🚨🚨🚨 Delete conversion scripts when making release wheels #35296

Merged
merged 3 commits into from
Dec 17, 2024

@Rocketknight1 (Member) commented Dec 16, 2024

This PR updates release.py to delete model conversion scripts. These scripts are generally included with specific model classes to convert checkpoints in non-Transformers formats. Often these scripts have to open insecure file types, because those were the file types the model was released with (e.g. pickle or old Torch .bin checkpoints). This results in vulnerability scanners flagging us, and can cause compliance issues for users.

We don't see this as a serious attack vector in practice because users would have to be induced to download a malicious file and call an obscure conversion script on it, but excluding these files from release wheels should help with compliance issues!

Fixes #34840
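A post-build check that a release wheel really ships no conversion scripts, as an added example (not code from this PR or from release.py). The `convert*.py` glob under `models/` and the sample file names are assumptions, and the wheel is constructed in memory.

```python
import csv
import fnmatch
import io
import sys
import zipfile

# Assumed naming convention for conversion scripts; not stated on this page.
CONVERSION_GLOB = "*/models/*/convert*.py"


def build_sample_wheel(paths):
    """Constructed stand-in for a release wheel: empty members plus a RECORD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in paths:
            zf.writestr(p, "")
        zf.writestr("pkg-0.0.dist-info/RECORD", "".join(f"{p},,\n" for p in paths))
    buf.seek(0)
    return buf


def audit_wheel(wheel, pattern=CONVERSION_GLOB):
    """Return conversion scripts present as archive members or RECORD entries.

    RECORD is checked too, so a wheel whose manifest still lists a script
    that was deleted from the archive (or the reverse) is also reported.
    """
    found = set()
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            if fnmatch.fnmatchcase(name, pattern):
                found.add(name)
            if name.endswith(".dist-info/RECORD"):
                rows = csv.reader(io.StringIO(zf.read(name).decode("utf-8")))
                found.update(r[0] for r in rows
                             if r and fnmatch.fnmatchcase(r[0], pattern))
    return sorted(found)


if __name__ == "__main__":
    # Pass a wheel path to gate a release; otherwise audit a constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_wheel(
        ["transformers/models/bert/modeling_bert.py"])
    hits = audit_wheel(target)
    for hit in hits:
        print("conversion script in wheel:", hit)
    sys.exit(1 if hits else 0)
```

Run against the built wheel in CI, a non-zero exit blocks the upload when a conversion script slipped through.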

@Rocketknight1 (Member, Author)

cc @LysandreJik @ArthurZucker for core maintainer review! I checked with make pre-release locally and it worked as intended.

@HuggingFaceDocBuilderDev

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@ArthurZucker (Collaborator) left a comment

Sounds good, let's just put 🔴 🔴 🔴 in the PR name!

@Rocketknight1 Rocketknight1 changed the title from "Delete conversion scripts when making release wheels" to "🚨🚨🚨 Delete conversion scripts when making release wheels" Dec 17, 2024
@Rocketknight1 Rocketknight1 merged commit e0ae9b5 into main Dec 17, 2024
11 checks passed
@Rocketknight1 Rocketknight1 deleted the exclude_conversion_scripts_from_release branch December 17, 2024 14:18
Development

Successfully merging this pull request may close these issues.

CVE-2024-11392/11393/11394 vulnerabilities
3 participants