Enforce safetensors format | AI HUB | Page 1

cyan oyster Jun 6, 2024, 12:44 PM

#

PyTorch RVC models are not safe to use due to possible malicious code execution (https://huggingface.co/docs/hub/security-pickle). This can be partially mitigated by uploading a model to trusted sources (like huggingface, that checks pickled imports and may highlight possibility malicious code). But this approach is also error-prone, requires manual review and more sophisticated attacks can be applied that can be left undetected.

A possible approach could be:

Forcing RVC developers to support safetensors format for inference and training (or at least provide tooling for conversion).
Require model makers to provide/convert their models in safetensors format.

To smoothen transition, both pth and safetensors models may be supported and provided, but the use of pth models must be discouraged.

Don't expect anyone to drive this activity since this is not really about the server, but I'd like to at least bring awareness to this topic.

fresh riverBOT Jun 6, 2024, 12:45 PM

#

Vote for this suggestion!

wheat ember Jun 12, 2024, 1:37 PM

#

cyan oyster PyTorch RVC models are not safe to use due to possible malicious code execution ...

on progress btw

cyan oyster Jun 12, 2024, 1:39 PM

#

wheat ember on progress btw

That's great! And I already have support inference with safetensors models in my fork :)

wheat ember Jun 12, 2024, 1:39 PM

#

the smooth transition should be easy with something like this

cyan oyster Jun 12, 2024, 1:41 PM

#

wheat ember the smooth transition should be easy with something like this

I remember I had difficulties with load_file method, but I don't remember what it was exactly... And in the end I resorted to a bit customized method
https://github.com/deiteris/voice-changer/blob/master-custom/server/voice_changer/common/SafetensorsUtils.py#L9

And loading is done like this
https://github.com/deiteris/voice-changer/blob/master-custom/server/voice_changer/RVC/inferencer/RVCInferencerv2.py#L18-L27

wheat ember Jun 12, 2024, 1:42 PM

#

what about performance?

#

better than .pth?

cyan oyster Jun 12, 2024, 1:43 PM

#

Models are loaded faster (much faster on CPU, a bit faster on GPU), so on average it's not that big improvement

#

But inference performance itself is not affected

cyan oyster Jun 12, 2024, 2:01 PM

#

There are also conversion functions here that I took from huggingface converter. In my fork, all pth models are converted automatically on upload and I haven't seen any issues with it yet
https://github.com/deiteris/voice-changer/blob/master-custom/server/voice_changer/common/SafetensorsUtils.py#L46-L99

#

But ofc that doesn't mean it's a safe approach, just convenient and is useful for sandbox environment. The resulting model will be defused, but the code will be executed because pth model is loaded with torch.load first.

sand spear Jun 14, 2024, 10:53 AM

#

The egirlv2 model is a virus according to windows

#

First model that ever gave a beep beep

#

I don't trust that guy

cyan oyster Jun 14, 2024, 11:00 AM

#

Link? Can't find the model in #1175430844685484042

#Enforce safetensors format