CLI for inspection, and conversion to skops format, of sklearn pickle files

[BenjaminBossan]

It would be useful for skops to provide a CLI that allows to find the untrusted types in an sklearn pickle file, and to convert it to the skops format.

Details have yet to be discussed, but it could look something like this:

$ ls
my-model.pkl my-other-model.pkl
$ python -m skops inspect my-model.pkl
untrusted types: ...
$ python -m skops convert my-model.pkl
error: untrusted types ... found, pass trusted=true if you trust them or pass a list of explicitly trusted types
$ python -m skops convert my-model.pkl truste=true  # works
$ ls
my-model.pkl my-model.skops my-other-model.pkl
$ python -m skops convert *.pkl  # convert multiple models
$ ls
my-model.pkl my-model.skops my-other-model.pkl my-other-model.skops

[merveenoyan]

It will simply be a script with argument parser? Is there anything else on top of this?

[BenjaminBossan]

Maybe we could add a utility function to skops.io so that the conversion can also be called from Python, but apart from that, it should be really straightforward. Probably for this purpose, argparse would be sufficient.

[adrinjalali]

We would also need to define an entry point:

• https://packaging.python.org/en/latest/specifications/entry-points/
• https://amir.rachum.com/blog/2017/07/28/python-entry-points/

[E-Aho]

Picking this up :)

[E-Aho]

So I'm working on this, and I want to double check I'm not missing something:

To check a pkl file is "trusted" or not, or convert it, we need to call pkl.load() on a pickled object, then construct a tree for it, right?

Double checking I've not missed a method or API we already have for this.

[BenjaminBossan]

Yes, it involves loading the pickled object. That's a good point. So the help of those commands should emphasize that this will happen and what it implies.

[adrinjalali]

Right now the tree can only be constructed from a skops file, not a pickle file/object, and there isn't much of a point to try and check security once the object is loaded anyway. If the pickle file is compromised, the act of loading it runs arbitrary code.

So as far as security goes, we only tell users that loading arbitrary pickle files can run arbitrary code, and then we convert the file. Once the file is converted, we can tell them which types they'd need to pass as trusted to load the file. This is also what I did in this space: https://huggingface.co/spaces/adrin/pickle-to-skops

[BenjaminBossan]

Yes, it should be framed as "unknown types", not "untrusted".