I believe hashes are unique to a model/ TI/ LoRA - is that right? I am 99% sure that another user on the forum has posted one of my textual inversions on their profile with a different name, and called it a 'LoRA'. I'm going to assume right now, in good faith, that it was just an error, though I have left a comment on the person's post.
Questions:
Isn't there a rule against doing this, assuming that the act is intentional - it seems akin to stealing IP.
What's the way of reporting this? None of the options under the 'report' seem to apply 100%. Is this a TOS violation?
Is there an automated way that such things can be flagged? I just happened to chance upon the model and was intrigued because a LoRA can't be just 25kb.
Here's my original TI: https://civitai.com/models/59634/desigirl-nsfw
Not posting the other, again - assuming an error in good faith.
2 Answers
It seems that it is possible for different models to share the same hash. The model-keyword extension keeps a big list of hashes, and looking through it you can find duplicates. One particular hash, de2f2560, is extremely common for some reason, with literally hundreds of lora sharing it.
AutoV1 hashes (to which woobly refers, 8 hex digits) are far from unique; a significant number are concentrated under de2f2560, and I've also seen a handful amongst hundreds under e3b0c442 (though for some reason these seem to be excluded). However, it is deprecated, and AutoV2 hash is the first 10 hex digits of the sha256 hash. This should approximately require 100000 assorted models to have a 1% chance to encounter a collision (see https://en.wikipedia.org/wiki/Birthday_problem#Probability_table), and the full sha256 is a virtual impossibility. Both can be seen on the model's page (though I've posted about civitai possibly showing incorrect hashes rarely). There's a simple function to calculate sha256 for a file in python if you need to.
However, most surefire test: get both models in your environment, generate each with the same seed & prompt settings and lora / embedding changed, and they should show exactly the same results if they are identical. If so, then I would only believe it a mistake if the model they published is entirely different from what you created, in terms of description and sample gens (ie uploaded wrong file accidentally, not intentionally republishing the same content with the same or similar gens).
I can't tell you specifics about the TOS with any authority, but recently I have seen claims (in another question, probably this: https://civitai.com/questions/1185/my-model-has-been-uploaded-by-someone-else-how-can-i-report-it) that publishing & usage etiquette (such as publishing another's models from / on other sites, generation services and such) are treated more like guidelines than strictly enforced.
Technically, the person who posted the model ostensibly infringes "You own the Content you create," , but there doesn't seem to be any content removal guideline on the matter ("Content Duplication and false impersonation" seems to refer to publishing as someone else only).
Oh, and I'm pretty sure an automatic detection based on sha256 could be implemented; civ's storing & displaying the hashes, so it's just a matter of indexing it (in case it isn't a PK on another table already) and adding an existence query during publishing / sha calculation. Running a similar thing locally. Whether it will be is a matter of priority on which I have little information, but the overall trend of features indicates a likely no way.