
Remove license-infringing / potentially malicious / obfuscated code #2151

Open. Wants to merge 3 commits into base: main.

Conversation

@parsee-mizuhashi commented Oct 22, 2024

See also this PR in the appropriate repository

License Infringing

This code is copied, at least partially, from ComfyUI, which has a GPL-3.0 license, which prohibits releasing compiled code without publishing the source code used to produce said compiled code. This therefore means that if the source code in the "Flux Realism" sampler is GPL-3.0, it violates the license and should come with some way to obtain the source code which, when compiled or used, returns the "Flux Realism" sampler. This isn't an issue with using ComfyUI code; the issue is using compiled ComfyUI code without indicating what/how to get the source.

... That's a large if, isn't it?

Well, there is substantial proof for the "Flux Realism" sampler being ComfyUI code, which therefore goes against the license. We can prove this by trying to de-obfuscate the code, which, while tough, includes a somewhat obfuscated re-mapping of the main obfuscated code. The full-ish remapping can be obtained by de-chaining some of the definitions (e.g. if GB_202 = GB_147 and GB_147 is "foo", then GB_202 is "foo"), and, once done, gives us a map of all the strings/values used, which you can read here. The most important thing in this map, at least for this section, is the GB_48 key, which results in a value of lbda. Now, if you look up lbda on forge, you get nothing, but there is one repository which might be interesting for us: ComfyUI. If we search for lbda on ComfyUI, we get a match in the sample_dpmpp_2s_ancestral_RF function, which, as the name implies, applies DPM++ 2S Ancestral to RF based models, like Flux. The most important thing here is that lbda is never mentioned again anywhere in the code, which means that for it to randomly appear in a completely different repository, which supposedly "Does Not Use ComfyUI Code", is not just suspicious, but a guarantee that this code is copied from ComfyUI. Oh, and the commit that added the sampler in ComfyUI got pushed way before the blockly repository.

Potentially Malicious

This section is more so speculation, as, without the original de-obfuscated code, we can only see into the string mappings and draw conclusions. One of those weird string mappings is GB_407, which returns a value of exec_module... huh... I wonder what that could do. There's also a bunch of free-sitting letters, and the function join, which could possibly be to combine lists of chars into a string, which is odd... There is also GB_684 which returns os. oh... oh no...... Fortunately the list doesn't include system so a sampler can't run arbitrary commands.

Obfuscated

If you want more info, read this PR in the blockly prototypes repo; it basically boils down to: "This makes no sense", "Blockly can compile directly into python" and "This is just obfuscated". Another thing to add on is GB_941 which maps to RSA; GB_657, which maps to AES; GB_63, which maps to main_verification_function; GB_959, which maps to compare_key; GB_367, which maps to compare_user_key; GB_1080, which maps to verify_environment_or_quit and GB_943, which maps to verify_certification. Now, why would all of these encryption/hashing/key-related terms be in a sampler of all places? Surely not to avoid de-compilation... right?

I end this PR with a message, not to the community contributors, but to @lllyasviel themself. All of these things you have done (copying comfy code, obfuscating, being generally very aggressive and maybe even possibly surely not including some very weird imports) go against the FOSS spirit. Tell us, why couldn't you just credit where you took the code from?
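The de-chaining step the PR description walks through (GB_202 = GB_147, GB_147 is "foo", so GB_202 is "foo"), written out as an added Python example; this is not code from the PR or from either repository. The mapping text is constructed for illustration using the GB_ keys and values the description cites, plus a hypothetical GB_1/GB_2 cycle to show that the resolver terminates; the watchlist is the set of values the description calls out.

```python
import re

# Constructed sample of an obfuscated name->value table in the style the PR
# describes: GB_<n> names bound either to a string literal or to another
# GB_<n> name. Pairs cited in the PR (GB_48 -> lbda, GB_407 -> exec_module,
# GB_684 -> os, GB_941 -> RSA, GB_657 -> AES) are used; GB_1/GB_2 are a
# hypothetical cycle added here to exercise the loop guard.
SAMPLE_MAPPING = """
GB_147 = "lbda"
GB_202 = GB_147
GB_48 = GB_202
GB_407 = "exec_module"
GB_684 = "os"
GB_941 = "RSA"
GB_657 = "AES"
GB_1 = GB_2
GB_2 = GB_1
"""

ASSIGN_RE = re.compile(r'^\s*(GB_\d+)\s*=\s*(?:"([^"]*)"|(GB_\d+))\s*$')

def parse_mapping(text):
    """Read lines of the form GB_n = "literal" or GB_n = GB_m into a dict."""
    table = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, literal, alias = m.groups()
            table[name] = literal if alias is None else alias
    return table

def resolve(table):
    """De-chain aliases: follow GB_x -> GB_y -> ... until a value that is not
    itself a table key is reached. A cycle resolves to None instead of
    looping forever; a reference to an unknown name is returned as-is."""
    resolved = {}
    for name in table:
        seen, cur = set(), name
        while cur in table and cur not in seen:
            seen.add(cur)
            cur = table[cur]
        resolved[name] = None if cur in table else cur
    return resolved

# Values the PR singles out as out of place in a sampler module.
WATCHLIST = {"exec_module", "os", "system", "join", "RSA", "AES"}

def flag_suspicious(resolved, watchlist=WATCHLIST):
    """Return (name, value) pairs whose de-chained value is on the watchlist."""
    return sorted((k, v) for k, v in resolved.items() if v in watchlist)
```

Run `flag_suspicious(resolve(parse_mapping(SAMPLE_MAPPING)))` to get the flagged pairs; on a real dump, feed the extracted mapping text in place of the constructed sample.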

@AshtakaOOf left a comment

this is a positive change to ensure the security of this program

@alebeard commented Oct 22, 2024 via email

@Enferlain

[animated image: ezgif-7-8a06f67f46]

@altoiddealer (Contributor)

All of the things you have done ... all go against the FOSS spirit

Like, all all?

@parsee-mizuhashi (Author)

All of the things you have done ... all go against the FOSS spirit

Like, all all?

All the things referred to by this post, or what the parentheses say.

@altoiddealer (Contributor)

All the things referred to by this post, or, what the parenthesis say.

How about "These things (X, Y, Z) go against..." instead of literally "All you have done (X, Y, Z) all go against...".

You'll be taken more seriously if you take lllyasviel more seriously - they have overwhelming evidence supporting that they are a shining beacon, a leader in the FOSS community. My brain is too smooth to understand your complaint, so I won't comment on that, but you sound like a troll using this sort of absolute terminology. I've looked at your PR in the blockly prototypes repo and, again, this looks like one way to not be taken seriously.

@Enferlain

Just for clarity, it is mostly trolling, the comments in those prs are from people on the same discord and they're just fucking around. Maybe doesn't take away the entire point, but validity doesn't feel as genuine as if it was pointed out by non-comfy dickriders.

@parsee-mizuhashi (Author)

How about "These things (X, Y, Z) go against..." instead of literally "All you have done (X, Y, Z) all go against...".

That would be a fair substitution; I've replaced it.

My brain is too smooth to understand your complaint, I won't comment on that, but you sound like a troll using this sort of absolute terminology.

As Enferlain has posted, yeah, this is mostly a troll, but the issue that's been posted is an actual issue and should be acted upon; but will lllyasviel actually do anything? Probably not, since they'd rather keep the code they stole than credit it (please prove me wrong, lllyasviel).
If you wish to take this as a joke, then feel free to do so, even if that wasn't my goal. But if you do want to see whether this is a joke or not, try following the steps I've done; if lllyasviel hasn't changed anything in the blockly repo in a while, you should be able to come to the same conclusions as me.

@dramatticdev

@lllyasviel has done more for the AI art community than anyone else. I am not a programmer, I am not a coder. I am an AI art generator. And the tools he provided free of charge have been a godsend to the community.

@kknowk6352410

I hope for more sharing rather than mutual hostility; this is the spirit of open source.

@AshtakaOOf

@lllyasviel has done more for the AI art community than anyone else. I am not a programmer, I am not a coder. I am an AI art generator. And the tools he provided free of charge have been a godsend to the community.

Does that excuse ignoring the license and stealing code? ControlNet does not justify license violations.
This PR is about obfuscated code introduced into this project by infringing on ComfyUI's license, which could have been avoided by simply letting (or even asking) the community to create a proper extension for forge.

I hope for more sharing rather than mutual hostility; this is the spirit of open source.

The code removed by this PR is against said spirit.

@Hujikuio commented Jan 6, 2025

Leaving this unaddressed is such a weird hill to die on. Surely this will have to be addressed some day? I highly doubt it's malicious code and it's probably just a "borrowed" sampler or bits of code, but I don't really think it's that big of a deal. Forge is great and the creator has done so much for this community; surely he has enough "cred" or "clout" to just issue a statement and move on. Ill's is literally in the hall of fame for stable diffusion as far as I'm concerned, so to ruin that legacy over something so trivial is just making me wonder if it really IS something way worse than a stupid sampler. I think even just removing the code without a statement would be a much better course of action than the current silence and continuing to leave it in.
