Hi, This is a follow-up discussion from PR-11546 <https://github.com/apache/incubator-mxnet/pull/11546#pullrequestreview-134215477> per suggestion from Marco. The proposed approach is to add an option to allow users who call the download function to explicitly turn off ssl verification. The default behavior is unchanged (i.e. always verify). From the comments so far:
Pros: Users can use this function to download from trusted links that don't have proper ssl cert set-up, only by disabling this option explicitly. Without this option, the download function cannot be used in such case. Cons: Vulnerable to MITM when disabled. My take on this is that having such option is better, since download function can be useful in more scenarios. I'd like to hear from others if there are scenarios that this approach is absolutely not acceptable. Thanks. -sz