Add racecars - initial OpenAI Dall-E-2 image

Signed-off-by: David A. Wheeler <[email protected]>

Author: david-a-wheeler

openai/README.md

@@ -0,0 +1,50 @@
+# README for OpenAI generated images
+
+This directory contains images generated by OpenAI's Dall-E-2 for
+use in our course on developing secure software,
+along with related material about these images.
+
+We thought our tutorial content might be more interesting and clearer if we
+included some images. We also thought that generating some images
+using OpenAI's [Dall-E-2](https://openai.com/dall-e-2/)
+might be an interesting way to add clarifying images.
+Dall-E-2 is a machine learning application that can generate images
+from a prompt text (a prompt text is a short text describing the desired image).
+
+We asked OpenAI, and on 2022-05-02
+OpenAI agreed that our intended use (including the images in
+educational material that we distribute at no charge)
+met their "non-commercial" requirements.
+The [permission.txt](./permission.txt) file records this granted permission;
+we've redacting the OpenAI personnel name for private.
+On 2022-06-20 we received access to OpenAI Dall-E-2 web service.
+On 2022-06-25 we began creating some images using Dall-E-2.
+
+Below are OpenAI requirements on us, which we record here to help us ensure
+that we meet them. After that, we have a few notes on filenames.
+
+## OpenAI requirements on us
+
+OpenAI requires that we comply with their
+[OpenAI Content Policy](https://labs.openai.com/policies/content-policy).
+This requires non-commercial use (as already noted).
+It has other requirements, e.g.,
+"Do not attempt to create, upload, or share images that are not G-rated or that could cause harm."
+It also requires that we identify the images (or portions of images)
+as being generated by OpenAI
+(no problem, we always want to give credit anyway).
+We believe we're following all requirements.
+See the content policy for details.
+
+The [system card](https://github.com/openai/dalle-2-preview/blob/main/system-card.md) also explains the background of these policies.
+
+## Filenames
+
+The generated filenames provide helpful information but are too long
+for many systems. The generated filenames include, for example,
+the full prompt text.
+
+The file [names.csv](./names.csv) shows the short names
+and long names of various files. We use the short names for the file names,
+record the full names in this CSV file, and record the prompt text as the
+alternate text for the image.

openai/names.csv

@@ -0,0 +1,2 @@
+short name,long name
+racecards.png,DALL·E 2022-06-25 14.29.38 - A blue racecar and a red racecar racing to the finish line in front of a futuristic city.png

openai/permission.txt

@@ -0,0 +1,39 @@
+From: "J*NOSPAM* from OpenAI" <j*NOSPAM*@openai.com>
+Subject: Re: Can I used generated images from Dall-E / Dall-E-2 to illustrate a freely-available course on developing secure software?
+Date: May 2, 2022 at 4:55:08 PM EDT
+To: [email protected]
+Reply-To: J*NOSPAM* from OpenAI <j*NOSPAM*@openai.intercom-mail.com>
+
+Hi David,
+
+Thanks for your patience while I looked into this. We don't allow commercialization yet, but, since this is content for a freely-available course, you can use the images in your course as long as you adhere to our terms of use.
+
+is there anything else we can help with?
+
+Best,
+J*NOSPAM*
+...
+
+On Fri, Apr 22, 2022 at 07:43 AM, "David A. Wheeler" <dwheeler*NOSPAM*@linuxfoundation.org> wrote: 
+Dear OpenAI:
+
+I have a licensing question. I've developed a freely-available course 
+on how to develop secure software. Its content is available to use/modify via the 
+Creative Commons Attribution (CC-BY) license. Students can take the course 
+for free via the Linux Foundation Training site & also via edX (for those who prefer edX). 
+More info: https://openssf.org/training/courses/
+
+Could I use Dall-E and Dall-E-2 to generate images that would then be 
+included in the course, to help students understand its concepts? 
+I would *not* provide a general web API to generate new images, I'd just 
+include the generated images.
+
+I reviewed your policy here: 
+https://labs.openai.com/policies/content-policy 
+However, I couldn't figure out if this was allowed or not.
+
+I would be *delighted* to give OpenAI credit if it's allowed.
+
+Thanks!!
+
+--- David A. Wheeler

openai/racecars.png

@@ -0,0 +1,6 @@
+OpenAI made the following statements when we created an account:
+
+1. Keep your creations G-rated, and don't share images with photorealistic faces.
+2.  DALL·E is for personal, non-commercial use. Sorry, no NFTs :)
+3.  OpenAI owns images created by DALL·E. You retain rights to images you upload.
+4. We may use your data, including uploads, to improve models and enforce policies.

openai/top-level-terms

@@ -1032,6 +1032,9 @@ Many other design principles have been proposed, based on problems that have hap
 
 A *race condition* happens when a system’s correct behavior depends on the sequence of events, but there is no control over that sequence. Race conditions generally involve one or more processes or threads accessing a shared resource, but this multiple access has not been properly controlled.
 
+![A blue racecar and a red racecar racing to the finish line in front of a futuristic city](openai/racecars.png)<br>
+*Racecars* generated by [OpenAI's Dall-E-2](https://openai.com/dall-e-2/)
+
 If there is no control at all, that is a defect, and it might even be a vulnerability. Many programs, to be secure, have to do two things: (1) determine if a request is authorized, and (2) if it is, act on that request. If it is possible for an attacker to change the situation between steps 1 and 2, then the program could correctly determine that it is authorized, but then allow a different action that was *not* authorized. This kind of security mistake is so common that it has a name,  a *time of check - time of use* (TOCTOU) race condition.
 
 In many situations, the right way to counter TOCTOU race conditions is to implement and use APIs that both check the authorization and perform the action *simultaneously* (that is, they will not allow an attacker to change the situation between the check and the use). For example: