Well, it will be used by the user deploying the application. This can be the
developer or even multiple end-users (if the application itself is
distributed). In both cases there would be a simple deployment instruction:
"Upon installation you need to execute 'pyramid-keygen -w cookie_secret -b
256'" or similar. Then you have a secret file and can use it in your
application. Otherwise each developer has to develop their own method of
generating such a secret during the deployment process. Furthermore, we
could then add a hint to the documentation to use this if they want a
strong secret (see below).

Yeah, I took a step back, changed it to be only a callable and made it very
simple again. Take a look at the corresponding commit and tell me if it is
still too much.

If you approve, I would really recommend changing the docs at least
with regard to a notice that the default behavior is at least not *that* secure.
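
The deployment step discussed in this message (generate a 256-bit secret into a file once, then read it at application start-up), as an added sketch that is not code from the message, the commit it mentions, or Pyramid. The names `write_secret` and `load_secret`, the hex encoding and the 0600 permission policy are assumptions.

```python
import os
import secrets
import stat
import tempfile


def write_secret(path, bits=256):
    """Create `path` holding `bits` of CSPRNG output, hex-encoded, mode 0600."""
    if bits < 128 or bits % 8:
        raise ValueError("bits must be a multiple of 8 and at least 128")
    # O_EXCL: never overwrite an existing secret (that would invalidate
    # every cookie already issued) and never write into a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_hex(bits // 8))


def load_secret(path, min_bits=256):
    """Read the secret at start-up, refusing exposed or too-short files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other ({oct(mode)})")
    with open(path) as fh:
        secret = bytes.fromhex(fh.read().strip())
    if len(secret) * 8 < min_bits:
        raise ValueError(f"{path} holds fewer than {min_bits} bits")
    # The caller hands this value to whatever signs the cookies.
    return secret


if __name__ == "__main__":
    # Constructed demo in a throwaway directory.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "cookie_secret")
        write_secret(p, 256)
        print(len(load_secret(p)), "bytes loaded")
```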