Essays about game development, thinking and books

Top LLM frameworks may not be as reliable as you think

Nearly a month ago, I decided to add Gemini support to Feeds Fun and did some research on top LLM frameworks — I didn't want to write my own bicycle.

As a result, I found an embarrassing bug (in my opinion, of course) in the integration with Gemini in LlamaIndex. Judging by the code, it is also present in Haystack and in the plugin for LangChain. And the root of the problem is in the Google SDK for Python.

When a new client for Gemini is initialized, the framework code overwrites the API keys of all clients created before it, because the API key is, by default, stored in a singleton.

This is deadly if you have a multi-tenant application and unnoticeable in all other cases. Multi-tenant means that your application works with multiple users.

For example, in my case, in Feeds Fun, a user can enter their API key to improve the quality of the service. Imagine what a funny situation could happen: a user enters an API key to process their own news, but the tokens they paid for get spent on all users of the service.
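The failure mode described above, reduced to a self-contained Python model. This is an added example, not code from the post, the frameworks or the Google SDK; `configure`, `SharedKeyClient`, `IsolatedClient` and the tenant keys are constructed for illustration. It puts a singleton-backed wrapper next to one that keeps the key per instance, with a check that flags cross-tenant key use:

```python
# Constructed model of the bug class; every name here is hypothetical and
# none of it is code from the Google SDK, LlamaIndex, Haystack or LangChain.

_GLOBAL_CONFIG = {"api_key": None}  # stands in for the SDK's default singleton


def configure(api_key):
    """Mimics an SDK-level configure() call that stores the key process-wide."""
    _GLOBAL_CONFIG["api_key"] = api_key


class SharedKeyClient:
    """Buggy wrapper: __init__ writes the tenant's key into the singleton."""

    def __init__(self, api_key):
        configure(api_key)

    def key_used_for_request(self):
        # The key is read at call time, so the last client created wins.
        return _GLOBAL_CONFIG["api_key"]


class IsolatedClient:
    """Fixed wrapper: the key lives on the instance and nowhere else."""

    def __init__(self, api_key):
        self._api_key = api_key

    def key_used_for_request(self):
        return self._api_key


def billing_map(client_cls, tenants):
    """Create one client per tenant, then report whose key each request uses."""
    clients = {name: client_cls(key) for name, key in tenants.items()}
    owner_of = {key: name for name, key in tenants.items()}
    return {name: owner_of[c.key_used_for_request()] for name, c in clients.items()}


def cross_tenant_leaks(client_cls, tenants):
    """Regression check: tenants whose requests are billed to someone else."""
    return sorted(t for t, payer in billing_map(client_cls, tenants).items() if t != payer)


TENANTS = {"alice": "key-alice-constructed", "bob": "key-bob-constructed"}

if __name__ == "__main__":
    print("shared singleton:", billing_map(SharedKeyClient, TENANTS))
    print("per-instance key:", billing_map(IsolatedClient, TENANTS))
```

A check shaped like `cross_tenant_leaks`, run against the real wrapper with two distinct keys, is the kind of test that catches this before release.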

I reported this bug only in LlamaIndex as a security issue, and there has been no reaction for 3 weeks. I'm too lazy to reproduce and report it for Haystack and LangChain. So this is your chance to report a bug to a top repository. All the info will be below; reproducing it is not difficult.

This error is notable for many reasons:

  1. The assessment of the criticality of the error depends a lot on taste, experience, and context. For me, in the projects I worked on, this is a critical security issue. However, it seems that this is not critical at all for most current projects that use LLMs. Which leads to some thoughts about mainstream near-LLM development.
  2. This is a good indicator of a low level of code quality control: code reviews, tests, all processes. After all, this is an integration with one of the major API providers. The problem could have been found in many different ways, but none worked.
  3. This is a good illustration of the vicious approach to development: "copy-paste from a tutorial and push to prod". To make such a mistake, you had to ignore both the basic architecture of your project and the logic of calling the code you are copying.

Ultimately, I gave up on these frameworks and implemented my own client over HTTP API.

My conclusion from this mess is: you can't trust the code under the hood of modern LLM frameworks. You need to double-check and proofread it. Just because they state that they are "production-ready" doesn't mean they are really production-ready.

Let me tell you more about the bug.

Grainau: hiking and beer at 3000 meters

How it all looks from the ground.

For her vacation, Yuliya decided to show me the beautiful German mountains and took me for a couple of days to Grainau — it's a piece of Bavaria that's almost like Switzerland. At least, it is similar to the pictures of Switzerland that I've seen :-D

In short, it's a lovely place with a measured pace of life. If you need to catch your breath, calm your nerves, and enjoy nature, then this is the place for you. But if you can't live without parties, you'll get bored quickly.

What's there:

  • The highest mountain in Germany plus a couple of glaciers.
  • There's skiing in winter. If you really need it, you can find a place to ski in summer, but the descent is short, and the lifts are turned off.
  • A large clean lake and a couple of smaller ones.
  • A huge number of trails for hiking.
  • A huge number of waterfalls, streams, and a couple of mountain rivers.
  • Restaurants with beer.
  • Beautiful fallen trees in the forests, private property, fences, cows with bells, and "racing tractors" (I don't know how to name this phenomenon better, but tractors are moving fast there :-D).

That was in brief, and now in detail.

About the book "Piranesi"

Cover of the book "Piranesi"

"Piranesi" is both a continuation of the magical stories of Susanna Clarke and an independent book.

The book has no direct connection with the world of English magic [ru] from "Jonathan Strange & Mr. Norrell". If desired, one can find a connection and even say that the worlds are the same, only at different times: the events of "Piranesi" take place in the early 2000s. However, the author did not give any hints on this. Therefore, I consider the worlds to be different for now.

Susanna continues to persistently and effectively dig not even in the direction of animism as the basis of world perception but in the direction of an extremely holistic view of the world, in contrast to the currently dominant reductionism.

The latter blows my mind. As an engineer, I'm an intuitive reductionist due to professional deformation. Reading "Jonathan Strange" and "Piranesi", I felt how Clarke, like Peter the Great, cuts a window in my brain to another picture of the world, a different world perception. And it's wonderful.

By the way, don't confuse holism with, say, an engineering view of the world, a-la systems engineering [ru] or even science. The latter is about decomposing reality into isolated parts with clear boundaries and synthesizing "pure" models of the world [ru], while in holism, the parts have no clear boundaries and penetrate each other.

But this is my interpretation; there are interpretations in which holism is just an alternative name for systems thinking/view — it's hard to find literature on this topic now, so it's hard for me to say where the truth is.

So, "Piranesi"

About the book "Economics: The User's Guide"

Cover of the book "Economics: The User's Guide"

This is the second book by Ha-Joon Chang that I've read. The first one, Bad Samaritans [ru], left a good impression, and it was also positively reviewed by Tim O'Reilly in his book WTF? [ru]. So, "Economics: The User's Guide" took its place on my reading list, and finally, I have read it.

Here and further, all quotes point to the Russian edition of the book and are translated into English by me (I have only the Russian edition) => inconsistencies are possible because of double translation English->Russian->English.

According to Chang, the book was conceived as an "introduction to economic theory for the widest possible audience" (page 299), and this reflects its essence well. I would only add, from the perspective of my post-Soviet education, that the book looks more like an "overview of the diversity and complexity of economics, supplemented with an introduction to the theory" rather than an "introduction to the theory".

The book contains no mathematical formulas or jaw-dropping statistics, just concrete facts. What makes it valuable, however, is a set of prisms through which you can — and should — view the economy to gain a basic understanding of what's happening around you.

Chang provides a set of points of view through which you can examine economic processes; describes their advantages and disadvantages; accompanies all this with examples, historical references, and facts.

Since the book serves as a sort of textbook, I won't attempt to retell it in full — this would lead to an attempt to repeat the book in a couple of pages, and I definitely can't do that. I will limit myself to describing the author's view of the economy as a whole as I understood it.

Hello, World!

Nice to meet you, friends!

My name is Aliaksei, but feel free to call me Tiendil — it has been my nickname for the last 20 years or so :-)

A few words about me:

  • By occupation, I am a software developer, mostly backend, mainly in Python.
  • For most of my career, I've been working in game development on big projects and my own indie games.
  • I like playing games, reading books, and writing long-reads about partially complex topics.

You can find more about me:

This is my first blog post in English, but not the first one in general. I have blogged in Russian for a long time and have always wanted to share my thoughts with the English-speaking world. At last, I found some time to adapt my blog, and here we are!

Most of the future posts will be bilingual (English & Russian). Also, with time, I'll translate my most interesting old posts.

Once again, nice to meet you! Feel free to contact me by any means.