Re: Should SECRET_KEY be allowed to be bytes?

2016-12-28 Thread Aymeric Augustin
I’m happy with that.

-- 
Aymeric.

> On 27 Dec 2016, at 19:49, Tim Graham  wrote:
> 
> Thanks Aymeric. How about this documentation addition:
> 
> Uses of the key shouldn't assume that it's text or bytes. Every use should go
> through :func:`~django.utils.encoding.force_text` or
> :func:`~django.utils.encoding.force_bytes` to convert it to the desired type.
> 
> https://github.com/django/django/pull/7750 
> 
> 
> Adam created https://code.djangoproject.com/ticket/27635 about the "use secrets" idea.
> 
> On Saturday, December 24, 2016 at 4:52:38 PM UTC-5, Aymeric Augustin wrote:
> Hello Andres,
> 
> We both seem to agree with the status quo — supporting both text and bytes.
> 
> 
> On 24 Dec 2016, at 00:36, 'Andres Mejia' via Django developers (Contributions to Django itself) wrote:
>> On 12/22/2016 05:15 PM, Aymeric Augustin wrote:
>>> export SECRET_KEY=… # generated with pwgen -s 50
>> What do you think is ultimately being used in the pwgen program? I'm going 
>> to guess, at least on POSIX systems, it is /dev/urandom or /dev/random, both 
>> of which return random bytes.
> 
> I understand this, but it doesn’t change my argument. I’m saying that the 
> format of SECRET_KEY doesn’t matter, as long as it contains enough entropy, 
> since it will be injected in hashing algorithms designed to extract the 
> entropy. I think we can agree on this.
> 
> We have different preferences for that format. You like keeping the original 
> raw binary data SECRET_KEY. I find it more convenient to convert it to an 
> ASCII-safe format, for example with pwgen. I really think this boils down to 
> taste. I don’t think we can conclusively determine that one approach is 
> superior to the other. I think my technique is more beginner friendly; while 
> not applicable to you, it’s a concern for Django in general.
> 
> The only cost of supporting both options is that every use must go either 
> through force_text or force_bytes to convert to a known type. 
> 
>>> - “I think it's fair to assume devs using the SECRET_KEY know it must be 
>>> used as bytes.” — well that doesn't include me or any Django dev I ever 
>>> talked to about this topic
>> (..)
> 
> Oops, I misunderstood “used as bytes” to mean “defined as bytes”. Sorry. I 
> withdraw this.
> 
> 
> And since I’ve been waving my hands about the types Django expects in a 
> previous email, here’s the full audit. Below, text means unicode on Python 2 
> and str on Python 3. ASCII-safe bytes means bytes containing only 
> ASCII-characters, so they can be used transparently as if they were text on 
> Python 2, because it will call decode() implicitly.
> 
> - django/conf/global_settings.py
> 
> Sets the default to an empty text string (note the unicode_literals import at 
> the top for Python 2).
> 
> - django/conf/settings.py-tpl
> 
> Sets the generated value to ASCII-safe bytes on Python 2 and text on Python 3 
> (no unicode_literals there).
> 
> - django/core/signing.py:
> 
> Calls force_bytes to support bytes and text in get_cookie_signer.
> 
> - django/utils/crypto.py:
> 
> Calls force_bytes to support bytes and text in salted_hmac.
> 
> Assumes SECRET_KEY contains text in the `if not using_sysrandom` branch of 
> `get_random_string`. This is the bug I hinted at in a previous email. It must 
> have appeared when adding the unicode_literals import to that file. No one 
> complained since June 2012. It only affects people setting their SECRET_KEY 
> to bytes on Python 3 or ASCII-unsafe bytes on Python 2 on Unix-like systems 
> that don’t provide /dev/urandom. This sounds uncommon.
> 
> While we’re there, we should use 
> https://docs.python.org/3/library/secrets.html#module-secrets on Python >= 3.6.
> 
> 
> Best regards,
> 
> -- 
> Aymeric.
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/50b9dde6-4bab-4f00-b739-df06e90cce3f%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

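As an added illustration of the two points in the audit above (every use of the key going through force_bytes, and the non-sysrandom fallback in get_random_string that assumes text), this is example code written for this page, not Django's own; force_bytes and the seeding shape are simplified stand-ins, and the key is a constructed sample:

```python
import hashlib
import hmac

# Constructed sample: the same ASCII-safe key as text and as bytes (assumed to
# stand in for a SECRET_KEY generated with enough entropy, e.g. pwgen -s 50).
KEY_TEXT = "tA9vQ3mL0xZr7pHc2sWq8nB5dKf4jYe6gUi1oXa3cRt0lMz9"
KEY_BYTES = KEY_TEXT.encode("ascii")


def force_bytes(value, encoding="utf-8"):
    """Simplified stand-in for django.utils.encoding.force_bytes
    (assumption: only str and bytes inputs matter for this demonstration)."""
    if isinstance(value, bytes):
        return value
    return str(value).encode(encoding)


def salted_hmac(key_salt, value, secret):
    """Same shape as django.utils.crypto.salted_hmac: derive a per-purpose key
    from the secret, then HMAC-SHA1 the value. Every input is normalised with
    force_bytes, so a text SECRET_KEY and a bytes SECRET_KEY sign identically."""
    key = hashlib.sha1(force_bytes(key_salt) + force_bytes(secret)).digest()
    return hmac.new(key, msg=force_bytes(value), digestmod=hashlib.sha1).hexdigest()


def seed_material_text_assumed(state, secret):
    """Reproduces the failure mode: the fallback builds a text string with
    %s formatting before encoding it. On Python 3 a bytes secret is formatted
    as its repr ("b'...'"), so the text and bytes forms of one key diverge."""
    return ("%s%s" % (state, secret)).encode("utf-8")


def seed_material_fixed(state, secret):
    """Corrected version: convert the secret explicitly before mixing it in."""
    return force_bytes(state) + force_bytes(secret)


def keys_agree(seed_fn):
    """True if seed_fn yields identical material for the text and bytes key."""
    return seed_fn("state-123", KEY_TEXT) == seed_fn("state-123", KEY_BYTES)
```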

Re: Django 2.0 Python version support (Python 3.6+ only?)

2016-12-28 Thread Claude Paroz
I would like to voice my support for Florian's arguments. It's not only 
RedHat, Debian is also concerned. The current Jessie stable version which 
will be supported probably until mid-2018 is Python 3.4, and the upcoming 
stable version will most probably be Python 3.5. So a strong -1 for 
dropping 3.5 for Django 2.0. For Python 3.4, we might bring the issue to 
the technical board.
Dropping Python 2 will already be a strong progress and might allow nice 
improvements for Django.

Claude

On Tuesday, December 27, 2016 at 21:25:39 UTC+1, Florian Apolloner wrote:
>
> Imo we should not drop Python versions overeagerly. After all I do not 
> wanna compile our own python for djangoproject.com :D Given that Redhat 
> is on Python 3.4 for the foreseeable future, I'd actually even like to see 
> 3.4 still supported in Django 2.0 unless there is a good reason to drop it. 
> Fwiw, Ubuntu Trusty which is LTS and still supported also is on Python 3.4. 
> So unless there are compelling arguments to drop 3.4, let's keep it as long 
> as it is not too much work.
>
> Either way, I am completely against dropping Python 3.5 now -- let's make 
> the Django 2.0 migration not more painful than it has to be (ie I do not 
> want to force people to upgrade existing supported systems just to get the 
> latest python and therefore Django).
>
> Cheers,
> Florian
>



Re: Django 2.0 Python version support (Python 3.6+ only?)

2016-12-28 Thread Aymeric Augustin
> On 28 Dec 2016, at 15:53, Claude Paroz  wrote:
> 
> Dropping Python 2 will already be a strong progress and might allow nice 
> improvements for Django.

+1

The Python 3 transition will materialize brutally for many developers when they 
can’t upgrade Django anymore without upgrading Python as well.

I’m in favor of not making it more difficult to upgrade to Python 3 by not 
supporting versions available on Debian or Ubuntu stable.

(This isn’t an argument for supporting a particular version; I didn’t check the 
timeline precisely; it's a general inclination.)

-- 
Aymeric.



Re: Django 2.0 Python version support (Python 3.6+ only?)

2016-12-28 Thread Claude Paroz
Any idea why my message in this thread was deleted?

Claude



Re: Django 2.0 Python version support (Python 3.6+ only?)

2016-12-28 Thread Tim Graham
There may be a bug in Google Groups -- I've seen my own messages deleted 
like that.

On Wednesday, December 28, 2016 at 2:41:59 PM UTC-5, Claude Paroz wrote:
>
> Any idea why my message in this thread was deleted?
>
> Claude
>



Re: Django 2.0 Python version support (Python 3.6+ only?)

2016-12-28 Thread Karen Tracey
On Wed, Dec 28, 2016 at 2:41 PM, Claude Paroz  wrote:

> Any idea why my message in this thread was deleted?
>

No idea. It was held in moderation as "possible spam" for reason only
Google Groups knows. When GG does this, it does not send moderators a note
about it until 3 or 4 days later. This one I happened to see when I went to
moderate a post from a first-time poster, and I sent both through. It came
through in email. No idea why in the group it shows up as "deleted". Maybe
it will re-appear in the group eventually...

Karen
