Hello here,
Following the discussion in
https://lists.apache.org/thread/xsc1174o6yjogxsvrq60nn93l0r4g91g, I would
like to ask for a lazy consensus on:
* Adopting the proposed Fernet Key approach to keep consistency
  - specified but empty ('') → use NullFernet (with a big warning that it is
    unencrypted)
  - not specified → attempt to generate and persist a key; fail if unable
  - specified and non-empty → attempt to use it; fail if invalid format
* Adding clear documentation and warnings for the empty-key (unencrypted)
  case, and ensuring consistent behaviour across configuration sources (env
  vars, config files, defaults)
* Optionally introducing a special explicit non-encrypted indicator (e.g.,
  NOT_ENCRYPTED or NOT_PROVIDED) to avoid accidental misconfigurations
The lazy consensus will end on Thursday, the 27th of November, 11 pm CET:
https://www.timeanddate.com/countdown/generic?iso=20251127T23&p0=16&msg=Countdown+Timer&font=cursive
No need to answer unless you do not agree with the consensus.
Thanks!
Kind regards,
--
Bugra Ozturk
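
The three key-handling cases proposed in the message above, as an added example that is not part of the original message or the project's code. It uses only the standard library and checks the Fernet key format (url-safe base64 of 32 bytes); the function names, mode strings, key file path and the reuse of a previously persisted key are assumptions.

```python
import base64
import logging
import os

log = logging.getLogger(__name__)
_UNSET = object()  # sentinel: "not specified" must stay distinct from "specified but empty"


def validate_fernet_key(key: str) -> bytes:
    """Return the raw key bytes; raise ValueError unless key is url-safe base64 of 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except ValueError as exc:  # covers binascii.Error and UnicodeEncodeError
        raise ValueError("fernet key is not valid url-safe base64") from exc
    if len(raw) != 32:
        raise ValueError(f"fernet key must decode to 32 bytes, got {len(raw)}")
    return raw


def resolve_fernet_key(configured=_UNSET, key_path="fernet.key"):
    """Apply the proposed rules; return (mode, key). Names and modes are hypothetical."""
    if configured is _UNSET:
        # Not specified: generate and persist, fail if unable.
        if os.path.exists(key_path):  # assumption: reuse a key persisted by an earlier run
            with open(key_path, encoding="ascii") as fh:
                key = fh.read().strip()
            validate_fernet_key(key)
            return "persisted", key
        key = base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")
        try:
            # O_EXCL: never overwrite an existing key; 0o600: owner-only access
            fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(key)
        except OSError as exc:
            raise RuntimeError(f"cannot persist generated fernet key to {key_path}") from exc
        return "generated", key
    if configured == "":
        # Specified but empty: explicit opt-out of encryption, with a loud warning.
        log.warning("fernet key is empty: values will be stored UNENCRYPTED (NullFernet)")
        return "null", None
    # Specified and non-empty: use it, fail on invalid format.
    validate_fernet_key(configured)
    return "configured", configured


def resolve_from_env(environ, name, key_path="fernet.key"):
    """Env-var source: a missing variable is 'not specified', an empty one is ''."""
    return resolve_fernet_key(environ.get(name, _UNSET), key_path)
```

Routing every configuration source through the same sentinel keeps an unset variable from being silently treated as an empty, unencrypted key.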