Suggestion: "django-admin startproject" should not put secrets in settings.py

2020-07-26 Thread Roy Smith
In the past, I've worked on a couple of django projects where we violated the:

> # SECURITY WARNING: keep the secret key used in production secret!

advice because on day one, somebody didn't know what they were doing and 
never fixed it.  Looking around at a collection of django projects (by various 
developers), I see that's often the case.  SECRET_KEY, oauth keys, aws keys, 
etc all end up in settings.py files.  And show up in github, etc.

This is not terribly surprising.  I expect most people just sit down with the 
tutorial, follow the first example:

> $ django-admin startproject mysite

and instantly have a working, but insecure, setup.

So, why not have startproject start people off on the right foot?  Build a 
settings.py file and a secret_settings.py file.  Put the SECRET_KEY in 
secrets.py.  Have settings.py do "from secret_settings import SECRET_KEY".  
Make secret_settings.py mode 0400 by default (or whatever that translates to on 
windows).  Print out a message telling people to exclude secret_settings.py 
from version control.


As people add more secrets, they have a low-effort path to continuing to do 
something reasonable.  A more sophisticated user can tear that out and replace 
it with their own secrets infrastructure.  But, at least we will have started 
newbies off with something reasonable.

I see this has been discussed before, but I disagree with a lot of the 
opinions in that thread.  This wouldn't be forcing developers to do it any 
specific way.  It just provides a default that's better than the current 
default.  Expecting newbies to follow best practices just because they're 
documented somewhere is irrational, as can be seen by perusing github.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/E7AED784-145B-45A5-9C23-8700E72E5CB8%40panix.com.
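
The layout proposed in the message above, sketched as an added example (it is not part of the thread and not Django code). The file name `secret_settings.py` comes from the post; the helper names are hypothetical, the key comes from Python's `secrets` module, and POSIX permissions are assumed.

```python
import os
import secrets
import stat
import string
import sys
from pathlib import Path

# Assumed names: write_secret_settings, ignore_in_git and is_private are
# hypothetical helpers, not part of django-admin.
KEY_CHARS = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"


def write_secret_settings(project_dir, filename="secret_settings.py"):
    """Create a settings module holding a fresh SECRET_KEY, mode 0400."""
    path = Path(project_dir) / filename
    key = "".join(secrets.choice(KEY_CHARS) for _ in range(50))
    # O_EXCL refuses to clobber an existing key; passing 0o400 at creation
    # means the file is never group- or world-readable, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write("# Generated secret: keep this file out of version control.\n")
        fh.write(f"SECRET_KEY = {key!r}\n")
    return path


def ignore_in_git(project_dir, filename="secret_settings.py"):
    """List filename in .gitignore; return True if an entry was added."""
    gitignore = Path(project_dir) / ".gitignore"
    text = gitignore.read_text() if gitignore.exists() else ""
    if filename in (line.strip() for line in text.splitlines()):
        return False
    sep = "" if text == "" or text.endswith("\n") else "\n"
    gitignore.write_text(f"{text}{sep}{filename}\n")
    return True


def is_private(path):
    """True if neither group nor others have any access to the file (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    project = sys.argv[1] if len(sys.argv) > 1 else "."
    created = write_secret_settings(project)
    ignore_in_git(project)
    print(f"Wrote {created}; exclude it from version control.")
```

`settings.py` would then contain `from secret_settings import SECRET_KEY`, as the post suggests, and a deployment check can call `is_private()` on the file before starting the app.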


Re: Query Optimization (Huge Data in the Database)

2020-07-26 Thread Sci Mithilesh
call or reply me I am interested +918709440658

On Sun, 19 Jul 2020, 9:11 am karthik challa wrote:

> Hi Experts,
>
> I am trying to execute a Django query (ORM) but my query is taking more
> than 4 mins as the table has huge records.
>
> Here are the details
>
> 1> I am using left outer join to get count from other table
>
> 2>Django query
> subject = Table1.objects.all().annotate(numItems=Count('table2.field')).
> order_by('name')
>
>
>
> 3>Here I am converting the above query set to Raw sql
> SELECT "table1"."id", "table1"."created_at", "table1"."name", COUNT(
> "table2"."id") AS "numItems"  FROM
> "table1" LEFT OUTER JOIN "table2" ON ("table1"."id" = "table2".
> "subdomain_id") GROUP BY "table1"."id" ORDER BY "table1"."name" ASC
>
> and I am returning response to template index.html
>
> response = render(request, 'search_home.html', context)
>
>
> My template looks like this
> {% if context.subject %}
> {% for item in context.subject %}
> {{ item }}
> {% endfor %}
> {% endif %}
> Please let me know how I can reduce the performance time or how I can
> optimize the query.
>
> Thanks & Regards,
> Karthik


Re: Making startproject's settings more 12-factor-y

2020-07-26 Thread Sci Mithilesh
ok whatsapp +918709440658

On Fri, 10 Jul 2020, 2:54 pm '1337 Shadow Hacker' via Django developers
(Contributions to Django itself) wrote:

> All right, thank you for your feedback.
>
> May I throw in the idea of using DJ_ instead of DJANGO_ as prefix ?


Re: Suggestion: "django-admin startproject" should not put secrets in settings.py

2020-07-26 Thread Tom Carrick
Hi Roy,

There's also a more recent thread on this:
https://groups.google.com/u/2/g/django-developers/c/CIPgeTetYpk

Tom

On Sun, 26 Jul 2020 at 18:00, Roy Smith wrote:

> In the past, I've worked on a couple of django projects where we violated
> the:
>
> # SECURITY WARNING: keep the secret key used in production secret!
>
>
> advice because on day one, somebody didn't know what they were doing
> and never fixed it.  Looking around at a collection of django projects (by
> various developers), I see that's often the case.  SECRET_KEY, oauth keys,
> aws keys, etc all end up in settings.py files.  And show up in github, etc.
>
> This is not terribly surprising.  I expect most people just sit down with the
> tutorial, follow the first example:
>
> $ django-admin startproject mysite
>
>
> and instantly have a working, but insecure, setup.
>
> So, why not have startproject start people off on the right foot?  Build a
> settings.py file and a secret_settings.py file.  Put the SECRET_KEY in
> secrets.py.  Have settings.py do "from secret_settings import SECRET_KEY".
> Make secret_settings.py mode 0400 by default (or whatever that translates
> to on windows).  Print out a message telling people to exclude
> secret_settings.py from version control.
>
>
> As people add more secrets, they have a low-effort path to continuing to
> do something reasonable.  A more sophisticated user can tear that out and
> replace it with their own secrets infrastructure.  But, at least we will
> have started newbies off with something reasonable.
>
> I see this has been discussed before, but I disagree with a lot of the
> opinions in that thread.  This wouldn't be forcing developers to do it any
> specific way.  It just provides a default that's better than the current
> default.  Expecting newbies to follow best practices just because they're
> documented somewhere is irrational, as can be seen by perusing github.


Re: Making startproject's settings more 12-factor-y

2020-07-26 Thread Florian Apolloner
Comments like these are inappropriate for this mailing list. Stop spamming 
your whatsapp number all over the place.

On Sunday, July 26, 2020 at 6:00:47 PM UTC+2 mithileshr...@gmail.com wrote:

> ok whatsapp +918709440658
>
> On Fri, 10 Jul 2020, 2:54 pm '1337 Shadow Hacker' via Django developers 
> (Contributions to Django itself) wrote:
>
>> All right, thank you for your feedback.
>>
>> May I throw in the idea of using DJ_ instead of DJANGO_ as prefix ?