Merge pull request ossf#77 from ossf/dall-e-2-initial

Add racecars - initial OpenAI Dall-E-2 image

Author: david-a-wheeler

openai/README.md

@@ -0,0 +1,50 @@
+# README for OpenAI generated images
+
+This directory contains images generated by OpenAI's Dall-E-2 for
+use in our course on developing secure software,
+along with related material about these images.
+
+We thought our tutorial content might be more interesting and clearer if we
+included some images. We also thought that generating some images
+using OpenAI's [Dall-E-2](https://openai.com/dall-e-2/)
+might be an interesting way to add clarifying images.
+Dall-E-2 is a machine learning application that can generate images
+from a prompt text (a prompt text is a short text describing the desired image).
+
+We asked OpenAI, and on 2022-05-02
+OpenAI agreed that our intended use (including the images in
+educational material that we distribute at no charge)
+met their "non-commercial" requirements.
+The [permission.txt](./permission.txt) file records this granted permission;
+we've redacting the OpenAI personnel name for private.
+On 2022-06-20 we received access to OpenAI Dall-E-2 web service.
+On 2022-06-25 we began creating some images using Dall-E-2.
+
+Below are OpenAI requirements on us, which we record here to help us ensure
+that we meet them. After that, we have a few notes on filenames.
+
+## OpenAI requirements on us
+
+OpenAI requires that we comply with their
+[OpenAI Content Policy](https://labs.openai.com/policies/content-policy).
+This requires non-commercial use (as already noted).
+It has other requirements, e.g.,
+"Do not attempt to create, upload, or share images that are not G-rated or that could cause harm."
+It also requires that we identify the images (or portions of images)
+as being generated by OpenAI
+(no problem, we always want to give credit anyway).
+We believe we're following all requirements.
+See the content policy for details.
+
+The [system card](https://github.com/openai/dalle-2-preview/blob/main/system-card.md) also explains the background of these policies.
+
+## Filenames
+
+The generated filenames provide helpful information but are too long
+for many systems. The generated filenames include, for example,
+the full prompt text.
+
+The file [names.csv](./names.csv) shows the short names
+and long names of various files. We use the short names for the file names,
+record the full names in this CSV file, and record the prompt text as the
+alternate text for the image.

openai/context.md

@@ -0,0 +1,9 @@
+# Context
+
+This directory includes files generated by a computer. We are doing our best to ensure that our use of these files is legal, regardless of their copyright status.
+
+It’s possible that these files are not copyrighted, at least in some jurisdictions. On 21 August 2014 the United States Copyright Office published an opinion, later included in the third edition of the office's Compendium of U.S. Copyright Office Practices, released on 22 December 2014, to clarify that "only works created by a human can be copyrighted under United States law, which excludes photographs and artwork created by animals or by machines without human intervention". This was in part a response to the “Monkey selfie copyright dispute” (especially NARUTO v. Slater). If there is no copyright, then we can routinely copy it.
+
+However, perhaps they are copyrighted. OpenAI, in an email to us, asserts that “OpenAI owns images created by DALL·E.“ If OpenAI does have a copyright (at least in some jurisdictions), then we must obtain permission from the copyright holder. Thankfully OpenAI has expressly given us the right to use them for these purposes.
+
+Thus, we believe that we can legally use these images no matter how courts rule on the matter of whether or not these are subject to copyright.

openai/names.csv

@@ -0,0 +1,2 @@
+short name,long name
+racecards.png,DALL·E 2022-06-25 14.29.38 - A blue racecar and a red racecar racing to the finish line in front of a futuristic city.png

openai/permission.txt

@@ -0,0 +1,39 @@
+From: "J*NOSPAM* from OpenAI" <j*NOSPAM*@openai.com>
+Subject: Re: Can I used generated images from Dall-E / Dall-E-2 to illustrate a freely-available course on developing secure software?
+Date: May 2, 2022 at 4:55:08 PM EDT
+To: [email protected]
+Reply-To: J*NOSPAM* from OpenAI <j*NOSPAM*@openai.intercom-mail.com>
+
+Hi David,
+
+Thanks for your patience while I looked into this. We don't allow commercialization yet, but, since this is content for a freely-available course, you can use the images in your course as long as you adhere to our terms of use.
+
+is there anything else we can help with?
+
+Best,
+J*NOSPAM*
+...
+
+On Fri, Apr 22, 2022 at 07:43 AM, "David A. Wheeler" <dwheeler*NOSPAM*@linuxfoundation.org> wrote: 
+Dear OpenAI:
+
+I have a licensing question. I've developed a freely-available course 
+on how to develop secure software. Its content is available to use/modify via the 
+Creative Commons Attribution (CC-BY) license. Students can take the course 
+for free via the Linux Foundation Training site & also via edX (for those who prefer edX). 
+More info: https://openssf.org/training/courses/
+
+Could I use Dall-E and Dall-E-2 to generate images that would then be 
+included in the course, to help students understand its concepts? 
+I would *not* provide a general web API to generate new images, I'd just 
+include the generated images.
+
+I reviewed your policy here: 
+https://labs.openai.com/policies/content-policy 
+However, I couldn't figure out if this was allowed or not.
+
+I would be *delighted* to give OpenAI credit if it's allowed.
+
+Thanks!!
+
+--- David A. Wheeler

openai/racecars.png

@@ -0,0 +1,6 @@
+OpenAI made the following statements when we created an account:
+
+1. Keep your creations G-rated, and don't share images with photorealistic faces.
+2.  DALL·E is for personal, non-commercial use. Sorry, no NFTs :)
+3.  OpenAI owns images created by DALL·E. You retain rights to images you upload.
+4. We may use your data, including uploads, to improve models and enforce policies.

openai/top-level-terms

@@ -1032,6 +1032,9 @@ Many other design principles have been proposed, based on problems that have hap
 
 A *race condition* happens when a system’s correct behavior depends on the sequence of events, but there is no control over that sequence. Race conditions generally involve one or more processes or threads accessing a shared resource, but this multiple access has not been properly controlled.
 
+<img src="openai/racecars.png" width="512" height="512" alt="A blue racecar and a red racecar racing to the finish line in front of a futuristic city"><br>
+*Racecars* generated by [OpenAI's Dall-E-2](https://openai.com/dall-e-2/)
+
 If there is no control at all, that is a defect, and it might even be a vulnerability. Many programs, to be secure, have to do two things: (1) determine if a request is authorized, and (2) if it is, act on that request. If it is possible for an attacker to change the situation between steps 1 and 2, then the program could correctly determine that it is authorized, but then allow a different action that was *not* authorized. This kind of security mistake is so common that it has a name,  a *time of check - time of use* (TOCTOU) race condition.
 
 In many situations, the right way to counter TOCTOU race conditions is to implement and use APIs that both check the authorization and perform the action *simultaneously* (that is, they will not allow an attacker to change the situation between the check and the use). For example: