Re: Trimming in the settings file (Was: Re: Follow-up to #28307: Possible app_template improvements)

Mon, 26 Jun 2017 22:56:08 -0700 

Hello Melvyn,

> On 26 Jun 2017, at 12:21, Melvyn Sopacua <m.r.sopa...@gmail.com> wrote:
> 
> keep STATIC_URL (which I rarely change) but remove STATIC_ROOT (which is 
> different per project and sometimes even per install) is beyond me.

Back when Apache + mod_wsgi was the standard deployment stack, collecting 
staticfiles inside the project tree was a bad security practice. For that 
reason it couldn't be the default. A safer default value such as 
`/var/www/{project_name}/static` would require additional setup and wouldn't 
work well as a default.

(It's a bad security practice because developers just trying to make it work 
tend to `chmod -R www-data:www-data /home/{project_name}`, making their whole 
source tree world-readable, because they're having trouble getting static files 
to work.)

Nowadays it's more common to serve static files from a third-party system such 
as CloudFront + S3 which doesn't require STATIC_ROOT or with a middleware like 
whitenoise which doesn't suffer from this concern. Only in the latter case is 
`STATIC_ROOT = os.path.join(ROOT_DIR, 'static')` a valid default.

Given this range of options, I still find it best for users to think about what 
they're doing, read the docs, hopefully review security considerations, define 
the settings they need and understand their deployment. I also believe that 
unused settings can be confusing and make it more difficult to diagnose 
deployment problems.

I'm sure there's a more extensive project template somewhere that will suit 
your needs better.

Best regards,

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/3D52B789-F9E1-497D-B5C1-C994D1581155%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to