
> Uses of the key shouldn't assume that it's text or bytes. Every use should go
> through
Thanks Aymeric. How about this documentation addition:
Uses of the key shouldn't assume that it's text or bytes. Every use should go
through :func:`~django.utils.encoding.force_text` or
:func:`~django.utils.encoding.force_bytes` to convert it to the desired
type.
Hello Andres,
We both seem to agree with the status quo — supporting both text and bytes.
On 24 Dec 2016, at 00:36, 'Andres Mejia' via Django developers (Contributions
to Django itself) wrote:
> On 12/22/2016 05:15 PM, Aymeric Augustin wrote:
>> export
Hello,
I saw these emails today and am finally getting around to responding to
them now. I'm one of the people commenting to those issues about the
SECRET_KEY being bytes and how I think it should still be allowed. I
think there's a misunderstanding about what I said in those issues.
On 23 Dec 2016, at 16:48, Tim Graham wrote:
> also allow bytestrings (even non-ASCII bytestrings as reported in #19980?).
There are arguments both ways.
Allowing non-ASCII bytestring means every app that needs bytes must call
force_bytes(settings.SECRET_KEY) instead of
> On Dec 22, 2016, at 5:22 PM, Adam Johnson wrote:
>
> +1 to what Aymeric wrote. I was just drafting an email with a similar
> argument about how it's hard to manage pure bytes in config management
> systems that write to env vars, that's why ascii strings are so useful.
>
+1 to what Aymeric wrote. I was just drafting an email with a similar
argument about how it's hard to manage pure bytes in config management
systems that write to env vars, that's why ascii strings are so useful.
They're also easy to copy/paste and verify when adding them to your config
Hello,
In my opinion, recommending or enforcing that SECRET_KEY contain random bytes
would be a backwards incompatible change, bring no practical advantage, and
make it more difficult to manage SECRET_KEY securely. I’m -1 on that.
startproject always generated an ASCII str on Python 2 and
> On Dec 22, 2016, at 2:32 PM, Tim Graham wrote:
>
> Perhaps times have changed but I forgot to mention that 8 years ago Malcolm
> rejected the idea that more randomness is required in the secret key. From
> the reporter of #9687:
You're right, and I knew that, but
Perhaps times have changed but I forgot to mention that 8 years ago Malcolm
rejected the idea that more randomness is required in the secret key. From
the reporter of #9687:
"The generation of the SECRET_KEY setting for a new site uses an
artificially low number of characters due to a design
There's debate in #24994 about whether or not settings.SECRET_KEY should or
may be a bytestring. Some select quotes to summarize the discussion:
1. Aymeric Augustin, "Once Django drops support for Python 2 you'll have to
go out of your way to put bytes in the SECRET_KEY.
Currently, since the