"real" config should not be in version control system, only reference config should be stored in version control.
Consider database credentials - they should not be publicly available / downloadable from the internet, and they fall in the same category - sensitive information in settings.py. Memcache credentials - in many cases memcache is unprotected.

I think docs should be updated to reflect sensitive settings.py variables, which are confidential, and provide a "best practices" way ({local|secret}_settings.py ?) for deployment :). Perhaps a manage.py command to generate a secret of adequate strength / randomness would be beneficial.

Kristaps Kūlis

On Mon, Mar 21, 2011 at 4:59 PM, Matt Harasymczuk <m...@harasymczuk.pl> wrote:
> I had an idea.
> From time to time I find on the Internet a django app source code with
> secret_key shown.
>
> how about creating a secret.key file next to settings.py in main
> project module, which should be added by developer
> to .gitignore, .hgignore or equivalent
>
> in settings we read key from file to SECRET_KEY and we go as usual.
>
> SECRET_KEY = open("secret.key").read()
>
> then, a django-admin startproject should give a warning "add
> secret.key to your version management system ignore file", it should
> automatically put a generated secret phrase to this file
>
> what about downloading an app from the Internet
>
> manage.py createsecret
> will ask if we want to generate new secret file
> if file exists, and overwrite an existing one
>
> Django has to be pythonic, therefore
> cat secretkey.py
>
> SECRET_KEY = "as it goes usual"
>
> and in settings file
>
> from .secretkey import *
>
>
> What do you think?
> IMHO both these ways are good
>
>
> --
> Matt Harasymczuk
> http://www.matt.harasymczuk.pl
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to
> django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
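
The approach discussed in this thread (a key file kept out of version control, generated with adequate randomness on first use), as an added example that is not part of the original messages and not Django's own code. The function names, the 50-character minimum and the owner-only file mode are assumptions of this sketch.

```python
import os
import secrets
import stat

MIN_KEY_LENGTH = 50  # assumed lower bound for this example


def create_secret_file(path, overwrite=False):
    """Write a fresh random key to `path`, readable by the owner only."""
    key = secrets.token_urlsafe(48)  # 48 random bytes -> 64 URL-safe chars
    # O_EXCL makes creation fail instead of silently replacing an existing key.
    mode_flag = os.O_TRUNC if overwrite else os.O_EXCL
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | mode_flag, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    os.chmod(path, 0o600)  # enforce the mode regardless of umask or old mode
    return key


def load_secret_key(path):
    """Read the key, rejecting files others can access and short keys."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path) as fh:
        key = fh.read().strip()  # tolerate a trailing newline from editors
    if len(key) < MIN_KEY_LENGTH:
        raise ValueError(f"{path} holds a key shorter than {MIN_KEY_LENGTH} chars")
    return key


def get_secret_key(path):
    """What settings.py would call: load the key, generating it on first run."""
    try:
        return load_secret_key(path)
    except FileNotFoundError:
        return create_secret_file(path)
```

In settings.py this would be used as `SECRET_KEY = get_secret_key(...)` with an absolute path to a file listed in .gitignore or .hgignore, so the key does not depend on the process working directory.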