raboof commented on code in PR #17377:
URL: https://github.com/apache/tvm/pull/17377#discussion_r1761234446


##########
docs/reference/security.rst:
##########
@@ -34,10 +34,15 @@ The private security mailing address is: 
`[email protected] <[email protected]
 Feel free to consult the `Apache Security guide 
<https://www.apache.org/security/>`_.
 
 
-Considerations
+Security Model
 --------------
 The default binary generated by TVM only relies on a minimum runtime API.
 The runtime depends on a limited set of system calls(e.g. malloc) in the 
system library.
 
+
+TVM RPC server assumes that the user is trusted and needs to be used in a 
trusted network environment
+and encrypted channels. It allows writings of arbitrary files into the server 
for benchmarking purposes.
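Review bot: The added RPC paragraph is ambiguous about who provides the protection: "needs to be used in a trusted network environment and encrypted channels" does not say whether the server itself encrypts the connection or the deployer has to supply that layer. Suggest stating it as a deployment requirement, for example "The TVM RPC server assumes that all users are trusted. It must only be run in a trusted network environment and over encrypted channels." Also, "allows writings of arbitrary files into the server" should read "allows writing arbitrary files to the server", and the paragraph would be stronger if it stated what that capability means for anyone who can reach the server, rather than only its benchmarking purpose. The second blank "+" line before the paragraph leaves two consecutive blank lines in the section and can be dropped.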

Review Comment:
   This seems like a good addition. Perhaps to make it really clear to users we 
should also mention that writing arbitrary files typically also leads to full 
remote code execution capabilities to anyone who can access this API?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
