Agree with Sheng. A website does not always have a trusted SSL cert, and you
might still want to download cat and elephant pictures from it. (I checked some
usages of this function.)

On Wed, Jul 4, 2018 at 9:47 AM Marco de Abreu
<[email protected]> wrote:

> Thanks for raising this issue Sheng.
>
> My proposal would be to always print a warning message when this function
> is called with the ssl check disabled. This functionality would be tested
> by a unit test which mocks the network access.
>
> Additionally, I'd like to propose that we set a policy for ourselves that
> we as the MXNet community never submit any code that has this flag disabled
> and rather ensure that the servers we are using are properly secured with
> correct ssl certificates.
>
> -Marco
>
> Sheng Zha <[email protected]> wrote on Wed, 4 July 2018, 08:58:
>
> > Hi,
> >
> > This is a follow-up discussion from PR-11546
> > <https://github.com/apache/incubator-mxnet/pull/11546#pullrequestreview-134215477>
> > per suggestion from Marco. The proposed approach is to add an option to allow
> > users who call the download function to explicitly turn off ssl
> > verification. The default behavior is unchanged (i.e. always verify). From
> > the comments so far:
> >
> > Pros:
> > Users can use this function to download from trusted links that don't have
> > proper ssl cert set-up, only by disabling this option explicitly. Without
> > this option, the download function cannot be used in such case.
> >
> > Cons:
> > Vulnerable to MITM when disabled.
> >
> > My take on this is that having such an option is better, since the download
> > function can be useful in more scenarios. I'd like to hear from others if
> > there are scenarios where this approach is absolutely not acceptable.
> > Thanks.
> >
> > -sz
> >
>
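
The proposal discussed in this thread (verify by default, warn whenever verification is explicitly disabled, and cover that with a unit test that mocks network access) can be sketched as follows. This is an added example, not part of the thread and not MXNet's code; `fetch`, `run_mocked` and the URL are hypothetical names, and the payload is constructed.

```python
import io
import os
import shutil
import ssl
import tempfile
import urllib.request
import warnings
from unittest import mock


def fetch(url, path, verify_ssl=True):
    """Hypothetical download helper: certificates are verified unless the
    caller explicitly passes verify_ssl=False, which always warns."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if not verify_ssl:
        warnings.warn(
            "SSL certificate verification is disabled for %s; the transfer "
            "can be read or modified by a man-in-the-middle" % url,
            UserWarning, stacklevel=2)
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx) as resp, \
            open(path, "wb") as out:
        shutil.copyfileobj(resp, out)
    return path


def run_mocked(verify_ssl):
    """Call fetch() with urlopen mocked, so no network access happens.
    Returns (warning messages, verify_mode handed to urlopen, bytes saved)."""
    fake = mock.MagicMock()
    fake.__enter__.return_value = io.BytesIO(b"constructed payload")
    with tempfile.TemporaryDirectory() as tmp, \
            mock.patch("urllib.request.urlopen", return_value=fake) as opened, \
            warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        target = os.path.join(tmp, "cat.jpg")
        fetch("https://example.invalid/cat.jpg", target, verify_ssl)
        with open(target, "rb") as saved:
            data = saved.read()
    ctx = opened.call_args.kwargs["context"]
    messages = [str(w.message) for w in caught if w.category is UserWarning]
    return messages, ctx.verify_mode, data


if __name__ == "__main__":
    print(run_mocked(True))
    print(run_mocked(False))
```

Asserting on the context passed to the mocked `urlopen` checks the default as well as the warning, so a later change that silently flips the default would fail the test.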
