Hugging Face Kernels Project Sees Major Updates
Hugging Face's Kernels project introduces new repository type, trusted publishers, and code signing for enhanced security and discoverability.

In our previous post (From Zero to GPU), we introduced the 🤗 Kernels project, which aims at standardizing how custom kernels are packaged, distributed, and consumed. We want the project to be frictionless and secure, while making it as Hub-friendly as possible. Over the past few months, we have worked towards this goal.
In the process, we also almost completely redesigned the project. This post will summarize the major updates we have shipped and what’s coming. We have introduced a new repository type on the Hub called "kernel".
This enables us to cater to users with compute-related specificities. For example, a user can get a sense of which accelerators, operating systems, and backend versions are supported for a given kernel: One can browse all available kernels on the Hub here: https://huggingface.co/kernels. Making these kernels first-class citizens of the Hub also benefits the AI ecosystem.
Users can now see trends across kernels, models, and the applications that use them. The kernels become more discoverable to users. Kernels run native code with the same privileges as the Python process that loads them, so a malicious kernel can do real harm.
Therefore, security has always been of utmost importance to the Kernels project. This is why we focused early on reproducibility: you should be able to recompile a kernel yourself and verify that it matches the publicly available source. We use Nix to make this possible, since it keeps builds pure through hermetic evaluation of the build recipe and a strongly isolated sandbox.
We further improve provenance by embedding the source Git SHA1 into the kernel itself. In recent months, we have added additional layers of defense: trusted kernel publishers and code signing. With the new repo type, we also introduced “trusted publishers”.
Since kernels execute code on a machine with the same privileges as the Python process they are used in, an attacker could compromise machines by uploading a malicious kernel and coaxing you to use that kernel. To help you avoid such malicious kernels, the kernels package will now only load kernels by trusted publishers by default. A trusted publisher is an organization that is trusted by the community to act in good faith.
We still want to support loading kernels from organizations or users that are not trusted publishers, but you have to explicitly opt in using the trust_remote_code argument when loading a kernel from the Hub: By default, users cannot publish kernel repositories on the Hub. They have to request to be a kernel publisher. Users and organizations can request for access from their account settings.
This gives us time to treat these requests on a case-by-case basis. An additional layer of security that we are adding is code signing. Code signing protects against the scenario where an attacker uploads a malicious kernel to a kernel repo from a trusted publisher whose Hub credentials were compromised.
Source: Hugging Face