Should paperless enforce randomized Django SECRET_KEY? #4386
Replies: 2 comments
- This discussion has been automatically closed due to inactivity. Please see our contributing guidelines for more details.
- This discussion has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion for related concerns. See our contributing guidelines for more details.
- The current implementation reads SECRET_KEY from PAPERLESS_SECRET_KEY. This assumes that every system administrator/user reads the documentation carefully or installs paperless from a source that takes this into account (or of course only runs it locally). The official install scripts and docker-compose files do this sufficiently, but there may be systems that implement their own installation method (such as NixOS) and fail to do this.

I'm posting this here since NixOS does not enforce adding a PAPERLESS_SECRET_KEY in the usual nix-like way, nor does it inform the user to do so (see NixOS/nixpkgs#261085). While this is obviously a problem that should get fixed in the NixOS package, I would say that this points out that there may be a design issue here.

In my opinion, paperless should create this secret itself when the user does not provide one, just to be on the safe side in any case. The secret could for example be stored in the database. Why isn't that the case already? Is this a problem of non-existent entropy in the target?
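As an added example (not paperless's code and not the poster's), here is one way a Django settings module could implement the fallback proposed above: use PAPERLESS_SECRET_KEY when it is set, otherwise generate a key from the OS CSPRNG and persist it so it stays stable across restarts and worker processes (persisted to a file here, as an alternative to the database the post mentions). It goes one step beyond the post by also refusing a configured key that Django's own deploy check (security.W009) would flag as weak. The PAPERLESS_DATA_DIR variable and the secret_key file name are assumptions.

```python
import os
import secrets
from pathlib import Path

ENV_VAR = "PAPERLESS_SECRET_KEY"  # variable name from the discussion above
# Hypothetical persistence location; a real deployment would use its data directory.
DEFAULT_KEY_FILE = Path(os.environ.get("PAPERLESS_DATA_DIR", ".")) / "secret_key"

# Thresholds mirror Django's own deploy check (security.W009).
MIN_LENGTH = 50
MIN_UNIQUE_CHARS = 5
INSECURE_PREFIX = "django-insecure-"


def is_weak_secret_key(key: str) -> bool:
    """True for keys Django itself would flag: short, low-entropy, or a startproject placeholder."""
    return (
        len(key) < MIN_LENGTH
        or len(set(key)) < MIN_UNIQUE_CHARS
        or key.startswith(INSECURE_PREFIX)
    )


def generate_secret_key() -> str:
    """64 bytes from the OS CSPRNG, URL-safe encoded (~86 chars), comfortably above MIN_LENGTH."""
    return secrets.token_urlsafe(64)


def load_secret_key(env=os.environ, key_file: Path = DEFAULT_KEY_FILE) -> str:
    """Resolve SECRET_KEY: a non-weak env value wins; otherwise reuse or create a persisted key.
    Persisting it keeps sessions and signed links valid across restarts and worker processes.
    """
    configured = env.get(ENV_VAR, "").strip()
    if configured:
        if is_weak_secret_key(configured):
            # Fail closed: a weak key configured by mistake is worse than an obvious startup error.
            raise ValueError(f"{ENV_VAR} is set but too weak (need >= {MIN_LENGTH} varied characters)")
        return configured
    if key_file.is_file():
        persisted = key_file.read_text(encoding="utf-8").strip()
        if not is_weak_secret_key(persisted):
            return persisted
    key = generate_secret_key()
    key_file.parent.mkdir(parents=True, exist_ok=True)
    # Create the file owner-read/write only from the start rather than chmod-ing after writing.
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key)
    return key
```

In settings.py this would be used as SECRET_KEY = load_secret_key(); deployments that run several containers must share the persisted file (or set the variable) so every process signs with the same key.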