From bb7626b2f257852f426723de551418753e3dd692 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 9 Oct 2019 15:03:45 -0400 Subject: Use secrets and fall back to random.SystemRandom for keys The random module uses the Mersenne Twister pseudorandom number generator and is not a cryptographically secure random number generator[0]. The secrets[1] module is intended for generating cryptographically strong random numbers, so recommend using that to generate the secret key. It's new in Python 3, so if it's unavailable fall back to using the ``os.urandom()`` backed implementation of random. NOTE(stephenfin): Modified to include change to 'config.yaml'. Also renamed reno to just stick with hyphens for filenames. [0] https://docs.python.org/3/library/random.html [1] https://docs.python.org/3/library/secrets.html Signed-off-by: Jeremy Cline Signed-off-by: Stephen Finucane --- ...d-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml (limited to 'releasenotes/notes') diff --git a/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml b/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml new file mode 100644 index 0000000..7b101cb --- /dev/null +++ b/releasenotes/notes/use-secrets-and-fall-back-to-random-SystemRandom-for-keys-9ceb496919a1bb6f.yaml @@ -0,0 +1,5 @@ +--- +security: + - | + Change the recommended method for generating the Django secret key to use a + cryptographically secure random number generator. -- cgit v1.2.3
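Review bot: the release note under `security:` is vaguer than the commit title it documents; "a cryptographically secure random number generator" does not tell an operator which API is now recommended or what happens on interpreters without it. Suggest naming the mechanism in the note, e.g. "use the ``secrets`` module, falling back to ``random.SystemRandom`` where ``secrets`` is unavailable", so the note matches the subject line and the explanation in the commit body. Also, the body's NOTE(stephenfin) says the change to 'config.yaml' was folded in, but this view is limited to 'releasenotes/notes' and shows only the new YAML file (5 insertions); a reviewer should confirm the 'config.yaml' hunk is part of the same commit, since the release note otherwise describes a recommendation that is not visibly changed here.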
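The commit body recommends generating the Django secret key with ``secrets`` and falling back to the ``os.urandom()``-backed ``random.SystemRandom`` where ``secrets`` is missing. The following is an added example of that pattern; it is not code from the commit or from the project, and the 50-character minimum, the character set, and the helper names are assumptions chosen here to mirror Django's own secret-key convention rather than anything the patch specifies.

```python
"""Generate and sanity-check a Django-style SECRET_KEY with a CSPRNG.

Added illustration of the commit's recommendation; not the project's code.
"""
import math

try:
    import secrets
    # Python 3.6+: secrets.choice draws from os.urandom(), suitable for keys.
    _choice = secrets.choice
except ImportError:
    import random
    # Older interpreters: random.SystemRandom is also os.urandom()-backed.
    # Never use the module-level random.choice here; it is Mersenne Twister.
    _choice = random.SystemRandom().choice

# Assumed values (mirroring Django's convention, not taken from the patch).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
MIN_LENGTH = 50


def generate_secret_key(length=MIN_LENGTH, alphabet=ALPHABET):
    """Return a random secret key of `length` characters from `alphabet`."""
    if length < MIN_LENGTH:
        raise ValueError("secret key shorter than %d characters" % MIN_LENGTH)
    return "".join(_choice(alphabet) for _ in range(length))


def entropy_bits(length=MIN_LENGTH, alphabet=ALPHABET):
    """Entropy of a key drawn uniformly: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def check_secret_key(key, alphabet=ALPHABET):
    """Return a list of problems with `key`; an empty list means it passes.

    These are cheap structural checks for a deployment linter; they cannot
    prove the key came from a CSPRNG, only catch obviously weak values.
    """
    problems = []
    if len(key) < MIN_LENGTH:
        problems.append("too short")
    if not set(key) <= set(alphabet):
        problems.append("contains characters outside the expected alphabet")
    if len(set(key)) < 10:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    key = generate_secret_key()
    print("SECRET_KEY = %r" % key)
    print("entropy: %.1f bits" % entropy_bits())
    print("problems:", check_secret_key(key) or "none")
```

The try/except mirrors the commit's fallback order exactly: ``secrets`` first, ``SystemRandom`` second, and the default ``random`` generator never, because its Mersenne Twister state can be reconstructed from observed outputs.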