-
Notifications
You must be signed in to change notification settings - Fork 878
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wandb token exposed to wandb users #1123
Comments
This is not good. I guess the Wanda token need to be exempted from making it in the metadata. This is something @kohya-ss need to filter in the training scripts. There is not much I can do about the metadata… |
In my understanding, the metadata in the training model doesn't contain wandb token, but it would appear on the GUI screen. |
need to recommend users to go with |
That makes sense. I will update the doc in next release. |
fwiw in Diffusers, there is simply a check whether wandb is enabled and the commandline args contain the Huggingface Hub token, because any secrets on cmdline will be exposed via wandb. but in this case, its the wandb token itself on the cmdline. i am not sure that a documentation hint is enough to stop a user from doing this. the fact that it's on the cmdline at all means it will be exposed 100% of the time this is used. |
You are correct. We must filter sensitive fields from command line args. In my understanding, the repo doesn't expose either wandb token or command line args currently (the latter is discussed in #1231). If you find any code to do it, please let me know. |
Thank you for clarification. That's not good. I think it is undesirable to disclose not only wandb token but other information as well. Is there any way to control this? |
none that i have found. i resorted in simpletuner to using json config files to hide cmdline args |
Thank you. That's nice. sd-scripts has .toml for configs, so I will show WARNING if the sensitive training args given in the command line. |
I have opened a PR for this #1240, If you have time to review it, I would greatly appreciate it. |
Would be great bowever to send parameters to Wanda. At the moment in kohya_ss, we don't see any training parameters in Wandb, only the project name (tracker name), and the run name set from kohya gui. Is it a problem to send all parameters through config? |
hello, there exists a parameter to pass a wandb token into the training utility. unfortunately, this shows on the "Overview" tab of the training session, as a part of the complete commandline that is used to execute the trainer.
This exposes users to potentially nefarious activity, or at the very least, a sense of unease and the possibility of snooping/leaking internal data.
The text was updated successfully, but these errors were encountered: