I imagine it has more to do with whether or not the file appears to have executable python code in it, as a .pth file is usually just a a pickled python object and these can be manipulated to load arbitrary python code when loaded.
This is not the first time I've heard of checkpoints being used to distribute malware. In fact, I've heard this was a popular vector from shady international groups.
I wouldn't expect this from Bilibili's Index Team, though, given how high profile they are. It's probably(?) a false positive. Though I wouldn't use it personally, just to be safe.
The safetensors format should be used by everyone. Raw pth files and pickle files should be shunned and abandoned by the industry. It's a bad format.
Thanks!
> This model has 1 file scanned as unsafe. testvl-pre76-top187-rec69.pth
Hm, perhaps I'll wait for this to get cleared up?
Disty of SD.Next has made a version in diffusers format.
https://huggingface.co/Disty0/Index-anisora-5B-diffusers
For the record, the dev branch of SD.Next (https://github.com/vladmandic/sdnext) already supports it.
thanks
I wonder if the entropy of model weights and their size causes statistical false positives to appear often?
I imagine it has more to do with whether or not the file appears to have executable python code in it, as a .pth file is usually just a a pickled python object and these can be manipulated to load arbitrary python code when loaded.
This is not the first time I've heard of checkpoints being used to distribute malware. In fact, I've heard this was a popular vector from shady international groups.
I wouldn't expect this from Bilibili's Index Team, though, given how high profile they are. It's probably(?) a false positive. Though I wouldn't use it personally, just to be safe.
The safetensors format should be used by everyone. Raw pth files and pickle files should be shunned and abandoned by the industry. It's a bad format.