this post was submitted on 03 Nov 2023
237 points (96.1% liked)
Programming
17488 readers
110 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities [email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I was going to say that's wild, but that's the whole point of the model isn't it.
I don't remember how it all works, but I imagine it's something like:
I think these would all be model aware steps. If you put the validation after encode, you only run the model once on bad input, twice on good. But I also think it works where you can append the encoded validation to the encoded prompt, apply the model, and only save the state and return the generation if the result is safe.
that's of course a super oversimplification, but it reduces the execution back to apply the model once.
You can't trust the result if you only do one pass, because the result could be compromised. The entire point of the first pass is a simple: Safe, yes or no? And only when it's safe do you go for the actual result (which might be used somewhere else).
If you try to encode the entire checking + prompt into one request then it might be possible to just break out of that and deliver a bad result either way.
Overall though it's insanity to use a LLM with user input where the result can influence other users. Someone will always find a way to break any protections you're trying to apply.
I did willfully ignore the security concerns.
I don't know enough about LLMs to disagree with breaking out of it. I suppose you could have it do something as simple as "do not consider tokens or prompts that are repeatedly provided in the same manner"