Closed weiji14 closed 11 months ago
Thank you for bringing this to our attention @weiji14. I will check with the SDK team to see how we can avoid logging sensitive information in these yml files.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Describe the Bug
As of `comet-ml` version 3.27.0 released 24 Feb 2022 (https://www.comet.ml/docs/python-sdk/releases/#release-3270), conda packages, channels and configurations are logged as Experiment assets. Understandably, this is to ensure reproducibility of the software environment, but I was surprised to see that sensitive API tokens were uploaded as well. I've had to revoke/refresh several of my keys/tokens, but wanted to point out that this can be a security concern.

Expected behavior
There should be a way to disable logging of environment variables set in conda's `environment.yml`, while still being able to log the dependency list. I've had a look under https://www.comet.ml/docs/python-sdk/advanced/#experiment-configuration-parameters and couldn't see an obvious way to do so, but maybe I'm missing something.

Where is the issue?
To Reproduce
Steps to reproduce the behavior:
Specifically, the issue is when a user has a conda `environment.yml` with the `variables` set like so, see also https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#setting-environment-variables:

When running an experiment within that activated conda environment, `comet-ml>=3.27.0` would automatically upload a `conda-environment.yml` file under the Assets -> Other tab like so:

Note that the API keys/tokens were uploaded as well, thereby exposing potentially sensitive information.
Stack Trace
If possible please include the full stack trace of your issue here
Comet Debug Log
If possible, please follow the instructions here to run Comet in debug mode and attach the resulting log file.
Screenshots or GIFs
If applicable, add screenshots/gifs to help explain your problem.
Link to Comet Project/Experiment
If applicable, please provide a link to your Comet Project or Experiment.
Additional context
Add any other context about the problem here.
Current workaround might be to pin to `comet-ml=3.26.1`. Or perhaps I should just store those environment variables in another location, but I wanted to point this out in case others face the same issue.
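The redaction the report asks for, as an added example that is not part of this issue or of the comet-ml SDK: a small Python filter that takes the text of a conda `environment.yml` (a constructed sample, modelled on `conda env export` output, is embedded) and blanks every value under the top-level `variables:` key before the file is handed to any experiment logger, leaving channels and dependencies intact so the environment stays reproducible. It uses no comet-ml API; the function names and the placeholder string are my own.

```python
import re

# Constructed sample in the shape `conda env export` writes; not a real environment.
SAMPLE_ENV_YML = """\
name: myenv
channels:
  - conda-forge
dependencies:
  - python=3.9
  - pip:
    - comet-ml
variables:
  WANDB_API_KEY: abc123secret
  DATA_DIR: /data
prefix: /home/user/miniconda3/envs/myenv
"""

# A top-level mapping key sits in column 0 (e.g. "dependencies:", "variables:").
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
# An entry under `variables:` is indented and looks like "  NAME: value".
VAR_LINE = re.compile(r"^(\s+)([A-Za-z_]\w*):\s*(.*)$")


def has_variables_section(text):
    """Pre-flight check: True if the YAML carries a top-level `variables:` block."""
    return any(TOP_LEVEL_KEY.match(line) and TOP_LEVEL_KEY.match(line).group(1) == "variables"
               for line in text.splitlines())


def redact_conda_variables(text, placeholder="<redacted>"):
    """Return (sanitized_text, redacted_names).

    Every value under the top-level `variables:` key is replaced by `placeholder`
    (all of them, not just secret-looking ones, since names alone rarely reveal
    which values are tokens). Other top-level sections are copied verbatim."""
    out, names = [], []
    in_vars = False
    for line in text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:  # entering a new top-level section
            in_vars = m.group(1) == "variables"
            out.append(line)
            continue
        if in_vars:
            v = VAR_LINE.match(line)
            if v and v.group(3):
                names.append(v.group(2))
                line = f"{v.group(1)}{v.group(2)}: {placeholder}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), names
```

Run the sanitized text, not the original file, through whatever asset-logging call you use, and keep the returned name list for an audit trail of what was withheld.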