mxnet-dev mailing list archives

From "Sokolov, Sergey" <sssok...@amazon.com.INVALID>
Subject Re: Allow SSL Verification to be off in mx.gluon.utils.download?
Date Wed, 04 Jul 2018 18:49:29 GMT
The warning message might have its value if a user just copied and pasted the code from somewhere.
 
Sergey.

On 2018-07-04, 07:45, "Thomas DELTEIL" <thomas.delteil1@gmail.com> wrote:

    Agree that we should never push code that has a download with the flag
    disabled. But I don't see a problem having a flag to disable ssl
    verification if users want to put themselves at risk. I don't think a
    warning is necessary as long as the API wording is scary enough.
    
    All the best,
    
    Thomas
    
    On Wed, Jul 4, 2018, 06:50 kellen sunderland <kellen.sunderland@gmail.com>
    wrote:
    
    > I'd agree with Sheng and Pedro.  I would also not put a warning message in
    > place when the function is explicitly called with SSL verification turned
    > off.  I would assume if the code author intentionally disables verification
    > that the message being displayed would not provide value.
    >
    > -Kellen
    >
    >
    > On Wed, Jul 4, 2018 at 3:42 PM Pedro Larroy <pedro.larroy.lists@gmail.com>
    > wrote:
    >
    > > Agree with Sheng. Not always a website has trusted SSL cert, and you might
    > > still want to download cat and elephant pictures from it. (I checked some
    > > usages of this function).
    > >
    > > On Wed, Jul 4, 2018 at 9:47 AM Marco de Abreu
    > > <marco.g.abreu@googlemail.com.invalid> wrote:
    > >
    > > > Thanks for raising this issue Sheng.
    > > >
    > > > My proposal would be to always print a warning message when this function
    > > > is called with the ssl check disabled. This functionality would be tested
    > > > by a unit test which mocks the network access.
    > > >
    > > > Additionally, I'd like to propose that we set a policy for ourselves that
    > > > we as MXNet community never submit any code that has this flag disabled and
    > > > rather ensure that the servers we are using are properly secured with
    > > > correct ssl certificates.
    > > >
    > > > -Marco
    > > >
    > > > Sheng Zha <szha.pvg@gmail.com> wrote on Wed, 4 July 2018, 08:58:
    > > >
    > > > > Hi,
    > > > >
    > > > > This is a follow-up discussion from PR-11546
    > > > > <https://github.com/apache/incubator-mxnet/pull/11546#pullrequestreview-134215477>
    > > > > per
    > > > > suggestion from Marco. The proposed approach is to add an option to allow
    > > > > users who call the download function to explicitly turn off ssl
    > > > > verification. The default behavior is unchanged (i.e. always verify). From
    > > > > the comments so far:
    > > > >
    > > > > Pros:
    > > > > Users can use this function to download from trusted links that don't have
    > > > > proper ssl cert set-up, only by disabling this option explicitly. Without
    > > > > this option, the download function cannot be used in such case.
    > > > >
    > > > > Cons:
    > > > > Vulnerable to MITM when disabled.
    > > > >
    > > > > My take on this is that having such option is better, since download
    > > > > function can be useful in more scenarios. I'd like to hear from others if
    > > > > there are scenarios that this approach is absolutely not acceptable.
    > > > > Thanks.
    > > > >
    > > > > -sz
    > > > >
    > > >
    > >
    >
    

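The options weighed in this thread (verification on by default, an explicit opt-out, a warning when it is off, and a unit test that mocks network access) can be sketched as follows. This is an added example, not code from MXNet or from any participant; `build_ssl_context`, the `opener` parameter, `demo` and the `example.invalid` URL are hypothetical names chosen for illustration.

```python
import io
import os
import ssl
import urllib.request
import warnings


def build_ssl_context(verify_ssl=True):
    """TLS context for a download helper (hypothetical, not MXNet code)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not verify_ssl:
        warnings.warn(
            "verify_ssl=False: server certificate is not checked; the "
            "download is exposed to man-in-the-middle tampering.",
            UserWarning, stacklevel=3)
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def download(url, path, verify_ssl=True, opener=urllib.request.urlopen):
    """Fetch url into path; `opener` is injectable so tests can mock it."""
    ctx = build_ssl_context(verify_ssl)
    with opener(url, context=ctx) as resp, open(path, "wb") as out:
        out.write(resp.read())
    return path


def demo(tmpdir):
    """Run both settings against a mocked network and report what happened."""
    seen = []

    def fake_opener(url, context=None):  # constructed stand-in, no network
        seen.append(context)
        return io.BytesIO(b"constructed payload")

    results = {}
    for flag in (True, False):
        target = os.path.join(tmpdir, "sample.bin")
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            download("https://example.invalid/sample.bin", target,
                     verify_ssl=flag, opener=fake_opener)
        n = sum(issubclass(w.category, UserWarning) for w in caught)
        results[flag] = (n, seen[-1].verify_mode, seen[-1].check_hostname)
    return results
```

`demo` returns, for each flag value, the number of warnings raised and the verification settings of the context handed to the opener, which is what a mocked unit test would assert on.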