One issue would have allowed cross-tenant attacks, and another enabled access to a shared registry for container images; exploitation via an insecure Pickle file showcases emerging risks for AI-as-a-service more broadly.
It’s not the only problem listed here, and they’re pretty explicit that pickle files are known to be insecure. However, Huggingface isn’t being negligent by allowing them. Somewhat ironically, it’s tough to get ML engineers/researchers to try anything they didn’t learn first. Huggingface themselves make safetensors, which is a more secure open weights format, but there are also competing standards in this space and many stubborn and apathetic devs will stick with pickle because it’s easy. It’s a tough problem for HF, but I understand why they do it this way.
In a previous job I asked that we not use pickle files, either in trying new models or in internally distributing models, and they didn’t see the point. This is a wider cultural problem, and HF is just trying to capitalize on that market of dumb dumb ML researchers.
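Added example, not from the thread or from Huggingface: what "pickle files are known to be insecure" means in practice, and the two things you can do about it when a pickle cannot be avoided. The payload is constructed for the demo and calls `builtins.print` instead of `os.system`, so it is harmless; the benign "weights" are an `OrderedDict`, the shape a PyTorch state_dict has. Everything is standard library; `ALLOWED_GLOBALS`, `find_globals`, `is_safe_to_load` and `RestrictedUnpickler` are names chosen here, not any library's API.

```python
"""Added example (not from the thread): a pickle "weights file" as a code-execution
vector, a static scan of the globals it would import, and an allowlisting
Unpickler as the enforcement. Standard library only; the payload is constructed
for the demo and is harmless (builtins.print stands in for os.system)."""
import io
import pickle
import pickletools
from collections import OrderedDict


class MaliciousModel:
    """Any class may define __reduce__; the unpickler calls the callable it
    returns, with the returned args, during load, before the caller sees anything."""

    def __reduce__(self):
        # A real payload returns (os.system, ("curl ... | sh",)) here.
        return (print, ("PAYLOAD RAN inside pickle.loads()",))


def make_benign_pickle() -> bytes:
    # Constructed sample: a state_dict-shaped mapping of layer name -> weights.
    return pickle.dumps(OrderedDict(layer0=[0.1, 0.2]))


def make_malicious_pickle() -> bytes:
    return pickle.dumps(MaliciousModel())


# Globals a loader of this format is allowed to resolve (assumption for the demo;
# a PyTorch loader's list would also name torch storage/tensor classes).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes) -> list:
    """Statically list the (module, name) pairs the pickle would import, without
    running it. Protocol <= 3 emits GLOBAL with a 'module name' argument; protocol
    >= 4 pushes the two strings then emits STACK_GLOBAL. Heuristic: the two most
    recent string values (including memo fetches) are taken as module and name,
    which is what the pickle module itself emits. Hand-crafted pickles can evade
    this, so it is triage only; RestrictedUnpickler below is the enforcement."""
    globals_seen = []
    strings = []            # string values in push order
    memo = {}               # memo slot -> string, for GET/BINGET references
    memo_next = 0           # MEMOIZE assigns slots sequentially
    last_pushed = None
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name in STRING_OPS:
            pushed = arg
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)
        elif op.name == "MEMOIZE":
            if last_pushed is not None:
                memo[memo_next] = last_pushed
            memo_next += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if last_pushed is not None:
                memo[arg] = last_pushed
        elif op.name == "GLOBAL":
            module, qualname = arg.split(" ", 1)
            globals_seen.append((module, qualname))
        elif op.name == "STACK_GLOBAL":
            globals_seen.append((strings[-2], strings[-1]))
        if pushed is not None:
            strings.append(pushed)
        last_pushed = pushed
    return globals_seen


def is_safe_to_load(data: bytes) -> bool:
    """True only if every global the pickle would import is on the allowlist."""
    return all(g in ALLOWED_GLOBALS for g in find_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the single hook through which the unpickler resolves names,
    so an allowlist here blocks the callable behind REDUCE/NEWOBJ/INST alike."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    bad = make_malicious_pickle()
    print("static scan of payload:", find_globals(bad))
    print("safe to load?", is_safe_to_load(bad))
    try:
        safe_load(bad)
    except pickle.UnpicklingError as exc:
        print("restricted loader refused it:", exc)
    print("plain pickle.loads() by contrast:")
    pickle.loads(bad)   # the payload runs here, and loads() returns None
    print("benign weights via restricted loader:", dict(safe_load(make_benign_pickle())))
```

The static scan is the same idea as running a pickle scanner over an upload before anyone loads it; the `find_class` override is the same idea as PyTorch's `torch.load(..., weights_only=True)`, which also allowlists the globals it will resolve. Safetensors sidesteps the whole problem by making the file a JSON header plus raw tensor bytes, so there is no code path to allowlist in the first place.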