Nick Wynja writes:
INSTALLED_APPS = [a for a in INSTALLED_APPS if not a.startswith('allauth.socialaccount.providers') and not a.startswith('django_mailman3.lib.auth.fedora')]
This way if Postorius ever adds any apps you won't need to update your local settings. Anyone see any downsides to doing it this way?
Aside from the circular import issue mentioned by Abhilash
AIUI, the OP didn't want to present options to users that they don't need and might confuse/annoy them. This does the wrong thing for the OP if so.
Implicitly adding apps in this way increases the attack surface on the system by allowing additional opportunities to access resources.[1] This approach doesn't even necessarily get rid of all social authentication providers: others may be special-cased in the same way as Fedora in the future.
Of course, the default configuration in the containers will be good for a very common use case, and sufficiently secure for most instances. But the general rule for Internet-facing applications is "shut off all access by default, and explicitly open up only the channels you need." I'm not saying your "subtract the social authentication applications" has a downside in all cases. Just that some of us prefer to expend the effort to (a) follow that general rule, and (b) advise others of its existence :-).
Footnotes: [1] You're right, the admin has to intervene if Mailman adds new "must-install" apps, or Postorius won't run. It's possible we should do something about this, such as dividing the set of apps into those we are sure Mailman needs and and having the user configure only those that provide more or less optional features that users should make their own decisions about.