I agree with the others. This is very much the correct step going
forward. These fallback methods have worried me, and definitely weaken
the security of the improvements.
One idea I had been kicking around was some way to tell Django what
version of these things to expect, and disable the fallback
+1, this seemed kludgy to me and had potential insecurities as it was.
You're only as strong as your weakest link, right?
All the best,
- Gabriel
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to dj
On Mon, Mar 28, 2011 at 4:19 PM, Luke Plant wrote:
> Proposal: remove compatibility fallbacks for short-lifetime signed data
> (shortening the deprecation process).
Sounds perfectly fine to me. Skipping versions is generally a dicey
idea anyway, so recommending a brief stop in 1.3 for people goin
Proposal: remove compatibility fallbacks for short-lifetime signed data
(shortening the deprecation process).
= Explanation =
In 1.3, various bits of code were updated to use a better system for
signing using the SECRET_KEY. However, for compatibility with existing
data, the old methods were left
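To make the "weakest link" concern in this thread concrete, here is an added illustration (my own sketch, not Django's signing code): a versioned, salted, timestamped signer whose strict verifier accepts only the current format, next to a verifier that keeps a compatibility fallback to a hypothetical unsalted, untimestamped legacy scheme. The legacy format, the "v2:" prefix, the SECRET_KEY value and the key derivation are all assumptions made up for the example.

```python
# Added example, not Django's code. Legacy scheme, "v2" format and key
# derivation are constructed for illustration only.
import hashlib
import hmac
import time

SECRET_KEY = "constructed-example-secret"  # constructed value, not a real key


def _mac(key: str, salt: str, msg: str) -> str:
    # Salted HMAC: the salt keeps signatures from one context (e.g. sessions)
    # from being replayed in another that shares the same SECRET_KEY.
    derived = hashlib.sha256((salt + key).encode()).digest()
    return hmac.new(derived, msg.encode(), hashlib.sha256).hexdigest()


def legacy_sign(value: str, key: str = SECRET_KEY) -> str:
    # Hypothetical old scheme: unsalted, no timestamp, no version tag.
    return value + ":" + hashlib.sha1((value + key).encode()).hexdigest()


def sign(value: str, salt: str, key: str = SECRET_KEY, now=None) -> str:
    # Current scheme: version tag + value + issue time, then a salted MAC.
    ts = str(int(now if now is not None else time.time()))
    body = "v2:" + value + ":" + ts
    return body + ":" + _mac(key, salt, body)


def verify(token: str, salt: str, max_age: int, key: str = SECRET_KEY, now=None):
    # Strict verifier: only the current version, constant-time compare,
    # and a bounded lifetime so short-lived data needs no long-term fallback.
    parts = token.rsplit(":", 1)
    if len(parts) != 2 or not parts[0].startswith("v2:"):
        return None
    body, mac = parts
    if not hmac.compare_digest(mac, _mac(key, salt, body)):
        return None
    head, ts = body.rsplit(":", 1)
    age = (now if now is not None else time.time()) - int(ts)
    if age < 0 or age > max_age:
        return None
    return head[3:]


def verify_with_fallback(token: str, salt: str, max_age: int, key: str = SECRET_KEY, now=None):
    # Compatibility fallback: whatever the legacy scheme accepts still passes,
    # with no salt and no expiry, so the system is only as strong as the
    # legacy scheme for as long as this branch is kept.
    value = verify(token, salt, max_age, key, now)
    if value is not None or ":" not in token:
        return value
    head, mac = token.rsplit(":", 1)
    if hmac.compare_digest(mac, hashlib.sha1((head + key).encode()).hexdigest()):
        return head
    return None
```

The strict verifier rejects legacy tokens outright and expires current ones after `max_age`, whereas the fallback verifier accepts a legacy token indefinitely, which is exactly the exposure the proposal removes.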