felixrieseberg / windows-build-tools

:package: Install C++ Build Tools for Windows using npm
MIT License
3.4k stars 237 forks

Why is strict-ssl false by default? #156

Open cinderblock opened 6 years ago

cinderblock commented 6 years ago

The README says that --strict-ssl is by default off. Why?

This seems like a security issue.

I noticed some other issues relating to SSL (#109 #128) that suggest it is actually on by default. However, reading the code, it does seem like it is set to false by default. https://github.com/felixrieseberg/windows-build-tools/blob/master/src/download.ts#L50

Thanks

jacobq commented 6 years ago

Hmm, this is surprising to me too. In my experience it is advisable to default to the best practice. nugget's CLI option (to override default) is the inverse: --no-strict-ssl. It may be that we've mistakenly inverted the polarity of this option.

cc @felixrieseberg Can you offer some insight about this? Is there some historical reason we're missing here?
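
Added example (not part of the thread and not code from windows-build-tools or nugget): a sketch of the flag polarity discussed above, where certificate verification stays on unless `--no-strict-ssl` is passed, next to the opt-in default the issue describes. The function names and sample invocations are hypothetical; `rejectUnauthorized` is the Node.js TLS option that controls certificate verification.

```javascript
// Hypothetical flag handling for illustration; not the project's source.
// Resolves strict-ssl from CLI arguments. With defaultValue = true,
// verification is on unless the user explicitly turns it off.
function resolveStrictSSL(argv, defaultValue = true) {
  let value = defaultValue;
  for (const arg of argv) {
    if (arg === '--strict-ssl') value = true;
    else if (arg === '--no-strict-ssl') value = false;
    else if (arg.startsWith('--strict-ssl=')) {
      const raw = arg.slice('--strict-ssl='.length).toLowerCase();
      if (raw === 'true' || raw === '1') value = true;
      else if (raw === 'false' || raw === '0') value = false;
      else throw new Error(`invalid value for --strict-ssl: ${raw}`);
    }
  }
  return value;
}

// Map the setting onto Node's TLS option. With rejectUnauthorized: false,
// https.request() accepts any certificate, so the download is unauthenticated.
function toRequestOptions(url, strictSSL) {
  const { hostname, pathname } = new URL(url);
  return { hostname, path: pathname, method: 'GET', rejectUnauthorized: strictSSL };
}

// Report whether verification is off by default or by explicit user choice.
function auditInvocation(argv, defaultValue) {
  const strictSSL = resolveStrictSSL(argv, defaultValue);
  const explicit = argv.some((a) => /^--(no-)?strict-ssl(=|$)/.test(a));
  let finding = 'ok';
  if (!strictSSL) {
    finding = explicit ? 'verification disabled by user' : 'verification disabled by default';
  }
  return { strictSSL, finding };
}

// Constructed sample invocations, compared under both default polarities.
const samples = [[], ['--strict-ssl'], ['--no-strict-ssl']];
for (const argv of samples) {
  console.log(JSON.stringify(argv),
    '| opt-in default:', auditInvocation(argv, false).finding,
    '| secure default:', auditInvocation(argv, true).finding);
}
```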