"Real" config should not be in the version control system; only a reference
config should be stored in version control.

Consider database credentials: they should not be publicly available
/ downloadable from the Internet, and they fall in the same category:
sensitive information in settings.py.
Memcache credentials: in many cases memcache is unprotected.

I think the docs should be updated to reflect sensitive settings.py
variables, which are confidential, and provide a "best practices" way
({local|secret}_settings.py ?) for deployment :). Perhaps a manage.py
command to generate a secret of adequate strength / randomness would be
beneficial.



Kristaps Kūlis



On Mon, Mar 21, 2011 at 4:59 PM, Matt Harasymczuk <m...@harasymczuk.pl> wrote:
> I had an idea.
> From time to time I find on the Internet a django app source code with
> secret_key shown.
>
> how about creating a secret.key file next to settings.py in main
> project module, which should be added by developer
> to .gitignore, .hgignore or equivalent
>
> in settings we read key from file to SECRET_KEY and we go as usual.
>
> SECRET_KEY = open("secret.key").read()
>
> then, a django-admin startproject should give a warning "add
> secret.key to your version management system ignore file", it should
> automatically put a generated secret phrase into this file
>
> what about downloading an app from the Internet
>
> manage.py createsecret
> will ask if we want to generate new secret file
> if file exists, and overwrite an existing one
>
> Django has to be pythonic, therefore
> cat secretkey.py
>
> SECRET_KEY = "as it goes usual"
>
> and in settings file
>
> from .secretkey import *
>
>
> What do you think?
> IMHO both these ways are good
>
>
> --
> Matt Harasymczuk
> http://www.matt.harasymczuk.pl
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to 
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/django-developers?hl=en.
>
>

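The two ideas in this thread (a `secret.key` file kept out of version control, and a generated secret of adequate randomness) can be combined as in the following added example, which is not code from either poster or from Django. The function names, alphabet and 50-character length are assumptions made for the sketch.

```python
import os
import secrets
import stat
import string

# Assumed alphabet and length for this sketch; neither comes from the thread.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"
KEY_LENGTH = 50


def generate_secret_key(length=KEY_LENGTH):
    """Return a key drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def load_or_create_secret_key(path):
    """Read the key at `path`, creating it (owner-only) if it is missing."""
    try:
        # O_EXCL: fail rather than overwrite an existing key; 0o600: owner only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        mode = os.stat(path).st_mode
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/others")
        with open(path, encoding="utf-8") as fh:
            key = fh.read().strip()  # drop the trailing newline an editor adds
        if len(key) < KEY_LENGTH:
            raise ValueError(f"{path} holds a key shorter than {KEY_LENGTH} chars")
        return key
    key = generate_secret_key()
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
    return key


# In settings.py (locating the file next to the settings module is an assumption):
# SECRET_KEY = load_or_create_secret_key(
#     os.path.join(os.path.dirname(__file__), "secret.key"))
```

The key file still has to be listed in `.gitignore`, `.hgignore` or the equivalent, as the original proposal says.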