LWN: Comments on "Insecurity and Python pickles"

Separate process

sammythesnake — Tue, 26 Mar 2024 16:27:03 +0000

Getting the data from the "unpickling process" to the process you want it in would involve serialising/deserialising all over again, though!

You could potentially use this to do various sanity checks/sanitisation before re-pickling for interprocess transfer, but it would probably make more sense to do that as a preprocessing step before the data gets to your code at all.

I wonder if a safe-unpickle library could be written that does some magic on the code execution part of the unpickling process to disable access to any variables outside of the unpickled objects and ensures the methods of the created objects match the definition of the loaded modules. Come to think of it, why wouldn't this be part of the built in pickle functionality already :-/

Insecurity and Python pickles

lobachevsky — Tue, 19 Mar 2024 15:15:50 +0000

I wonder why the ML community came up with safetensor when there already is the npy format that Numpy uses to save arrays for similar reasons. The header there isn't JSON, but it's broadly similar. The differences I see are that safetensor adds arbitrary key value pairs in the header and multiple tensors in one file, which Numpy does by zipping up multiple npy files, though I'm not sure whether that is strong enough a motivation.

Separate process

jhumphries — Mon, 18 Mar 2024 19:23:02 +0000

What is the overhead for unpickling an ML model? If the overhead is sufficiently high, wouldn't it make sense to just isolate the unpickle code in a separate process since the context switch overhead is negligible?

ML vs HDF5

summentier — Sun, 17 Mar 2024 11:25:01 +0000

My view is certainly somewhat contrarian, but I don't think HDF5 is a good file format for scientific data.

First of all, an HDF5 spec is enormous for a file format. This is not just a set of tensors organized in a tree structure, there is all sorts of additional stuff: attributes, compression, data layout, custom data types, you name it. For this reason, I disagree that there are “mature implementations in pretty much every language”, there really is only one feature-complete implementation: libhdf5, written in C, which pretty much every other language wraps around. (Yes, there is jHDF for Java, which can only read, there is JLD2 and some rust crates, but none of them support the full spec last time I checked.)

Because the HDF5 spec is so large and complex, you essentially have to tool around libhdf5 or use an HDF5 viewer every time you want to look at the data – hex dumps are of no use to you. But this also means that things like mem-mapping parts of a large datasets becomes a problem – libhdf5 to this day does not support this properly. Writing and reading HDF5 files is thus quite cumbersome and tends to be slow. Compare that with a simple binary file format like numpy, where you simply have a text header followed by some binary data, this becomes trivial.

What about HDF5 as an archiving format, then? Well, OK, there is a spec, but what use is that if, say, libhdf5 ceases to be maintained? In this case, how on Earth are we going to get the data out of a compressed data set with custom data types nestled deep into a tree hierarchy without reimplementing the spec? And even then, since there is essentially only one implementation that everyone uses, we have to pray that libhdf5 actually followed the HDF5 spec ...

In summary, I consider a tarball of binary files with text headers a la numpy a vastly superior file format to HDF5. It is clear, universally understood, and easy to view and tool around. (Of course, HDF5 being not a good format does not excuse using pickle ...)

Insecurity and Python pickles

notriddle — Sat, 16 Mar 2024 16:29:53 +0000

> JSON serialization is trivially easy these days in languages like Rust.

Not really. You have to put derive(Serialize) on every intermediate data structure. If the library you’re using doesn’t have that, you have to write the serde impl yourself. You can’t serialize Voldemort types (closures, async blocks) at all.

That is intentional, because Serialize is an API. It’s not supposed to be there unless the library author promises not to change it. For publicly downloadable data, stable file formats are a good thing.

Pickle, in its original use as a way to checkpoint jobs, sounds less like an alternative to serde and more like “I wish I was running out of a Smalltalk image.”

Insecurity and Python pickles

Wol — Fri, 15 Mar 2024 09:52:25 +0000

> I think we're using the same words to mean different things. The data I've worked with has come in two different forms:

No surprise ...

> * arrays of records (and collections of these arrays): generally having a db makes it easier and faster to do more complex queries over these vs multiple files (or a single file with multiple arrays), and formats designed for efficient use of "tabular" data (e.g. parquet) are better than random CSV/TSV.

So are your records one-dimensional? That makes your "arrays of records" two-dimensional - what I think of as your typical relational database table.

And what do you mean by "a complex query"? In MV that doesn't make sense. Everything that makes SQL complicated, belongs in an MV Schema - joins, case, calculations, etc etc. Pretty much ALL MV queries boil down to the equivalent of "select * from table".

> * n-dimensional arrays: this represent images/cubes/higher moments of physical data (vs metadata), and so are different in kind to the arrays of records. This is is where HDF5, netCDF, FITS (if you're doing observational astronomy) come in.

And if n=2? That's just your standard relational database aiui.

It's strange you mention astronomy. Ages back there was a shoot-out between Oracle, and Cache (not sure whether it was Cache/MV). The acceptance criteria were to hit 100K inserts/hr or whatever - I don't know what these speeds are, I'm generally limited by the speed people can type. Oracle had to struggle to hit the target - all sorts of optimisations like disabling indices on insert and running an update later etc etc. Cache won, went into production, and breezed through 250K within weeks ...

> I think the data you're talking about is more graph-like right (and feels like the kind of thing where you want to talk about the structure of how data is related)? That feels different in kind to both the above, and so naturally tools designed for other types of data don't match?

Graph-like? I'm not a visual person so I don't understand what you mean (and my degree is Chemistry/Medicine).

To me, I have RECORDs - which are the n-dimensional 4NF representation of an object, and the equivalent of a relational row!

I then have FILEs which are a set of RECORDS, and the equivalent of a relational table.

All the metadata your relational business analyst shoves in the data, I shove in the schema.

With the result that all the complexities of a SQL query, and all the multiple repetitions across multiple queries, just disappear because they're in the schema! (And with a simple translation layer defined in the schema, I can run SQL over my FILEs.)

I had cause to look up the "definition" of NoSQL recently. Version 1 was the name of a particular database. Version 2 was the use I make of it - defined by the MV crowd, "Not only SQL" - databases that can be queried by SQL but it's not their native language (in MV's case because it predates relational). Version 3 is the common one now, web stuff like JSON that doesn't really have a schema, and what there is is embedded with the data.

So I understand talking past each other with the same language is easy.

But all I have to do is define N as two (if my records just naturally happen to be 1NF), and I've got all the speed and power of your HDF5-whatever, operating like a relational database. But I don't have the complexity, because 90% of SQL has been moved into the database schema.

Cheers,
Wol

Insecurity and Python pickles

aragilar — Fri, 15 Mar 2024 08:43:13 +0000

I think we're using the same words to mean different things. The data I've worked with has come in two different forms:
* arrays of records (and collections of these arrays): generally having a db makes it easier and faster to do more complex queries over these vs multiple files (or a single file with multiple arrays), and formats designed for efficient use of "tabular" data (e.g. parquet) are better than random CSV/TSV.
* n-dimensional arrays: this represent images/cubes/higher moments of physical data (vs metadata), and so are different in kind to the arrays of records. This is is where HDF5, netCDF, FITS (if you're doing observational astronomy) come in.

I think the data you're talking about is more graph-like right (and feels like the kind of thing where you want to talk about the structure of how data is related)? That feels different in kind to both the above, and so naturally tools designed for other types of data don't match?

My understand of ML/AI is generally they're pushed into one of the two bins above, but that may be a bias based on the data I encounter.

Insecurity and Python pickles

dvdeug — Thu, 14 Mar 2024 20:34:45 +0000

> Maybe it is time to stop saying that when talking about software.

Do you want actual security, or are you just trying to shift the blame?

Everyone of us has run into an interface where it demands "are you sure you want to do this?" and you hit yes without thinking because you've been asked that question over and over when you're trying to do exactly that. There is some user blame where the user understands the question (e.g. "are you sure you want to delete this file?"). However, "do I want this spreadsheet to work?" -- when 99% don't have a clue what that means and the remaining 1% _could_ spend the next hour doing a forensic examination of the guts of the spreadsheet but aren't going to waste their time without reason -- is just blame-shifting.

Even a question of "this spreadsheet is trying to write to an external file. This is a warning sign of a malicious spreadsheet; do you want it to continue?" is going to auto-yessed by 50% of the users, and it's going to be a pain using the office spreadsheet that does do that for non-malicious purposes, because 15% of the users are going to auto-no that, even when they're prewarned. That's not completely security theater, but the fail cases on both sides makes it pretty ineffective.

Insecurity and Python pickles

pizza — Thu, 14 Mar 2024 19:28:51 +0000

> Police officers don't even get prompted by their gun's safety lock, they just disable it and shoot the criminal if necessary.

So? Police weaponry is specifically designed to kill or otherwise incapacitate; they have no other legitimate uses. [1]

Whereas these "dangerous" software features are used as intended by untold millions of office drones every single day.

[1] They are also used to project the implicit and explicit threat of potentially lethal force should you not submit to their authority.

Insecurity and Python pickles

adobriyan — Thu, 14 Mar 2024 19:01:09 +0000

> > This is easily fixable by casting spell called "Criminal Negligence" readily available in most countries.
> Except that criminal laws are not retroactive.

I'm not proposing new law. I believe all the laws are in place already, it is just that governments chose to not exercise them.

I remember Nimda pandemic while at the university. Us, Linux users were laughing at Windows suckers.
But our machine was dual booting so we were laughing at ourselves too.

It is unthinkable how Microsoft was not crucified for those stunts. It was so easy politically.

> > Whoever enables eval() equivalent by default goes to prison.
> Ok, so users have to change the default setting to achieve common legitimate use cases.

Yes, and then it is not on the manufacturer.

> Or they're prompted "do <potentially dangerous thing> Y/N?" so often that they automatically say "Yes" without thinking about it any more.

Police officers don't even get prompted by their gun's safety lock, they just disable it and shoot the criminal if necessary.
Somehow, the society lives with it and this situation is considered OK by general public, gun manufacturers, police and soldiers.
Nobody is saying "hey, police officer would have override safety lock so many times in his career that they would do it without thinking".
Maybe it is time to stop saying that when talking about software.

Insecurity and Python pickles

pizza — Thu, 14 Mar 2024 18:28:23 +0000

> This is easily fixable by casting spell called "Criminal Negligence" readily available in most countries.

Except that criminal laws are not retroactive.

> Whoever enables eval() equivalent by default goes to prison.

Ok, so users have to change the default setting to achieve common legitimate use cases.

Or they're prompted "do <potentially dangerous thing> Y/N?" so often that they automatically say "Yes" without thinking about it any more.

....That which makes computers useful also makes them dangerous. And the definition of each varies on an individual and/or situational basis.

Insecurity and Python pickles

adobriyan — Thu, 14 Mar 2024 17:18:17 +0000

This is easily fixable by casting spell called "Criminal Negligence" readily available in most countries.

Whoever enables eval() equivalent by default goes to prison.

All it would take is 1 sacrificial cow.

I'd suggest Microsoft PM who authorized Outlook executing attachments by default which clearly caused so much damage in 90s-2000s.
But status of limitations may have expired on the man.

Developers would probably revolt (they won't), both proprietary and open source.
It is important to absorb all the feedback from the constituents but ignore all their whining in the end
which politicians can be very good at.

Insecurity and Python pickles

NYKevin — Thu, 14 Mar 2024 16:58:01 +0000

> That's not quite it. You need to laboriously map all of the objects you have into an SQL model first. Then learn about prepared statements, etc. if you don't already know all of this stuff, which as the average scientist you don't. That's easily a dozen lines of code.

This is a game of "don't read the thread." I made that comment in response to an assertion that some data could not be mapped into SQL because it was not 2D. In that case, you already have to turn it into bytes anyway (e.g. with numpy.ndarray.tofile() into a BytesIO object, which was already being done in the code I was commenting on in the first place). My point is that you can put metadata and other such stuff into "real" SQL columns, and store anything that doesn't easily map to SQL objects as TEXT, and then you can skip the nonsense with JSON. You have not meaningfully responded to that assertion, you've simply talked past me.

Insecurity and Python pickles

Wol — Thu, 14 Mar 2024 16:54:42 +0000

> My understand of "tabular" implies 2D (i.e. array of records)? In my experience, tabular/catalogue data makes sense in a database.

Actually, I would argue that tabular data does NOT make sense in a database. It starts with the very definition of data.

Relational data is defined as "coming in rows and columns". If it doesn't fit that definition, it's not data. Relational dictates what is acceptable.

My definition (the one I use in my databases) is "data is what the user gives you". I'm happy with whatever I'm given.

Now let's define metadata. I don't know what the Relational definition of metadata is, probably "it's the schema". My definition (that I use in my databases) is "metadata is data I have inferred about the data the user gave me". And one of my cardinal rules is NEVER EVER EVER MIX data and metadata in the same table !!!!!!

But that's exactly what the job of a relational data analyst is - to infer data about the user data, then promptly mix both data and metadata up in the same table. How else would you represent a list in a 2D table?

> Naturally, higher dimensional data requires different tools (e.g. HDF5).

No. Higher dimensional data requires a multi-dimensional database. Preferably with a query language that is multi-dimensional-aware.

SQL contains huge amounts of database functionality, because it was designed to query unstructured data. So the query had to be able to express the structure. Get a database where the schema can DEscribe the structure, and the query language can be simultaneously more expressive, more powerful, and simpler, because you've pushed a lot of the complexity into the database where it belongs.

SQL puts huge amounts of complexity in the wrong place. Some complexity is unavoidable, but dealing with it in the wrong place causes much AVOIDABLE complexity.

Just look back at my rants here about relational. Just don't set off another one, the regulars here will have their heads in their hands :-)

The best way to let you see roughly where I'm coming from, is I see everything similar to an XML/DTD pair. That is EASY to manipulate with automated tools. And those tools are heavily optimised for fast efficient processing. Okay, that's not an exact description of MultiValue, but it's close. Oh - and if I store one object per XML table, the tool makes it dead easy to link different objects together.

Cheers,
Wol

Insecurity and Python pickles

farnz — Thu, 14 Mar 2024 16:30:30 +0000

You start off with a 'this is a fast checkpoint method' and then at the next deadline/problem cycle you have 'oh lets just take that checkpoint and see if we can restart this' to 'oh we can send you the checkpoint' to 'everyone is sending everyone pickles so its a standard.'

This sort of creep in scope is also problematic by itself, even without "choosing convenience", because you change the context around.

The first developer, writing the "fast checkpoint" method, probably had a context of "and anyone who can tamper with the checkpoint can attach a debugger to the running code and replace it".

The second set were aware of that context, but didn't see it as a problem if you're using it as a suspend work + resume later mechanism - after all, if you could suspend work and resume it later on the same system, you can attach the debugger instead of suspending, changing the checkpoint, and resuming.

And the third set, who send checkpoints, aren't aware that the first developer made their choices in the context of "checkpoints are equivalent in threat to a debugger attached to the process loading them, and that's OK", so they simply adopt the existing checkpoint format, because surely it's secure enough, right?

Insecurity and Python pickles

smoogen — Thu, 14 Mar 2024 15:41:52 +0000

We have been making this mistake for a lot longer than Office macros, and we will keep making the mistake because people's brains are wired to consciously and subconsciously to choose convenience. Think about how everyone is supposed to drive 100% of the time following all the rules exactly.. and think about the number of times something happens where you drive over a limit, forget to do a turn signal, don't check your mirrors every 5-10 seconds, etc. We all know we should be doing these all the time, but there is some part in most people's brains to say "Oh I can get away with it for a short bit." and 99.999% of the time, that part is right. The same goes with choosing formats which are used to build things.
You start off with a 'this is a fast checkpoint method' and then at the next deadline/problem cycle you have 'oh lets just take that checkpoint and see if we can restart this' to 'oh we can send you the checkpoint' to 'everyone is sending everyone pickles so its a standard.'

In the end, this is where standards get forced into being. People blow up enough towns around factories and eventually someone makes an ISO about valve safety.

Insecurity and Python pickles

aragilar — Thu, 14 Mar 2024 10:32:37 +0000

It depends what you're working on/what libraries you're using, but tools like pandas make it fairly easy to dump out an sqlite file (see https://pandas.pydata.org/docs/user_guide/io.html#sql-que...). The larger python web frameworks either provide serialisation support, or recommend third-party libraries and demonstrate their use in their docs. There isn't a universal library like serde, but I personally wouldn't use serde for HPC (wrong design), so I'm not sure this is the actual reason (my expectation is that people are using notebooks, and want to pick up where they left off, and so while pickle is fine as a "dump the current state of my work to a file" tool, people then start sending this state around, and it gets embedded in workflows).

Insecurity and Python pickles

aragilar — Thu, 14 Mar 2024 09:44:27 +0000

JSON isn't exactly ideal for serialising complex data losslessly (nor is it exactly fast), both of which are key aspects for pickle (and recent versions have been leaning into making it faster by being able to pass around raw buffers).

There are numerous serialisation libraries in Python which are just as widely used as libraries like serde (and can dump JSON just as easily), but they typically are designed for web-apps, rather than multiprocessing (which is a very common use of pickles).

Insecurity and Python pickles

aragilar — Thu, 14 Mar 2024 09:28:32 +0000

My understand of "tabular" implies 2D (i.e. array of records)? In my experience, tabular/catalogue data makes sense in a database. Naturally, higher dimensional data requires different tools (e.g. HDF5).

Insecurity and Python pickles

atnot — Thu, 14 Mar 2024 09:14:08 +0000

> With SQLite: import sqlite3, then write a few lines of SQL. Done.

That's not quite it. You need to laboriously map all of the objects you have into an SQL model first. Then learn about prepared statements, etc. if you don't already know all of this stuff, which as the average scientist you don't. That's easily a dozen lines of code.

> Without SQLite: You have to write out this JSON stuff by hand, make sure your format is unambiguous, parse it back in, etc., and probably you also want to write tests for all of that functionality.

All of this needs to be done for SQL too. You don't just magically get the valid python objects you put in out again. Even if you use a third party ORM-like thing, what about third party objects that were never intending this. And tests are needed for all this stuff.

It's not like Rust etc. where there's a defacto standard for ser/des that everything implements, all of this is real work.

Meanwhile with pickle: You import pickle and just give it the python object you want to save and it works. One line. And it's just built into the language. Sure it's insecure, but you'll fix that maybe once this paper is out.

Insecurity and Python pickles

aragilar — Thu, 14 Mar 2024 09:09:01 +0000

HDF5 is used by at least some of the AI/ML projects (I'm guessing though most people working in the space are fairly new, and making it up as they go).

I'm not sure though you could say that there are multiple mature implementations though. Most libraries wrap libhdf5, and those that don't tend to be pretty limited (because why reinvent the wheel). That's not saying it's a bad format, but usually using libhdf5 is more than sufficient.

Insecurity and Python pickles

taladar — Thu, 14 Mar 2024 08:45:52 +0000

Python, the language, is absolutely at fault here. JSON serialization is trivially easy these days in languages like Rust.

Insecurity and Python pickles

Wol — Thu, 14 Mar 2024 07:36:39 +0000

> Without SQLite: You have to write out this JSON stuff by hand, make sure your format is unambiguous, parse it back in, etc., and probably you also want to write tests for all of that functionality.

You're assuming your JSON doesn't have a schema/definition.

There's a whole bunch of JSON-like stuff (XML/DTD, Pick/MultiValue) where having a schema is optional but enforceable.

If you *declare* that JSON/XML/MV etc without a schema is broken, then all this stuff can be automated extremely easily.

Cheers,
Wol

Insecurity and Python pickles

gspr — Thu, 14 Mar 2024 07:16:51 +0000

> I'm a bit confused about why people keep reinventing the "tabular data in a binary file" wheel. Are SQLite and/or DuckDB unsatisfactory for this purpose?

For ML model weights as discussed here, I've always been baffled that HDF5 isn't used more. It's an established, efficient and flexible standard with mature implementations in pretty much every language.

Insecurity and Python pickles

NYKevin — Thu, 14 Mar 2024 03:58:49 +0000

(And before anyone asks: sqlite3 is a standard library module. It is already installed in every reasonably modern version of Python. You do not have to download it, take a dependency on it, or faff about with pip.)

Insecurity and Python pickles

NYKevin — Thu, 14 Mar 2024 03:55:26 +0000

There is a problem with applying YAGNI here: YAGNI is supposed to *reduce* the amount of work you have to do, not increase it.

With SQLite: import sqlite3, then write a few lines of SQL. Done.

Without SQLite: You have to write out this JSON stuff by hand, make sure your format is unambiguous, parse it back in, etc., and probably you also want to write tests for all of that functionality.

Insecurity and Python pickles

intelfx — Thu, 14 Mar 2024 01:09:42 +0000

> shared and exclusive locking, write-ahead logging, etc.

I don't quite see how is any of this useful in the context of a data _interchange_ file format? All of these files are written exactly once and then read or distributed. If something happens during writing of such a file, the partial result is simply discarded and recomputed because it has no meaning.

Insecurity and Python pickles

NYKevin — Wed, 13 Mar 2024 22:31:59 +0000

SQLite can store any individual thing you want, as long as you can serialize it to bytes. Of course, a table full of TEXT objects is much less useful than a properly normalized table, but it does provide all of the supporting infrastructure (i.e. actually writing data out to files, shared and exclusive locking, write-ahead logging, etc.) for free, so it's still better than hand-rolled code.

Insecurity and Python pickles

Wol — Wed, 13 Mar 2024 22:05:43 +0000

> I'm a bit confused about why people keep reinventing the "tabular data in a binary file" wheel. Are SQLite and/or DuckDB unsatisfactory for this purpose?

Maybe because a two-dimensional table is unusual, unnatural, and constricting?

Is SQLite capable of storing a 4th-normal-form structure in a single row?

Cheers,
Wol

Insecurity and Python pickles

NYKevin — Wed, 13 Mar 2024 21:35:27 +0000

I'm a bit confused about why people keep reinventing the "tabular data in a binary file" wheel. Are SQLite and/or DuckDB unsatisfactory for this purpose?

Looking through your code, it appears that one of the things you're doing is moving data between the file and NumPy. I'm guessing that a major sticking point here is that SQLite provides no obvious way to efficiently move large quantities of data between itself and NumPy. Interestingly, it looks like DuckDB does actually try to support that use case to some extent.[1] But I don't know enough about your use case to say whether that's actually good enough.

[1]: https://duckdb.org/docs/api/python/overview.html and pages linked from there.

Insecurity and Python pickles

rav — Wed, 13 Mar 2024 19:39:36 +0000

> Safetensors files use a JSON header to describe the contained data: the shape of each layer of the model, the numeric format used for the weights, etc. After the header, a safetensors file includes a flat byte-buffer containing the packed weights.

Such a simple format - exactly how it should be. Maybe I'm a bit biased, because I came up with the same idea independently (and in another context - astrophysics rather than ML), although a multi-file format where it sounds like safetensors is a single-file format. https://github.com/Mortal/bintable/blob/main/bintable.py

Insecurity and Python pickles

NYKevin — Wed, 13 Mar 2024 17:43:52 +0000

I'm not sure it's that easy. Most people know the difference between a .exe and all other file formats (assuming a Windows context, because let's face it, that's where the users are). They may or may not be able to recognize any of the following as potentially dangerous:

*.dll (dynamic linked library, analogous to *.so on Linux) - Windows automatically loads DLLs in the same directory as an executable before searching other directories, on the theory that C:\Program Files\ is supposed to be root-owned and you're not supposed to have random *.exe files lying around your homedir.
*.reg (Windows Registry entries, exported as files) - to be fair, Windows does display a warning message on these when you double-click, but if clicked through, it will import them back into your registry.
*.vbs (VBScript, a scripting language supported by ~all versions of Windows) and various other extensions associated with VBScript.
*.bat (MS-DOS batch files, another scripting language supported by ~all versions of Windows)
*.ps1 (PowerShell script, supported by modern versions of Windows) - to be fair, Windows defaults to the "edit" verb on double-click, and unsigned scripts won't run unless a system-wide setting is adjusted.
*.hlp (WinHelp file, supported by everything older than Windows 10) - deprecated primarily because it is hideously insecure, but when I Google it, different websites seem to identify different specific problems (macros, embedded DLLs, possibly others?).

And probably other formats that I don't know about.

Insecurity and Python pickles

Karellen — Tue, 12 Mar 2024 21:59:04 +0000

And yes, sure, the pickles might be insecure, but they're you're pulling down megabytes of python code you don't understand to actually run the model anyway, so does it really matter?

The thing is, a lot of non-computer people understand the difference between "code" and "data". They might understand it with varying levels of sophistication, but they often understand that running random programs from arbitrary websites can be inherently dangerous, in a way that viewing random pictures, or random videos, or listening to random mp3s, or reading random web pages, "shouldn't" be (genuine bugs aside).

Sure, they don't understand the code that runs a model, in the same way they don't understand the code that makes up a media player. But if they trust the entity that wrote the code, they don't need to. And they probably can (and should) trust Huggingface, or Microsoft.

And with that trusted code, they should be able to try out data files from anywhere, with relative safety, right? Right?

Because, as we've known from auto-executing macros in Office documents for over a quarter of a century now, making data executable is a bad idea. So no-one would be stupid enough to make that mistake again, in the mid-2020s, surely? You, as a regular user who's not a software dev, shouldn't have to check if data is safe to load, should you?

Insecurity and Python pickles

flussence — Tue, 12 Mar 2024 21:33:13 +0000

Maybe nVidia had a point all those years ago when they were screaming from the rooftops that WebGL was a mistake, and weren't just saying it because it exposed how embarrassingly bad their own driver code was. There should be some barrier to entry, a minimum level of competence and common sense before you can even _know about_ the big toys, let alone wield them. We've taken all the molly guards away for the sake of convenience, assuming anyone in the control room would at least be smart enough to read the warning labels, and now here we are.

To be fair to Python, the language is absolutely not at fault. Pretty much every high level scripting language has an equivalent feature and the world hasn't ended because of it... though evidently not for lack of trying.

Insecurity and Python pickles

atnot — Tue, 12 Mar 2024 19:38:06 +0000

My lesson would rather be that if you provide something useful in a way that can not be used safely, it will inevitably expand in usage until it becomes a problem.

Pickle is used a lot by machine learning folks because it's an easy way to checkpoint long-running jobs. I've used it for that myself. You *could* hook up custom json serialization or something, but it's a pretty huge pain to do in python. And remember most of these people are researchers first and programmers second. And yes, sure, the pickles might be insecure, but they're you're pulling down megabytes of python code you don't understand to actually run the model anyway, so does it really matter?

And so, lacking better alternatives, the usage expands into new use cases until suddenly the theoretical issue becomes a practical one.

See also: PyYaml, which had all of these convenient functions for writing python inline in your local configuration files. Until people started using it for data interchange. Or the naive file format parsers of a nice convenient tool to resize your images. That then accidentally became the standard library people hooked up to their php sites.

Insecurity and Python pickles

pwfxq — Tue, 12 Mar 2024 18:50:31 +0000

You use an interface that is clearly labeled as being insecure and then are surprised to discover people can do bad things?

Colo[u]r me shocked.