is `load` supposed to perform model validation?

[yamt]

load takes binary blob models.
i guess typical wasi-nn implementations just pass them to the backing nn library as they are.
if the backing library doesn't have enough validation for the untrusted inputs, it can be a security problem.
i don't expect typical nn libraries to provide wasm-sandbox-level input validations.
what do you think?

[abrown]

So far we have been relying on the ML backends to validate the models but, yes, certain backends will not sandbox to the extent we would expect for WebAssembly. E.g., some TF operators can access files and network, which led to us not merging TF support in Wasmtime (bytecodealliance/wasmtime#3977 (comment)). To make that kind of thing safe, the right answer would be to validate at the runtime level (e.g., read the model and error if it uses certain ops).

[yamt]

So far we have been relying on the ML backends to validate the models but, yes, certain backends will not sandbox to the extent we would expect for WebAssembly. E.g., some TF operators can access files and network, which led to us not merging TF support in Wasmtime (bytecodealliance/wasmtime#3977 (comment)). To make that kind of thing safe, the right answer would be to validate at the runtime level (e.g., read the model and error if it uses certain ops).

interesting.
are backends wasmtime currently has known to be safe in this regard?

[yamt]

To make that kind of thing safe, the right answer would be to validate at the runtime level (e.g., read the model and error if it uses certain ops).

i feel it's too much burden for each runtime implementer to figure out.
it would be helpful for us (wasi-nn) to have supplemental doc to explain what exactly should be validated and how.