> On Dec 22, 2016, at 1:41 PM, Tim Graham <timogra...@gmail.com> wrote:
>
> There's debate in #24994 about whether or not settings.SECRET_KEY should or
> may be a bytestring. Some select quotes to summarize the discussion:
>
> [snip]
>
> I hope we can come to a decision and at least clarify the documentation.
> Perhaps deferring a code change (if any) until Django 2.0 so that only Python
> 3 is a consideration would help.
>
> https://code.djangoproject.com/ticket/24994
> https://code.djangoproject.com/ticket/19980

It seems to me that whatever option is chosen, it should support some mechanism that all provided bytes be random. In the case of using ascii-only bytes, this is not the case.

With that goal in mind, I think there are, at least in principle, two choices, and the correct one depends on what is a more important priority.

If it's more important to transparently have the right data type, then we should use bytes. This may mean that we prefer to generate bytes that are not fully random (top bits are always 0, etc.) so that we can avoid escape sequences.

If we'd rather ensure that all of the bits we generate both avoid escape sequences and provide all of their own bytes randomly, then we'll need to have settings.SECRET_KEY be an encoded bytes, perhaps base64. In that case, it likely doesn't matter whether it's a string or a bytes, as base64.b64decode permits either.

I suspect making SECRET_KEY encoded with something like base64 is likely a non-starter due to backward compatibility, so that means to me that using bytes would be preferable.
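
The trade-off discussed in this message, as an added example that is not part of the original post and is not Django's own code: it compares how much entropy fits into the same number of stored bytes for an ASCII-only key, raw random bytes, and base64-encoded random bytes, and shows `base64.b64decode` accepting both `str` and `bytes`. The function names and the letters-and-digits alphabet are assumptions made for illustration.

```python
import base64
import math
import secrets
import string

# Assumption: letters and digits stand in for "ascii-only bytes";
# this is not Django's actual key-generation alphabet.
ASCII_ALPHABET = string.ascii_letters + string.digits


def ascii_key(n_chars):
    """ASCII-only key: top bit of every byte is 0, no escapes in source."""
    return "".join(secrets.choice(ASCII_ALPHABET) for _ in range(n_chars))


def raw_key(n_bytes):
    """Fully random bytes: 8 bits per byte, but the literal needs \\x escapes."""
    return secrets.token_bytes(n_bytes)


def b64_key(n_bytes):
    """Fully random bytes stored as base64 text, so the setting stays ASCII."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def decode_b64_secret(value):
    """Recover the key bytes from a base64 setting given as str or bytes."""
    return base64.b64decode(value, validate=True)


def entropy_bits(n_symbols, alphabet_size):
    """Entropy of n_symbols drawn uniformly from alphabet_size values."""
    return n_symbols * math.log2(alphabet_size)


def compare(n=32):
    """Entropy in bits carried by n stored bytes under each representation."""
    return {
        "ascii": entropy_bits(n, len(ASCII_ALPHABET)),
        "raw": entropy_bits(n, 256),
        # n base64 characters decode to 3*n/4 fully random bytes.
        "base64": entropy_bits(n * 3 // 4, 256),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:7s}{bits:7.1f} bits of entropy in 32 stored bytes")
    stored = b64_key(32)
    print(decode_b64_secret(stored) == decode_b64_secret(stored.encode("ascii")))
```

With base64 the decoded key is uniformly random in every bit, while the stored text still carries only 6 bits per character; the ASCII-only key is used as-is, so its bytes never have the top bit set.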