As promised, the PR: https://github.com/django/django/pull/13120. I also had 
to touch TokenResetGenerator since it stores the secret in a class-level 
variable, and that would prevent the server startup either way… 

Let's see what the full test suite says, but I cannot really imagine many 
issues.

On Sunday, June 28, 2020 at 10:27:44 AM UTC+2 Florian Apolloner wrote:

> On Sunday, June 28, 2020 at 1:23:25 AM UTC+2 timog...@gmail.com wrote:
>
>> It seems like it could be insecure to move that to a system check as "For 
>> performance reasons, checks are not run as part of the WSGI stack that is 
>> used in deployment." (Also, it seems impossible to write a system check 
>> that determines whether or not a project will consult SECRET_KEY.)
>>
>
> The check if it is empty can be done on access in LazySettings without any 
> real overhead. We are even calling url validators when accessing 
> MEDIA_URL/STATIC_URL 
> (https://github.com/django/django/blob/62d85a283500e9abb0e1c9ec53c59be468f056a0/django/conf/__init__.py#L152-L158) 
> -- so we really don't have to talk about overhead here :D
>
> I will try to remove those properties and move the checks into 
> `__getattr__`, this should result in a (small) one time overhead. PR(s) to 
> follow.
>
> I think a deployment system check for non-empty SECRET_KEY might also make 
> sense.
>
> Cheers,
> Florian 
>
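
An added sketch of the two points in this message, not code from the PR or from Django: a settings wrapper that rejects an empty SECRET_KEY on first access in `__getattr__` and caches the value, and the difference between reading the secret in a class-level variable and reading it at use time. `LazySettings` here is a simplified stand-in, and `define_eager_generator`, `EagerTokenGenerator`, `LazyTokenGenerator` and the local `ImproperlyConfigured` are hypothetical names.

```python
import hashlib
import hmac


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


class LazySettings:
    """Hypothetical, simplified wrapper; not Django's real LazySettings."""

    def __init__(self, **values):
        self._values = values

    def __getattr__(self, name):
        # Reached only when normal attribute lookup misses (first access).
        try:
            value = self._values[name]
        except KeyError:
            raise AttributeError(name) from None
        if name == "SECRET_KEY" and not value:
            raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
        # Cache on the instance: later reads never enter __getattr__ again,
        # so the check is a one-time cost.
        self.__dict__[name] = value
        return value


def define_eager_generator(settings):
    class EagerTokenGenerator:
        # Class body runs at definition time, so the secret is read (and the
        # check fires) as soon as the module is imported.
        secret = settings.SECRET_KEY

    return EagerTokenGenerator


class LazyTokenGenerator:
    """Reads the secret only when a token is actually made."""

    def __init__(self, settings):
        self._settings = settings

    def make_token(self, value):
        key = self._settings.SECRET_KEY.encode()
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
```

With an empty key, defining the eager class fails immediately, while the lazy generator can be constructed and fails only when `make_token` is called.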
