Don't use pickle to share weights

[unrealwill]

Hello,
Afaik pickle isn't safe from a security standpoint and expose your user to arbitrary code execution when they download what's supposed to be safe weights.

For example https://thisbeachdoesnotexist.com/ offer to download some pretrained model using your architecture.
But there is no way I'll trust a random website to run code, so I can't use their pretrained model.

Thanks.

[johndpope]

You could use docker as a shield to the OS.
or
https://github.com/CensoredUsername/picklemagic

[unrealwill]

I'm not in a developer role, I'm in a user role : I just want to run NVLabs' code with untrusted weights downloaded from the internet, to produce pretty images.

Running NVLabs' code :
python generate.py --outdir=out --trunc=1 --seeds=0-35 --class=1 --network=any-untrusted-weight.pkl

Should not compromise my machine or my network ever, and I shouldn't need to protect against using a pseudo jail like docker.

So NVLabs need to take an action, not me or any other user.

I'd advise NVLabs against using CensoredUsername's picklemagic unless they fully audit it first and forever.

[vsemecky]

I understand your concern, but...

1. Both StyleGan2-Ada and ThisBeachDoesNotExist.com are for research purposes only, not for end-users, so perhaps they don't deal with security that much.
2. PKL format is nothing but a serialized data structure. You can easily look inside the pkl file and verify that there is no malicious code.