-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[slsa_for_models] Support directory models (SavedModel) #49
Comments
Could you explain what's wrong with the current approach, where each file is listed individually in the |
Models beyond a certain size ( |
Another issue here is that you can remove a file from the directory, SLSA verification will still pass, but most models will no longer work |
Let's implement a Go library (or just create a Go reference implementation) of the existing serialize_v1 https://github.com/google/model-transparency/blob/main/model_signing/serialize.py#L325. slsa-framework/slsa-verifier#730 and slsa-framework/slsa-github-generator#3070 can make use of it. It will avoid duplicating implementations. Overtime we can create ref implementations for other languages in this repo. Wdut? |
This sounds great! Let's chat about this and plan it |
We should migrate to using the same hashing scheme as in model signing, but this will require first a standardization and then updating SLSA tooling |
Models that are saved as a directory (e.g., TF's SavedModel) require SLSA changes to record the hash. This is different that what we use for signing, where we can compute a directory hash.
Until we standardize this for SLSA, we won't be able to support these directory models for now. We need to converge on a single scheme for both signing and SLSA.
The text was updated successfully, but these errors were encountered: