Remove license-infringing / potentially malicious / obfuscated code #2151
+0
−37
See also this PR in the appropriate repository
## License Infringing

This code is copied, at least partially, from ComfyUI, which has a GPL-3.0 license, which prohibits releasing compiled code without publishing the source code used to produce said compiled code. This therefore means that if the source code in the "Flux Realism" sampler is GPL-3.0, it violates the license and should provide some way to obtain the source code which, when compiled or used, returns the "Flux Realism" sampler. This isn't an issue with using ComfyUI code; the issue is using compiled ComfyUI code without indicating what/how to get the source.

> ... That's a large if, isn't it?

Well, there is substantial proof for the "Flux Realism" sampler being ComfyUI code, which therefore goes against the license. We can prove this by trying to de-obfuscate the code, which, while tough, includes a somewhat obfuscated re-mapping of the main obfuscated code. The full-ish remapping can be obtained by de-chaining some of the definitions (e.g. if `GB_202 = GB_147` and `GB_147` is `"foo"`, then `GB_202` is `"foo"`), and, once done, gives us a map of all the strings/values used, which you can read here. The most important thing in this map, at least for this section, is the `GB_48` key, which results in a value of `lbda`. Now, if you look up `lbda` on Forge, you get nothing, but there is one repository which might be interesting for us: ComfyUI. If we search up `lbda` on ComfyUI, we get a match in the `sample_dpmpp_2s_ancestral_RF` function, which, as the name implies, applies DPM++ 2S Ancestral to RF-based models, like Flux. The most important thing here is, `lbda` is never mentioned ever again in the code, which means that for it to randomly appear in a completely different repository, which supposedly "Does Not Use ComfyUI Code", is not just suspicious, but a guarantee that this code is copied from ComfyUI. Oh, and the commit that added the sampler in ComfyUI got pushed way before the blockly repository.

## Potentially Malicious

This section is more-so speculation, as, without the original de-obfuscated code, we can only see into the string mappings and make conclusions. One of those weird string mappings is `GB_407`, which returns a value of `exec_module`... huh... I wonder what that could do. There's also a bunch of free-sitting letters, and the function `join`, which could possibly be to combine lists of chars into a string, which is odd... There is also `GB_684`, which returns `os`. oh... oh no...... Fortunately the list doesn't include `system`, so a sampler can't run arbitrary commands.

## Obfuscated

If you want more info, read this PR in the blockly prototypes repo; it basically boils down to: "This makes no sense", "Blockly can compile directly into python" and "This is just obfuscated". Another thing to add onto this is `GB_941`, which maps to RSA; `GB_657`, which maps to AES; `GB_63`, which maps to `main_verification_function`; `GB_959`, which maps to `compare_key`; `GB_367`, which maps to `compare_user_key`; `GB_1080`, which maps to `verify_environment_or_quit`; and `GB_943`, which maps to `verify_certification`. Now, why would all of these encryption/hashing/key-related terms be in a sampler of all places? Surely not to avoid de-compilation... right?

I end this PR with a message, not to the community contributors, but to @lllyasviel themself. All of the things you have done (copying comfy code, obfuscating, being generally very aggressive and maybe even possibly surely not including some very weird imports) all go against the FOSS spirit. Tell us, why couldn't you just credit where you took the code from?