[Django] #31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.


Django

Jul 2, 2020, 4:27:16 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
------------------------------------------------+------------------------
Reporter: Carlton Gibson | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version: 3.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
[https://groups.google.com/d/topic/django-developers/CIPgeTetYpk/discussion Recent thread on the mailing list about making the default settings more 12 factor friendly]. (Related to similar discussions in say #20081.)

Conclusion there was that environment variables are only one way to go.
(...)

In the discussion it came up that we could prefix the generated SECRET_KEY
with say, `dj::insecure` and then add a deployment system check to ensure
that wasn't used in production. (Paraphrasing various points: might not be
100% robust but would capture most cases.)

So:

* Prefix secret key in project template.
* Add system check to ensure secret key does not have prefix.

--
Ticket URL: <https://code.djangoproject.com/ticket/31757>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
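The two-part proposal above (a prefixed default key in the project template plus a deployment check that refuses it), as an added example that is not part of the ticket or of Django's own code. The `CheckMessage` class stands in for `django.core.checks` messages, the `example.*` ids are placeholders, and the prefix is the one proposed here (Django 3.2 eventually shipped `django-insecure-`).

```python
import secrets
from dataclasses import dataclass

# Prefix proposed in the ticket (an assumption here; Django 3.2 shipped
# "django-insecure-"). Length/uniqueness limits mirror Django's existing
# SECRET_KEY heuristics.
INSECURE_PREFIX = "dj::insecure"
MIN_LENGTH = 50
MIN_UNIQUE_CHARS = 5


@dataclass(frozen=True)
class CheckMessage:
    """Stand-in for django.core.checks.Warning / Error (placeholder ids)."""
    level: str
    id: str
    msg: str


def generate_default_secret_key(prefix: str = INSECURE_PREFIX) -> str:
    """What the project template would write into settings.py: random
    enough for local development, but visibly marked as autogenerated."""
    return prefix + secrets.token_urlsafe(48)


def check_secret_key(secret_key, deploy: bool = False,
                     prefix: str = INSECURE_PREFIX) -> list:
    """Deployment system check: returns the list of problems found, or []
    when not run in deploy mode (``manage.py check --deploy``)."""
    if not deploy:
        return []
    if not isinstance(secret_key, str) or not secret_key:
        return [CheckMessage("ERROR", "example.E001",
                             "SECRET_KEY must be a non-empty string.")]
    issues = []
    # Test the prefix first: an autogenerated key is long and high-entropy,
    # so the length/uniqueness heuristics below alone would pass it.
    if secret_key.startswith(prefix):
        issues.append(CheckMessage(
            "WARNING", "example.W001",
            f"SECRET_KEY starts with {prefix!r}: it was generated by the "
            "project template and must be replaced before deployment."))
    if len(secret_key) < MIN_LENGTH or len(set(secret_key)) < MIN_UNIQUE_CHARS:
        issues.append(CheckMessage(
            "WARNING", "example.W002",
            f"SECRET_KEY has fewer than {MIN_LENGTH} characters or fewer "
            f"than {MIN_UNIQUE_CHARS} unique characters."))
    return issues
```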

Django

Jul 2, 2020, 5:03:28 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* version: 3.0 => master
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:1>

Django

Jul 2, 2020, 6:40:21 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by René Fleschenberg):

Shai Berger suggested an alternative approach: Marking the string as
insecure by making it an instance of a custom str subclass
(https://groups.google.com/d/msg/django-developers/CIPgeTetYpk/3a0lkAu-BgAJ).
I am not sure which of the two approaches we prefer.

--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:2>

Django

Jul 2, 2020, 6:41:09 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by René Fleschenberg):

* cc: René Fleschenberg (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:3>

Django

Jul 3, 2020, 5:11:58 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* cc: Shai Berger (added)


Comment:

Replying to [comment:2 René Fleschenberg]:

> Shai Berger suggested an alternative approach: Marking the string as
> insecure by making it an instance of a custom str subclass
> (https://groups.google.com/d/msg/django-developers/CIPgeTetYpk/3a0lkAu-BgAJ).
> I am not sure which of the two approaches we prefer.

Prefix is fine, IMO.

--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:4>

Django

Jul 13, 2020, 4:58:44 PM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* owner: nobody => kosc
* status: new => assigned
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/13183 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:5>

Django

Jul 22, 2020, 3:48:34 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Carlton Gibson):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:6>

Django

Jul 22, 2020, 5:45:20 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Shai Berger):

Replying to [comment:4 felixxm]:

> Replying to [comment:2 René Fleschenberg]:
> > Shai Berger suggested an alternative approach: Marking the string as
> > insecure by making it an instance of a custom str subclass
>
> Prefix is fine, IMO.

Missed this earlier... prefix is fine IMO too.

--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:7>

Django

Oct 23, 2020, 4:53:18 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
--------------------------------------+------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Nick Pope):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:8>

Django

Nov 11, 2020, 6:41:34 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
-------------------------------------+-------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: assigned
Component: Core (System checks) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:9>

Django

Nov 11, 2020, 7:28:08 AM
to django-...@googlegroups.com
#31757: Adjust default SECRET_KEY to use `dj::insecure` prefix and add matching deployment system check.
-------------------------------------+-------------------------------------
Reporter: Carlton Gibson | Owner: kosc
Type: New feature | Status: closed
Component: Core (System checks) | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"b7f500396e05cd1f0bb8901fce16e2d8393d2779" b7f5003]:
{{{
#!CommitTicketReference repository="" revision="b7f500396e05cd1f0bb8901fce16e2d8393d2779"
Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about
autogenerated default keys.

Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31757#comment:10>
