mxnet-dev mailing list archives

From Marco de Abreu <marco.g.ab...@googlemail.com.INVALID>
Subject Re: Allow SSL Verification to be off in mx.gluon.utils.download?
Date Wed, 04 Jul 2018 07:47:21 GMT
Thanks for raising this issue Sheng.

My proposal would be to always print a warning message when this function
is called with the ssl check disabled. This functionality would be tested
by a unit test which mocks the network access.

Additionally, I'd like to propose that we set a policy for ourselves that
we as MXNet community never submit any code that has this flag disabled and
rather ensure that the servers we are using are properly secured with
correct ssl certificates.

-Marco

Sheng Zha <szha.pvg@gmail.com> wrote on Wed, 4 July 2018, 08:58:

> Hi,
>
> This is a follow-up discussion from PR-11546
> <https://github.com/apache/incubator-mxnet/pull/11546#pullrequestreview-134215477>
> per suggestion from Marco. The proposed approach is to add an option to allow
> users who call the download function to explicitly turn off ssl
> verification. The default behavior is unchanged (i.e. always verify). From
> the comments so far:
>
> Pros:
> Users can use this function to download from trusted links that don't have
> proper ssl cert set-up, only by disabling this option explicitly. Without
> this option, the download function cannot be used in such a case.
>
> Cons:
> Vulnerable to MITM when disabled.
>
> My take on this is that having such an option is better, since the download
> function can be useful in more scenarios. I'd like to hear from others if
> there are scenarios in which this approach is absolutely not acceptable.
> Thanks.
>
> -sz
>
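
The proposals in the reply above (warn whenever verification is switched off, cover that with a unit test that mocks network access, and keep the disabled flag out of submitted code) can be sketched as follows. This is an added example, not code from the thread or from MXNet; `fetch`, its `verify_ssl` parameter, `run_mocked`, `flag_disabled_calls` and the `.invalid` URLs are hypothetical names chosen for illustration.

```python
import ast
import ssl
import urllib.request
import warnings
from unittest import mock


def fetch(url, verify_ssl=True):
    """Return the body at url; certificate checks stay on unless opted out."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not verify_ssl:
        # Warn on every call so the opt-out shows up in logs and CI output.
        warnings.warn("TLS certificate verification is disabled for %s; "
                      "the download is exposed to MITM tampering" % url,
                      UserWarning, stacklevel=2)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


def run_mocked(verify_ssl):
    """Call fetch() with network access mocked out.

    Returns (body, warning messages, SSLContext handed to urlopen).
    """
    fake = mock.MagicMock()
    fake.__enter__.return_value.read.return_value = b"constructed payload"
    with mock.patch("urllib.request.urlopen", return_value=fake) as urlopen:
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            body = fetch("https://example.invalid/model.params", verify_ssl)
    return body, [str(w.message) for w in caught], urlopen.call_args[1]["context"]


def flag_disabled_calls(source):
    """Line numbers of calls passing verify_ssl=False, for a CI policy check."""
    return [node.lineno
            for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Call)
            for kw in node.keywords
            if kw.arg == "verify_ssl"
            and isinstance(kw.value, ast.Constant) and kw.value.value is False]


# Constructed sample of submitted code: line 2 violates the proposed policy.
SAMPLE = ('fetch("https://a.invalid/x")\n'
          'fetch("https://b.invalid/y", verify_ssl=False)\n')
```

The policy check only matches the literal keyword form `verify_ssl=False`; a positional argument or a value passed through a variable would need a stricter rule.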
