Hi Ralf:

In message <1561294337.71.0.360196406483.issue2551048@roundup.psfhosted.org>,
Ralf Schlatterbeck writes:
>When running roundup as a multi-process application like CGI or WSGI,
>the default value for the variable 'secret_key' in secion [web] is not
>constant and will be different for each process. The reason is that it
>uses a random value for initialisation if the item is unconfigured. This
>random value is different in each process.
> [...]
>We should either come up with a fix or document this in the REST-API
>documentation.

One of two things should be happening here:

  1) If that option is not set in config.ini, there should be a
     failure on startup. Similar to not setting TRACKER_WEB.
     Is secret_key in your config.ini set to nothing:
       [web]
       secret_key =
     or is secret_key not present in your config.ini? If not present,
     I can see how this could happen, but I am not sure how to fix it. 

  2) That key should be set to a constant value when running:

      roundup-admin -i . updateconfig config.ini

     as specified in doc/upgrading.txt as:

       Migrating from 1.6.0 to x.y.0
       =============================

       Upgrade tracker's config.ini file
       --------------------------------------
       Once you have installed the new roundup, use:

	 roundup-admin -i /path/to/tracker updateconfig new_init_file.ini

       to generate a new ini file preserving all your settings. You can then
       ...

     so that value shouldn't be empty.

The secret_key is defined using configuration.py's MandatoryOption
class. So using:

  secret_key =

should be an error. If secret_key is not in the config.ini, then
configuration.py doesn't try to set secret_key to an unset value and
the exception for a null value is not raised. Could this be the
failure mode you are seeing?