Death to the Pickle!

[FullBleed]

Looks like stability is finally taking a stand against the ckpt formats: https://www.reddit.com/r/StableDiffusion/comments/14mrl1g/warning_never_open_a_ckpt_file_without_knowing/

And in the discussion it was mentioned that webui (and presumably sdnext) would actually run ckpt/pt files that were renamed safetensor... but that it was "recently" fixed in webui and Stability held off making this particular announcement until it was.

1. Has that "fix" been propagated to sdNext yet?

2. Why not take it one step further, and give us a default Setting that will simply stop any ckpt/pt files from being run? (including TIs, loras, VAEs, etc.) I think blocking the pickle formats should be default and people who wish to take the risk should a) know it's a risk and b) have to takes steps to do so (i.e. turn off the block, like putting in a exception in their antivirus programs for certain files and accepting the risk.)

This has been an unnecessary risk for a long time.

Also in the discussion, it was mentioned that Kohya's new trainer for SDXL should produce safetensor by default in the future.

[vladmandic]

yes, safetensors is a better format, i like it before it supports memory mapping so it loads faster from modern ssds.

but security? i have not yet seen a single real-world exploit. ever. its all theory.
you say this is unnecessary risk? sure, i can ban ckpt, that would be trivial - show me a single use-case.

and on the other hand, installing any extension gives that extension full permission to your system - it can do anything it wants, monkey-patch system calls, steal your data, wipe your files, anything - and people still install extensions from any random source without any considerations.

and every time i try to establish some rules about badly behaving extensions i get pushback "but we really need that extension".

[FullBleed]

I think it needs to be like standard virus protection software.

Let people know when they are taking a risk and make them "Opt Into" the risk.

Don't let taking the risk be the default.

As for an example of an exploit, talk to Stability. I doubt they'd be making that announcement without having seen something troubling (it sounds like they saw some issues with fake SDXL .9 ckpt files... which is exactly the type of vector you'd expect.)

PS: Someone specifically asked about whether or not SDNext has the webui fix to stop ckpt files from masquerading as safetensor files: https://www.reddit.com/r/StableDiffusion/comments/14mrl1g/comment/jq92j9n/?context=3

[vladmandic]

virus protection software evolved because there were viruses. like i said, i'm yet to see an exploit there. and you've totally ignored my second point.

yes, i can add a checkbox in settings to disallow ckpt - but does that actually do anything except to claim "we've solved it" (without even defining what "it" is). its like pluging a pinhole on a on a ship that doesn't even have a hull.

[FullBleed]

What was your second point? That extensions are a worse problem?

I addressed that by saying that you should make people Opt In to risks (including extensions that you're getting "push back" on that people want to use despite the risks.) You can still warn people about them without stopping them from doing it and it would be a service to the community. Instead of pushback you might actually get, "Thanks... I had no idea this was a risk!"

And I disagree that virus protection is only for existing viruses. They are constantly updating to protect against attack vectors that have been found but where no actual exploits exist. Same with OS's patching against *possible" exploits without any actually being found in the wild. There is a whole industry of bounties to find weaknesses before they are exploited.

The notion that if you can't protect against everything means you shouldn't protect against anything doesn't make sense to me... and if this is "trivial" why not do it? shrug

I'll let some other people comment at this point. I don't have anything more to add.

[vladmandic]

i'll add it, i have no problem doing so, i just wanted to point out that i've been hearing how unsafe ckpts are for years now and have not seen a single real-world exploit. i really wish if someone pointed out such sd model so i can actually test it - i could not find a single one.
and i don't like adding things "in theory" when i cannot test them.

and on the other hand, i cannot prevent extension of doing the same (if it wants to load ckpt, i cannot prevent it just like i cannot prevent it from deleting files from your disk or corrupting main app).

[vladmandic]

option added: