About Whisper open source and "weights_only=False"

In my environment, I install and use Whisper on Google Colab.

However, I am concerned about the following warning that appears every time I install it.


/usr/local/lib/python3.10/dist-packages/whisper/__init__.py:150: FutureWarning: You are using torch.load with weights_only=False (the current default value), which uses the default pickle module implicitly. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling (See pytorch/SECURITY.md at main · pytorch/pytorch · GitHub for more details). In a future release, the default value for weights_only will be flipped to True. This limits the functions that could be executed during unpickling. Arbitrary objects will no longer be allowed to be loaded via this mode unless they are explicitly allowlisted by the user via torch.serialization.add_safe_globals. We recommend you start setting weights_only=True for any use case where you don’t have full control of the loaded file. Please open an issue on GitHub for any issues related to this experimental feature.
  checkpoint = torch.load(fp, map_location=device)


I have installed the latest version of Whisper v20240927, but it doesn’t make any difference whether it’s large-v3 or turbo.

To improve this, it seems that it is necessary to specify “weights_only=true”, but Whisper does not seem to have that argument, so even if you specify it, it will have no effect.

How do you deal with this problem?


TypeError                                 Traceback (most recent call last)
in <cell line: 1>()
----> 1 model = whisper.load_model("large-v3", weights_only=True)

TypeError: load_model() got an unexpected keyword argument 'weights_only'


I have followed the link, and potential issues are essentially rooted in the possibility of unsanitized and deliberately malicious data within models themselves.

Someone may prepare a carefully-crafted input or pattern to a model as non-inspectable training, or even a hacked model with obfuscated patterns in code. Such deliberate input to the parser may generate attack patterns, or simply may do things other than matrix math, and result in code execution undesired by you at the behest of an attacker.

PyTorch Guidelines:

  • Prefer to execute untrusted models within a secure, isolated environment such as a sandbox.
  • Be mindful of risky model formats.

So:

  • Do you consider the training weights and code of Whisper that were committed by OpenAI to have the potential to be untrustworthy?

If you do not consider Whisper to be a risky package to run, you can use the warnings module to capture and suppress undesired output to the console.
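
The risk the warning describes comes from the imports a pickle names, and those can be listed without unpickling the file. The following is an added example, not part of the original thread and not Whisper or PyTorch code: it reads `data.pkl` from a zip-format checkpoint and reports every import outside an allowlist. The allowlist contents, the helper names and the in-memory sample checkpoints are assumptions constructed for illustration.

```python
import collections
import io
import pickle
import pickletools
import zipfile

# Assumption: globals a plain tensor state_dict needs; adjust for your checkpoint.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "HalfStorage")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data):
    """Return the (module, name) pairs a pickle imports, without unpickling it."""
    found, pushed, memo, top = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            top = arg
            pushed.append(arg)
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            memo[len(memo) if arg is None else arg] = top  # MEMOIZE has no arg
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            top = memo.get(arg)
            pushed.append(top)
        else:
            if op.name in ("GLOBAL", "INST"):
                found.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                # Module and name are the two latest pushes; None means unresolved.
                found.append(tuple(pushed[-2:]))
            top = None
    return found

def scan_checkpoint(fileobj):
    """Flag non-allowlisted imports in a zip-format torch checkpoint's data.pkl."""
    with zipfile.ZipFile(fileobj) as zf:
        member = next(n for n in zf.namelist() if n.endswith("data.pkl"))
        refs = referenced_globals(zf.read(member))
    return sorted({r for r in refs if r not in ALLOWED}, key=str)

def constructed_checkpoint(obj, protocol):
    """Build an in-memory stand-in for a .pt file (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol, fix_imports=False))
    return buf

CLEAN = collections.OrderedDict(bias=[0.0, 1.0])
# A bare reference to a builtin stands in for any import outside the allowlist.
ODD = {"weights": CLEAN, "hook": print}
```

An empty result from `scan_checkpoint` means every import is on the allowlist; anything listed, or any entry containing `None`, deserves a look before the file is loaded with `weights_only=False`. This reads the opcodes the standard pickler emits and is a triage aid, not a replacement for the sandboxing the PyTorch guidelines recommend.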