    Address ALLOWED_HOSTS changes.

    Review Request #4600 — Created Sept. 20, 2013 and submitted — Latest diff uploaded

    Information

    Review Board
    master

    Address ALLOWED_HOSTS changes.

    In Django 1.5, it's required to set ALLOWED_HOSTS in the settings. Previously,
    this had defaulted to ['*'], which performed no host validation (and
    potentially allowed host poisoning attacks).

    I've added a default of ['*'] to settings.py, which is expected to be
    overridden by settings_local.py. For new installations, rb-site will set this
    to the domain name entered during installation. There's not a fantastic way to
    deal with this for upgrades. rb-site upgrade can modify settings_local.py, but
    it doesn't have the domain name.

    I think what we'll do is mostly documentation, with a three-fold approach:
    * Include instructions in the release notes.
    * Create a "security practices" document in the admin manual, bringing together
    content from various existing documents/faqs/etc, and include ALLOWED_HOSTS
    in this as well.
    * Build a page in the admin site that can do automated security checks and make
    recommendations to the user.

    • Ran with DEBUG=False against Django 1.5.4 and verified that the default
      setting worked correctly.
    • Built an egg and installed it into a virtualenv. Created a site with rb-site
      and checked that settings_local.py contained a correct ALLOWED_HOSTS.
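As an added example (not Review Board's or Django's own code), the following stand-alone Python models the two things the description turns on: how Django's ALLOWED_HOSTS matches the request's Host header (exact match, leading-dot subdomain match, or '*' for no validation), and the kind of automated check the proposed admin "security checks" page could run against a site's settings to flag a wildcard left over from the settings.py default. The function names, the settings dict and the sample hosts are assumptions for illustration.

```python
# Added example, not code from Review Board or Django. It reimplements the
# ALLOWED_HOSTS matching rules so it runs without Django installed, and adds a
# settings check of the kind the review description proposes for the admin UI.


def host_from_header(host_header):
    """Return the lowercase host part of a Host header with any port removed.

    A bracketed IPv6 literal such as "[::1]:8080" keeps its brackets, because
    that is how it must appear in ALLOWED_HOSTS as well.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header: %r" % host_header)
        return host[: end + 1]
    return host.split(":", 1)[0]


def host_is_allowed(host_header, allowed_hosts):
    """Apply the ALLOWED_HOSTS rules Django uses when validating a request.

    '*'             matches any host, i.e. no validation at all
    '.example.com'  matches example.com and every subdomain of it
    anything else   must equal the host (case-insensitive, port ignored)
    """
    host = host_from_header(host_header)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def check_allowed_hosts(settings):
    """Return (severity, message) findings for a settings dict (an assumed
    stand-in for the merged settings.py + settings_local.py).

    A wildcard means the Host header is never validated, which is the
    condition that makes Host-header poisoning possible; an empty list with
    DEBUG=False makes Django reject every request on 1.5.
    """
    findings = []
    allowed = settings.get("ALLOWED_HOSTS")
    if not allowed:
        findings.append((
            "error",
            "ALLOWED_HOSTS is unset or empty; with DEBUG=False, Django 1.5 "
            "refuses requests whose Host header does not match, so nothing "
            "will be served.",
        ))
    elif "*" in allowed:
        findings.append((
            "warning",
            "ALLOWED_HOSTS contains '*', so the Host header is not validated. "
            "Set it to the site's domain in settings_local.py.",
        ))
    return findings


if __name__ == "__main__":
    # Constructed sample: the settings.py default, then the value rb-site
    # would write for a site installed under reviews.example.com.
    default_settings = {"ALLOWED_HOSTS": ["*"]}
    local_settings = {"ALLOWED_HOSTS": ["reviews.example.com"]}

    for name, cfg in (("default", default_settings), ("local", local_settings)):
        print(name, check_allowed_hosts(cfg))
        for header in ("reviews.example.com:443", "attacker.example.net"):
            print("  ", header, "->", host_is_allowed(header, cfg["ALLOWED_HOSTS"]))
```

With the settings.py default of ['*'] every Host header is accepted and the check reports a warning; once settings_local.py names the real domain, a request carrying a foreign Host header is refused and the check passes.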