Hi Flo, > And there are plenty more things to consider; for instance I do not > agree that it makes sense to have "SECRET_KEY" default to a value when > missing in the env. It is way to easy to type "SECRT_KEY" and never > realize that. So if "SECRET_KEY" is taken from the environment it should > fail loudly if it is not present. "DEBUG" is in a similar category there > but could default to False to be safe.
There is a trade-off between security and development convenience here. At the moment, the settings generated by manage.py startproject are geared towards development (random default value for SECRET_KEY, DEBUG = False). Personally, I like to keep that convenience, so I do SECRET_KEY = os.environ.get(SECRET_KEY, original_default_value) There is also manage.py check --deploy. This catches DEBUG = True, but not SECRET_KEY. Would it be a good idea to prefix the default SECRET_KEY with something like "insecure-" and check for that in manage.py check --deploy? > I personally rather have no solution in Django itself before forcing a > half-baked one down everyone. Also please note that the bar to add this > to Django is very high since it can (at least for things like > django-environ) easily live outside of Django with no realy downside. +1 -- René Fleschenberg -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/e10f9b32-41af-5cd1-a55d-8b8a9adf4f59%40fleschenberg.net.
