Remove license-infringing / potentially malicious / obfuscated code #2151
this is a positive change to ensure the security of this program
After reading this I hope he stays firm and ignores giving any credit at all
On Tue, Oct 22, 2024, 4:43 PM Adrien ***@***.***> wrote:
***@***.**** approved this pull request.
this is a positive change to ensure the security of this program
Like, all all?
All the things referred to by this post, or, what the parentheses say.
How about "These things (X, Y, Z) go against..." instead of literally "All you have done (X, Y, Z) all go against..."? You'll be taken more seriously if you take lllyasviel more seriously; they have overwhelming evidence supporting that they are a shining beacon, a leader in the FOSS community. My brain is too smooth to understand your complaint, I won't comment on that, but you sound like a troll using this sort of absolute terminology. I've looked at your PR in the blockly prototypes repo and, again, this looks like one way to not be taken seriously.
Just for clarity, it is mostly trolling; the comments in those PRs are from people on the same Discord and they're just fucking around. Maybe it doesn't take away the entire point, but the validity doesn't feel as genuine as if it was pointed out by non-comfy dickriders.
That would be a fair substitution; I've replaced it.
As Enferlain has posted, yeah, this is mostly a troll, but the issue that's been posted is an actual issue and should be acted upon; but will lllyasviel actually do anything? Probably not, since they'd rather keep the code they stole than credit it (please prove me wrong, lllyasviel).
@lllyasviel has done more for the AI art community than anyone else. I am not a programmer, I am not a coder. I am an AI art generator. And the tools he provided free of charge have been a godsend to the community.
I hope for more sharing rather than mutual hostility; this is the spirit of open source.
Does that excuse ignoring the license and stealing code? ControlNet does not justify license violations.
The code removed by this PR is against said spirit.
Leaving this unaddressed is such a weird hill to die on. Surely this will have to be addressed some day? I highly doubt it's malicious code and it's probably just a "borrowed" sampler or bits of code, but I don't really think it's that big of a deal. Forge is great and the creator has done so much for this community; surely he has enough "cred" or "clout" to just issue a statement and move on. Ill's is literally in the hall of fame for Stable Diffusion as far as I'm concerned, so to ruin that legacy over something so trivial is just making me wonder if it really IS something way worse than a stupid sampler. I think even just removing the code without a statement would be a much better course of action than the current silence and continuing to leave it in.
See also this PR in the appropriate repository
License Infringing
This code is copied, at least partially, from ComfyUI, which has a GPL-3.0 license that prohibits releasing compiled code without publishing the source code used to produce said compiled code. This therefore means that if the source code in the "Flux Realism" sampler is GPL-3.0, it violates the license, and there should be some way to obtain the source code which, when compiled or used, produces "Flux Realism". This isn't an issue with using ComfyUI code; the issue is using compiled ComfyUI code without indicating what/how to get the source.
... That's a large if, isn't it?
Well, there is substantial proof for the "Flux Realism" sampler being ComfyUI code, which therefore goes against the license. We can prove this by trying to de-obfuscate the code, which, while tough, includes a somewhat obfuscated re-mapping of the main obfuscated code. The full-ish remapping can be obtained by de-chaining some of the definitions (e.g. if `GB_202 = GB_147` and `GB_147` is `"foo"`, then `GB_202` is `"foo"`), and, once done, gives us a map of all the strings/values used, which you can read here. The most important thing in this map, at least for this section, is the `GB_48` key, which results in a value of `lbda`. Now, if you look up `lbda` on Forge, you get nothing, but there is one repository which might be interesting for us: ComfyUI. If we search `lbda` on ComfyUI, we get a match in the `sample_dpmpp_2s_ancestral_RF` function, which, as the name implies, applies DPM++ 2S Ancestral to RF-based models like Flux. The most important thing here is that `lbda` is never mentioned again anywhere in the code, which means that for it to randomly appear in a completely different repository, which supposedly "Does Not Use ComfyUI Code", is not just suspicious, but a guarantee that this code is copied from ComfyUI. Oh, and the commit that added the sampler in ComfyUI got pushed way before the blockly repository.
Potentially Malicious
This section is more so speculation, as, without the original de-obfuscated code, we can only see into the string mappings and draw conclusions. One of those weird string mappings is `GB_407`, which returns a value of `exec_module`... huh... I wonder what that could do. There's also a bunch of free-sitting letters, and the function `join`, which could possibly be to combine lists of chars into a string, which is odd... There is also `GB_684`, which returns `os`. oh... oh no...... Fortunately the list doesn't include `system`, so a sampler can't run arbitrary commands.
Obfuscated
If you want more info, read this PR in the blockly prototypes repo; it basically boils down to: "This makes no sense", "Blockly can compile directly into python" and "This is just obfuscated". Another thing to add on is `GB_941`, which maps to RSA; `GB_657`, which maps to AES; `GB_63`, which maps to `main_verification_function`; `GB_959`, which maps to `compare_key`; `GB_367`, which maps to `compare_user_key`; `GB_1080`, which maps to `verify_environment_or_quit`; and `GB_943`, which maps to `verify_certification`. Now, why would all of these encryption/hashing/key-related terms be in a sampler of all places? Surely not to avoid de-compilation... right?
I end this PR with a message, not to the community contributors, but to @lllyasviel themself. All of these things you have done (copying comfy code, obfuscating, being generally very aggressive and maybe even possibly surely not including some very weird imports) go against the FOSS spirit. Tell us, why couldn't you just credit where you took the code from?
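The de-chaining step described in the PR body (following `GB_202 = GB_147`, `GB_147 = "foo"` down to the literal) and the follow-up scan for names like `exec_module` and `os`, written out as an added analyst-side example; this is not code from the PR or from either project. The `GB_*` keys and values are those quoted above, while `GB_500`, `GB_9`, `GB_10` and the alias chains are constructed.

```python
import re

# Constructed sample in the style the PR describes: some GB_* names alias
# other names, some hold string literals. GB_500, GB_9 and GB_10 are made up.
SAMPLE = '''
GB_147 = "lbda"
GB_202 = GB_147
GB_48 = GB_202
GB_407 = "exec_module"
GB_684 = "os"
GB_500 = "join"
GB_941 = "RSA"
GB_9 = GB_10
GB_10 = GB_9
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|\w+)\s*$')

# Names whose presence in a sampler warrants a closer look (from the PR).
WATCHLIST = {"exec_module", "os", "system", "join"}


def parse_mapping(src):
    """Return {name: raw_rhs} for every simple one-line assignment."""
    mapping = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def resolve(mapping):
    """De-chain aliases: follow name -> name until a string literal is hit.
    Chains that end in a cycle or an unknown name resolve to None."""
    resolved = {}
    for name in mapping:
        seen, cur = set(), name
        while cur in mapping and cur not in seen:
            seen.add(cur)
            cur = mapping[cur]
            if cur[0] in "\"'":          # reached a literal: strip quotes
                resolved[name] = cur[1:-1]
                break
        else:                            # loop exhausted without a literal
            resolved[name] = None
    return resolved


def suspicious(resolved):
    """Identifiers whose de-chained value is on the watchlist."""
    return {n: v for n, v in resolved.items() if v in WATCHLIST}
```

Running `suspicious(resolve(parse_mapping(SAMPLE)))` surfaces the `exec_module`, `os` and `join` keys while leaving `RSA` and the unresolvable cycle out, which is the triage the PR performs by hand.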