Pickle conversion now requires `--trust-remote-code`. (#1704)
# What does this PR do?

Fixes # (issue)

## Before submitting

- [ ] This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
- [ ] Did you read the [contributor guideline](https://github.com/huggingface/transformers/blob/main/CONTRIBUTING.md#start-contributing-pull-requests), Pull Request section?
- [ ] Was this discussed/approved via a Github issue or the [forum](https://discuss.huggingface.co/)? Please add a link to it if that's the case.
- [ ] Did you make sure to update the documentation with your changes? Here are the [documentation guidelines](https://github.com/huggingface/transformers/tree/main/docs), and [here are tips on formatting docstrings](https://github.com/huggingface/transformers/tree/main/docs#writing-source-documentation).
- [ ] Did you write any new necessary tests?

## Who can review?

Anyone in the community is free to review the PR once the tests have passed. Feel free to tag members/contributors who may be interested in your PR.
This commit is contained in:
parent
99874eae74
commit
c7e570e59d
|
@ -23,6 +23,8 @@
|
||||||
title: All TGI CLI options
|
title: All TGI CLI options
|
||||||
- local: basic_tutorials/non_core_models
|
- local: basic_tutorials/non_core_models
|
||||||
title: Non-core Model Serving
|
title: Non-core Model Serving
|
||||||
|
- local: basic_tutorials/safety
|
||||||
|
title: Safety
|
||||||
title: Tutorials
|
title: Tutorials
|
||||||
- sections:
|
- sections:
|
||||||
- local: conceptual/streaming
|
- local: conceptual/streaming
|
||||||
|
|
|
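Review bot: the new toctree entry `basic_tutorials/safety` matches the path used in the cli.py warning URL (`.../basic_tutorials/safety`), so the link in the log message will resolve once this entry is published; consider titling it "Model safety" so the sidebar matches the page's own `# Model safety.` heading.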
@ -0,0 +1,31 @@
|
||||||
|
# Model safety.
|
||||||
|
|
||||||
|
[Pytorch uses pickle](https://pytorch.org/docs/master/generated/torch.load.html) by default meaning that for quite a long while
|
||||||
|
*Every* model using that format is potentially executing unintended code while purely loading the model.
|
||||||
|
|
||||||
|
There is a big red warning on Python's page for pickle [link](https://docs.python.org/3/library/pickle.html) but for quite a while
|
||||||
|
this was ignored by the community. Now that AI/ML is getting used much more ubiquitously we need to switch away from this format.
|
||||||
|
|
||||||
|
HuggingFace is leading the effort here by creating a new format which contains pure data ([safetensors](https://github.com/huggingface/safetensors))
|
||||||
|
and moving slowly but surely all the libs to make use of it by default.
|
||||||
|
The move is intentionnally slow in order to make breaking changes as little impact as possible on users throughout.
|
||||||
|
|
||||||
|
|
||||||
|
# TGI 2.0
|
||||||
|
|
||||||
|
Since the release of TGI 2.0, we take the opportunity of this major version increase to break backward compatibility for these pytorch
|
||||||
|
models (since they are a huge security risk for anyone deploying them).
|
||||||
|
|
||||||
|
|
||||||
|
From now on, TGI will not convert automatically pickle files without having `--trust-remote-code` flag or `TRUST_REMOTE_CODE=true` in the environment variables.
|
||||||
|
This flag is already used for community defined inference code, and is therefore quite representative of the level of confidence you are giving the model providers.
|
||||||
|
|
||||||
|
|
||||||
|
If you want to use a model that uses pickle, but you still do not want to trust the authors entirely we recommend making a convertion on our space made for that.
|
||||||
|
|
||||||
|
https://huggingface.co/spaces/safetensors/convert
|
||||||
|
|
||||||
|
This space will create a PR on the original model, which you are use directly regardless of merge status from the original authors. Just use
|
||||||
|
```
|
||||||
|
docker run .... --revision refs/pr/#ID # Or use REVISION=refs/pr/#ID in the environment
|
||||||
|
```
|
|
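Review bot: the new safety.md carries several typos and one broken sentence: "intentionnally" should be "intentionally", "convertion" should be "conversion", and "which you are use directly" should read "which you can use directly". The closing fence around `docker run .... --revision refs/pr/#ID` should carry a language tag such as `bash`, and the page should state explicitly that `--trust-remote-code` (or `TRUST_REMOTE_CODE=true`) also enables running community-defined model code, so a user who sets it only to unblock pickle conversion understands the wider permission they are granting; the line "This flag is already used for community defined inference code" hints at this but does not spell it out.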
@ -249,6 +249,13 @@ def download_weights(
|
||||||
local_pt_files = utils.download_weights(pt_filenames, model_id, revision)
|
local_pt_files = utils.download_weights(pt_filenames, model_id, revision)
|
||||||
|
|
||||||
if auto_convert:
|
if auto_convert:
|
||||||
|
if not trust_remote_code:
|
||||||
|
logger.warning(
|
||||||
|
f"🚨🚨BREAKING CHANGE in 2.0🚨🚨: Safetensors conversion is disabled without `--trust-remote-code` because "
|
||||||
|
f"Pickle files are unsafe and can essentially contain remote code execution!"
|
||||||
|
f"Please check for more information here: https://huggingface.co/docs/text-generation-inference/basic_tutorials/safety",
|
||||||
|
)
|
||||||
|
|
||||||
logger.warning(
|
logger.warning(
|
||||||
f"No safetensors weights found for model {model_id} at revision {revision}. "
|
f"No safetensors weights found for model {model_id} at revision {revision}. "
|
||||||
f"Converting PyTorch weights to safetensors."
|
f"Converting PyTorch weights to safetensors."
|
||||||
|
|
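Review bot: the new `if not trust_remote_code:` block only logs; nothing in this hunk prevents the conversion, so when `auto_convert` is true and `trust_remote_code` is false the code logs "Safetensors conversion is disabled" and then immediately logs "Converting PyTorch weights to safetensors." If `auto_convert` is already derived from `trust_remote_code` earlier in `download_weights`, move this warning into that branch; otherwise add `auto_convert = False` (or `return`) right after the warning so the message and the behaviour agree. Also, the implicitly concatenated strings have no separator between `remote code execution!"` and `"Please check`, producing "execution!Please check" in the log; add a trailing space, and the two f-strings without placeholders can be plain string literals.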