pickle is a security issue

🚀 Feature

We need to do something with it.

Motivation

Pickle is a security issue that can be used to hide backdoors. Unfortunately, lots of projects keep using torch.save and torch.load.

Pitch

  • make torch.load use pickle only as a serialization format: process pickle files with PyTorch's own virtual machine (https://github.com/CensoredUsername/picklemagic can be helpful) that performs only allowed operations, in a completely controlled way, instead of relying on the pickle machinery.
  • replace with ONNX
  • deprecate torch.load, torch.save
  • remove torch.save / make it save into ONNX
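The first pitch item, as a minimal added illustration (not PyTorch's code and not from this issue): a loader that still reads the pickle format but resolves only an allow-list of globals, so a file whose pickle stream references any other callable is refused before that callable is ever invoked. The allow-list contents and the `_Trojan` payload class are constructed for this example.

```python
import collections
import io
import os
import pickle

# Allow-list of (module, name) pairs the loader may resolve. Anything else is
# refused before any object is built. The set is hypothetical; a real loader
# would enumerate exactly the tensor and storage classes it needs.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode, i.e. before REDUCE
        # could call the referenced object.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Deserialize `data` with the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Trojan:
    """Constructed stand-in for a backdoored object: its pickle stream asks the
    loader to call os.getcwd (benign here) when the file is loaded."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo():
    # A harmless "checkpoint": only collections.OrderedDict must be resolved.
    benign = pickle.dumps(collections.OrderedDict(weight=[1.0, 2.0]))
    loaded = restricted_loads(benign)
    # The trojan stream references a global that is not allow-listed, so the
    # loader raises and os.getcwd is never called.
    try:
        restricted_loads(pickle.dumps(_Trojan()))
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return loaded, rejected
```

The same stream would execute the referenced callable under plain `pickle.loads`; the allow-list only covers globals resolved through `find_class`, so the set must stay small and explicit.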

Alternatives

  • support pickle via a VM indefinitely.

cc @mruberry @nairbv @NicolasHug @vmoens @jdsgomes @ailzhang