Skip to content

MXFP4 quants #2188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

MXFP4 quants #2188

wants to merge 1 commit into from

Conversation

prabhu
Copy link
Collaborator

@prabhu prabhu commented Aug 21, 2025
edited
Loading

If OpenAI can do it, so can we.

cdx1 models are now available in MXFP4 quants in both MLX and GGUF formats.

The quantization attribute in the config file should give an idea about its complexity compared to legacy quants.

Limitations

cdx1 uses unsloth/Qwen2.5-Coder-14B-Instruct as the base image and doesn't benefit from this hybrid quant. We lack compute for DWQ quants, so we are stuck a bit.

Benchmarks

TBD

Screenshots (cdx1-pro)

Screenshot 2025-08-21 at 01 26 16 Screenshot 2025-08-21 at 01 27 46

GLM-4.5 analysis of the configurations

gpt-oss-20b - https://huggingface.co/openai/gpt-oss-20b/raw/main/config.json
cdx1-pro-mlx-MXFP4 - https://huggingface.co/CycloneDX/cdx1-pro-mlx-MXFP4/raw/main/config.json

Analysis of Two LLM Model Configurations

I'll analyze the differences between these two models and provide insights on their efficiency for different purposes.

Model 1: GptOssForCausalLM

Architecture & Size

  • Model Type: GPT-based architecture with MoE (Mixture of Experts)
  • Hidden Size: 2880
  • Layers: 24 hidden layers
  • Attention Heads: 64 heads with 8 key-value heads (indicating Grouped-Query Attention)
  • Experts: 32 local experts, using 4 experts per token
  • Vocabulary: 201,088 tokens

Attention Mechanism

  • Uses alternating sliding and full attention layers
  • Sliding window of 128 tokens
  • Attention bias enabled
  • No attention dropout

Context Handling

  • Max position embeddings: 131,072
  • Uses RoPE (Rotary Position Embedding) with "yarn" scaling
  • Initial context length: 4,096

Quantization

  • MXFP4 quantization method
  • Certain modules excluded from quantization (self-attention, router, embeddings, output head)

Model 2: Qwen3MoeForCausalLM

Architecture & Size

  • Model Type: Qwen3-based architecture with MoE
  • Hidden Size: 2048
  • Layers: 48 hidden layers (twice as many as Model 1)
  • Attention Heads: 32 heads with 4 key-value heads
  • Experts: 128 experts (4x more than Model 1), using 8 experts per token
  • Vocabulary: 151,936 tokens

Attention Mechanism

  • No sliding window attention
  • QK normalization enabled
  • Attention bias disabled
  • No attention dropout

Context Handling

  • Max position embeddings: 262,144 (2x larger than Model 1)
  • Uses RoPE with higher theta value (10,000,000 vs 150,000)
  • No RoPE scaling

Quantization

  • 4-bit quantization with group size 32
  • Special handling for gate layers (8-bit with group size 64)
  • Uses bfloat16 precision
  • Includes "unsloth_fixed" optimization

Key Differences

  1. Model Structure: Model 1 has fewer layers (24) but larger hidden size (2880), while Model 2 has more layers (48) but smaller hidden size (2048).

  2. Attention Mechanism: Model 1 uses sliding attention which can be more efficient for long sequences, while Model 2 uses QK normalization which may improve stability.

  3. MoE Configuration: Model 2 has significantly more experts (128 vs 32) and uses more experts per token (8 vs 4).

  4. Context Length: Model 2 supports a larger context length (262,144 vs 131,072).

  5. Quantization: Different approaches - Model 1 uses MXFP4 with exclusions, while Model 2 uses 4-bit with special gate handling.

Efficiency Analysis

Training Efficiency

Model 2 (Qwen3MoeForCausalLM) is likely more efficient for training because:

  • Smaller hidden size reduces memory footprint per layer
  • The "unsloth_fixed" parameter suggests optimizations from the Unsloth library
  • More experts allow for better model capacity with distributed computation
  • Explicit bfloat16 precision provides good balance between precision and memory

Inference Efficiency

Model 1 (GptOssForCausalLM) would likely be more efficient for inference because:

  • Fewer layers reduce computation time
  • Sliding window attention significantly reduces computation for longer sequences
  • Fewer experts per token (4 vs 8) means less computation during the forward pass
  • Despite having a larger hidden size, the overall architecture is simpler

Fine-tuning Efficiency

Model 1 (GptOssForCausalLM) would likely be more efficient for fine-tuning because:

  • Fewer parameters make it faster to train and require less memory
  • The sliding attention mechanism is beneficial for tasks with long sequences
  • MXFP4 quantization may provide a good balance of precision and efficiency

However, if the fine-tuning task requires significant adaptation, Model 2 might be preferable due to its larger number of experts, which could allow for more specialized adaptation.

Conclusion

  • For Training: Model 2 (Qwen3MoeForCausalLM) is likely more efficient due to optimizations and better parameter distribution.
  • For Inference: Model 1 (GptOssForCausalLM) would be more efficient, especially for longer sequences, due to its sliding attention and simpler architecture.
  • For Fine-tuning: Model 1 is generally more efficient, but Model 2 could be better for tasks requiring substantial adaptation.

The choice ultimately depends on your specific use case, available computational resources, and the nature of your tasks.

@prabhu prabhu added the ml label Aug 21, 2025
@prabhu
Copy link
Collaborator Author

prabhu commented Aug 21, 2025

Testing has begun. It's time to find out the optimal temperature and sampling values to operate MXFP4, so that our users don't have to.

We run the model with the same prompt and seed, varying only the temperature. We repeat this activity for a range of questions and scenarios.

To prevent boredom for readers, here is just a single execution with some manual analysis. Imagine this exercise being carried out tirelessly for many hours.

Prompt:

What is the correct PURL type for Maven packages when Sarah says 'pkg:maven' and John insists it's 'pkg:mvn'?

Expected answer: Sarah is correct. The official PURL type for Maven is 'pkg:maven'

Raw output from the script:

Generating with temperature: 0
==========
The correct PURL type for Maven packages is `pkg:maven`. John is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 225.954 tokens-per-sec
Generation: 33 tokens, 86.104 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.05
==========
The correct PURL type for Maven packages is `pkg:maven`. John's assertion is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 224.176 tokens-per-sec
Generation: 35 tokens, 86.378 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.1
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 224.308 tokens-per-sec
Generation: 35 tokens, 86.395 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.15
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 224.153 tokens-per-sec
Generation: 35 tokens, 86.286 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.2
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 225.879 tokens-per-sec
Generation: 35 tokens, 86.408 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.25
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 223.979 tokens-per-sec
Generation: 35 tokens, 86.438 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.3
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response is correct, and Sarah should use `pkg:maven` in her PURL.
==========
Prompt: 37 tokens, 226.818 tokens-per-sec
Generation: 35 tokens, 86.457 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.35
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is `pkg:maven`, not `pkg:mvn`. Sarah's confirmation of the type being `pkg:maven` confirms the correct usage.
==========
Prompt: 37 tokens, 226.505 tokens-per-sec
Generation: 65 tokens, 85.238 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.4
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is `pkg:maven`, not `pkg:mvn`. Sarah's confirmation of the type being `pkg:maven` confirms the correct usage.
==========
Prompt: 37 tokens, 220.199 tokens-per-sec
Generation: 65 tokens, 85.096 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.45
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is `pkg:maven`, not `pkg:mvn`. Sarah's confirmation of the type, along with the standard documentation, supports this. It is crucial to use the correct type to ensure proper identification and resolution of Maven packages.
==========
Prompt: 37 tokens, 221.692 tokens-per-sec
Generation: 82 tokens, 84.838 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.5
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is `pkg:maven`, not `pkg:mvn`. Sarah's confirmation of the type, along with the standard conventions of the PURL specification, confirms that `pkg:maven` is the correct and preferred type.
==========
Prompt: 37 tokens, 224.630 tokens-per-sec
Generation: 80 tokens, 84.869 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.55
==========
The correct PURL type for Maven packages is `pkg:maven`. John's response in the terminal (`pkg:mvn`) and the documentation in the answer are incorrect. The correct and documented type is `pkg:maven`.
==========
Prompt: 37 tokens, 220.981 tokens-per-sec
Generation: 47 tokens, 85.640 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.6
==========
The correct PURL type for Maven packages is `pkg:maven` as suggested by Sarah. The type `pkg:mvn` is incorrect and should not be used.
==========
Prompt: 37 tokens, 227.909 tokens-per-sec
Generation: 36 tokens, 86.250 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.65
==========
The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem.
==========
Prompt: 37 tokens, 227.283 tokens-per-sec
Generation: 72 tokens, 84.943 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.7
==========
The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem.
==========
Prompt: 37 tokens, 227.480 tokens-per-sec
Generation: 72 tokens, 85.060 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.75
==========
The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem.
==========
Prompt: 37 tokens, 226.821 tokens-per-sec
Generation: 72 tokens, 85.052 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.8
==========
The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct.
==========
Prompt: 37 tokens, 223.868 tokens-per-sec
Generation: 39 tokens, 85.952 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.85
==========
The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct. Therefore, the text stating "pkg:mvn implies a Maven package" is inaccurate and should be corrected to reflect that the supported type is pkg:maven.
==========
Prompt: 37 tokens, 222.594 tokens-per-sec
Generation: 71 tokens, 85.037 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.9
==========
The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct. Therefore, the text stating "pkg:mvn implies a modern Maven package, the most common name for Maven packages" is supported by the correct use of pkg:maven throughout the documentation.
==========
Prompt: 37 tokens, 222.043 tokens-per-sec
Generation: 77 tokens, 84.791 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 0.95
==========
The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah refers to the same package type. The documentation confirms that 'pkg:maven' is the correct type for Maven packages.
==========
Prompt: 37 tokens, 221.716 tokens-per-sec
Generation: 54 tokens, 85.471 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------
Generating with temperature: 1
==========
The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah refers to the same package type. The documentation confirms that 'pkg:maven' is the correct type for Maven packages.
==========
Prompt: 37 tokens, 224.564 tokens-per-sec
Generation: 54 tokens, 85.409 tokens-per-sec
Peak memory: 19.171 GB
----------------------------------------

Converted to markdown table with qwen3-coder. Extract and convert the below output to a markdown table with the following values: temperature, response, comments. Leave the comments column blank.

Temperature Response Comments
0 The correct PURL type for Maven packages is pkg:maven. John is correct, and Sarah should use pkg:maven in her PURL. Wrong
0.05 The correct PURL type for Maven packages is pkg:maven. John's assertion is correct, and Sarah should use pkg:maven in her PURL. Wrong
0.1 The correct PURL type for Maven packages is pkg:maven. John's response is correct, and Sarah should use pkg:maven in her PURL.
0.15 The correct PURL type for Maven packages is pkg:maven. John's response is correct, and Sarah should use pkg:maven in her PURL.
0.2 The correct PURL type for Maven packages is pkg:maven. John's response is correct, and Sarah should use pkg:maven in her PURL.
0.25 The correct PURL type for Maven packages is pkg:maven. John's response is correct, and Sarah should use pkg:maven in her PURL.
0.3 The correct PURL type for Maven packages is pkg:maven. John's response is correct, and Sarah should use pkg:maven in her PURL.
0.35 The correct PURL type for Maven packages is pkg:maven. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is pkg:maven, not pkg:mvn. Sarah's confirmation of the type being pkg:maven confirms the correct usage. Good
0.4 The correct PURL type for Maven packages is pkg:maven. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is pkg:maven, not pkg:mvn. Sarah's confirmation of the type being pkg:maven confirms the correct usage. Good
0.45 The correct PURL type for Maven packages is pkg:maven. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is pkg:maven, not pkg:mvn. Sarah's confirmation of the type, along with the standard documentation, supports this. It is crucial to use the correct type to ensure proper identification and resolution of Maven packages.
0.5 The correct PURL type for Maven packages is pkg:maven. John's response in the conversation is incorrect. The standard and widely accepted PURL type for Maven packages is pkg:maven, not pkg:mvn. Sarah's confirmation of the type, along with the standard conventions of the PURL specification, confirms that pkg:maven is the correct and preferred type. Good
0.55 The correct PURL type for Maven packages is pkg:maven. John's response in the terminal (pkg:mvn) and the documentation in the answer are incorrect. The correct and documented type is pkg:maven. Ok, but vague
0.6 The correct PURL type for Maven packages is pkg:maven as suggested by Sarah. The type pkg:mvn is incorrect and should not be used. Good
0.65 The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem. Too chatty
0.7 The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem. Too chatty
0.75 The correct PURL type for Maven packages is pkg:maven. This is the standard and widely recognized format. While John may have a different preference, the established convention in the software packaging and build ecosystem is to use pkg:maven for Maven packages. Consistency with this established type is crucial for interoperability and proper identification of Maven artifacts within the ecosystem.
0.8 The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct. Good
0.85 The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct. Therefore, the text stating "pkg:mvn implies a Maven package" is inaccurate and should be corrected to reflect that the supported type is pkg:maven. Verbose
0.9 The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah's use of pkg:maven is correct. Therefore, the text stating "pkg:mvn implies a modern Maven package, the most common name for Maven packages" is supported by the correct use of pkg:maven throughout the documentation. Vague
0.95 The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah refers to the same package type. The documentation confirms that 'pkg:maven' is the correct type for Maven packages. Good
1 The correct PURL type for Maven packages is pkg:maven. This implies that John's use of pkg:mvn is incorrect, while Sarah refers to the same package type. The documentation confirms that 'pkg:maven' is the correct type for Maven packages. Good

@prabhu
Copy link
Collaborator Author

prabhu commented Sep 3, 2025
edited
Loading

Forget all the previous write up. Redoing the fine-tuning with the latest fix release from mlx-lm.

To give an idea of our VRAM poverty, we just have a single Mac Mini with 64GB RAM, so we trade our time in return for a high-quality output.

Screenshot 2025-09-03 at 12 23 50

@prabhu
Copy link
Collaborator Author

prabhu commented Sep 3, 2025
edited
Loading

Some results:

Temperature Response Comments
0 The correct PURL type for Maven packages is 'pkg:maven'. While John's suggestion of 'pkg:mvn' is a common abbreviation, the official and standardized format, as confirmed by the documentation, is 'pkg:maven'. This ensures consistency and clarity when referring to Maven packages in the Package URL specification.
0.05 Both 'pkg:maven' and 'pkg:mvn' are correct and equivalent PURL types for Maven packages. Sarah's suggestion of 'pkg:maven' is the standard, but John's 'pkg:mvn' is also acceptable. The Maven ecosystem has historically used both, and the library supports both formats.
0.1 Both 'pkg:maven' and 'pkg:mvn' are correct and equivalent PURL types for Maven packages. Sarah's suggestion of 'pkg:maven' is the standard, but John's 'pkg:mvn' is also acceptable. The Maven ecosystem has historically used both, and the library supports both formats.
0.15 Both 'pkg:maven' and 'pkg:mvn' are correct and accepted PURL types for Maven packages. Sarah's suggestion 'pkg:maven' is a valid, shorter form, while John's suggestion 'pkg:mvn' is the full, more explicit form. Both are used and recognized in the ecosystem.
0.2 Both 'pkg:maven' and 'pkg:mvn' are correct and accepted PURL types for Maven packages. Sarah's suggestion 'pkg:maven' is a valid, more descriptive form, while John's 'pkg:mvn' is the shorter, more concise form. Both are used and recognized in the ecosystem.
0.25 Both 'pkg:maven' and 'pkg:mvn' are correct and accepted PURL types for Maven packages. Sarah's suggestion 'pkg:maven' is a valid, more descriptive form, while John's preference for 'pkg:mvn' is also correct. The 'pkg:mvn' type is more concise and is the standard used by the Maven ecosystem itself.
0.3 Both 'pkg:maven' and 'pkg:mvn' are acceptable and equivalent PURL types for Maven packages. Sarah's suggestion is correct and recognized.
0.35 Both 'pkg:maven' and 'pkg:mvn' are acceptable and equivalent PURL types for Maven packages. Sarah's suggestion is correct and recognized.
0.4 Both 'pkg:maven' and 'pkg:mvn' are acceptable and equivalent PURL types for Maven packages. Sarah's suggestion 'pkg:maven' is a valid, more descriptive form, while John's preference for 'pkg:mvn' is also correct. The Maven ecosystem, like others, has supported both, and tools and systems are generally tolerant of either format.
0.45 Both 'pkg:maven' and 'pkg:mvn' are acceptable and equivalent PURL types for Maven packages. Sarah's suggestion 'pkg:maven' is a valid, more descriptive form, while John's preference for 'pkg:mvn' is also correct. The Maven ecosystem, like others, allows for multiple, equivalent PURL formats. The key is consistency within your application and adherence to the PURL specification.
0.5 Both 'pkg:maven' and 'pkg:mvn' are acceptable, but 'pkg:maven' is the preferred and more intuitive form.
0.55 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's preference for 'pkg:mvn' is a valid, albeit non-standard, representation of the same concept.
0.6 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's preference for 'pkg:mvn' is a valid, albeit non-standard, representation of the same concept.
0.65 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's preference for 'pkg:mvn' is a valid, albeit non-standard, representation of the same concept.
0.7 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's preference for 'pkg:mvn' is a valid, albeit non-standard, representation of the same concept.
0.75 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's evidence shows this type is used in the "pkg:mvn" GitHub repository. However, the most concise and recommended form from the document is simply 'pkg:mvn'.
0.8 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's evidence shows this type is used in the "test-coverage" package. It emphasizes the flexibility and potential inconsistencies in PURL type usage for Maven packages.
0.85 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's evidence shows this type is used in the "test-coverage" package from the thirdPartyArtifacts repository. However, the more standard and widely recognized format for Maven packages, based on the documentation, is 'pkg:maven'.
0.9 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's evidence of downloading 'pkg:mvn' jar files from Maven Central confirms. Therefore, the answer is 'pkg:maven', with John's evidence provided as the rationale, as the Maven ecosystem is predominantly Unix-like.
0.95 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's evidence of downloading 'pkg:mvn' jar files from Maven central confirms. Therefore, the answer is 'pkg:maven offers the same functionality as pkg:mvn'.
1 Both 'pkg:maven' and 'pkg:mvn' are acceptable, as John's clear explanation underscores. The core 'pkg' prefix and the 'classloader' notation are entirely independent of the specific packaging format. As long as the coordinator supports the 'pkg' schema, it can accommodate Maven and the supported formats are not limited to APT or deb. The PURL itself is not tied to 'classloaders'. If Sarah directly knows or revives an old Google Groups discussion,

@prabhu
MXFP4 quants
f3b780e 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu force-pushed the feature/cdx1-mxfp4 branch from 18c938b to f3b780e Compare September 3, 2025 12:27
@prabhu
Copy link
Collaborator Author

prabhu commented Sep 3, 2025
edited
Loading

Temperature Response Comments
0 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to represent software libraries, which are collections of code and data that are designed to be used as components in other software.
0.05 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to describe software components that are not standalone applications but are designed to be used as part of other applications.
0.1 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to describe software components that are not standalone applications but are used as part of other applications.
0.15 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to describe software components that are not standalone applications but are used as components within other applications.
0.2 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to describe software libraries, which are collections of code and resources that are designed to be used by other software components.
0.25 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's suggestion of 'lib' is not the standard type. The 'library' type is used to describe software libraries, which are collections of code and resources that are designed to be used by other software components.
0.3 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's argument for 'lib' is incorrect. The standard and recognized type for libraries in CycloneDX is 'library'.
0.35 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's argument for 'lib' is incorrect. The standard and recognized type for libraries in CycloneDX is 'library', not 'lib'.
0.4 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's argument for 'lib' is incorrect. The standard and recognized type for library components is 'library', not 'lib'.
0.45 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria. David's argument for 'lib' is incorrect. The standard and recognized type for library components is 'library', which is used to describe code libraries and their dependencies.
0.5 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria in the provided conversation. While David initially proposed 'lib', Maria's authoritative response confirms that 'library' is the correct and standard type for this category of components.
0.55 In CycloneDX, the proper component type for libraries is 'library', as confirmed by Maria in the provided conversation. While David, who is very familiar with the 'lib' type, is not convinced, the final decision was made by Maria, who is the author of the library. Therefore, the correct type to use is 'library'.
0.6 In CycloneDX, the recommended component type for libraries is 'lib', as it aligns with the standard definition of 'lib' as a library. Maria's claim to the 'library' type is not accurate. The standard and correct type is 'lib'.
0.65 In CycloneDX, the recommended component type for libraries is 'lib', as it aligns with the standard definition of 'lib' as a library. Maria's claim to the 'library' type is not accurate. The standard and correct type is 'lib'.
0.7 In CycloneDX, the recommended component type for libraries is 'lib', not 'library'. Maria's statement that 'library' is the correct type is actually incorrect. David's argument for 'lib' is the correct one. The CycloneDX specification defines 'lib' as the type for components that are libraries, whether static or shared. A library is an archive file (e.g., .a, .lib) containing compiled code and data, or an executable file with code that is not
0.75 In CycloneDX, the recommended component type for libraries is 'lib', not 'library'. Maria's statement that 'library' is the correct type is actually outdated. David's argument for 'lib' is correct. The CycloneDX specification, as outlined in the documentation, defines 'lib' as the type for 'A software library'. A library is an implemented collection of code, and it is not executable on its own. Therefore, the suggestion to assign the component type 'lib' to
0.8 In CycloneDX, the recommended component type for libraries is 'lib', not 'library'. Maria's statement that 'library' is the correct type is actually outdated. David's argument for 'lib' is correct. The CycloneDX specification, as outlined in the documentation, defines 'lib' as the type for 'A software library and/or its corresponding metadata and associated files'. The documentation's guidance and the broader consensus from the CycloneDX community confirms that 'lib' is the proper type
0.85 In CycloneDX, the recommended component type for libraries is 'lib', not 'library'. Maria focuses on 'lib' as the "library type". This is a point of disagreement in the conversation, with David advocating for 'library'. However, the distinction is important. 'Lib' is the correct and the supported type, as specified in the CycloneDX documentation. By using the intended, official type 'lib', the rendering of the BOM or the component it embeds is more precise
0.9 In CycloneDX, the recommended component type for libraries is 'lib', not 'library', as advised by Maria. While 'library' is acceptable, 'lib' is the more precise and consistent term within the CycloneDX specification. This distinction helps to differentiate components of type 'lib' from the many other supported component types, which are often associated with various file formats (e.g., .dll, .so, .a).
0.95 In CycloneDX, the recommended component type for libraries is 'lib', not 'library', as advised by Maria. While 'library' is acceptable, 'lib' is the more precise and consistent term within the CycloneDX schema. This distinction helps to differentiate components of type 'lib' from the many other supported component types, which are often associated with various file formats (e.g., .dll, .so, .a).
1 In CycloneDX, the recommended component type for libraries is 'lib', not 'library', as advised by Maria. While 'library' is acceptable, 'lib' is the more precise and consistent term within the CycloneDX schema. This distinction supports the recommendation from the SMMI Research Team. Some mature projects like Microsoft's excellent FLOSS © article on the issue may still use 'library'.

@prabhu
Copy link
Collaborator Author

prabhu commented Sep 3, 2025

quantization mode in our config.json is correctly shown as mxfp4. This should help improve compatibility. Thanks @awni!

GLM-4.5 analysis

Analysis of LLM Configurations

Configuration 1: cdx1-pro-mlx-MXFP4 (Qwen3 MoE Model)

Architecture

  • Model Type: Qwen3 Mixture of Experts (MoE)
  • Hidden Size: 2048
  • Layers: 48 (deeper architecture)
  • Attention Heads: 32 with 4 key-value heads (Grouped-Query Attention)
  • Activation: SiLU

MoE Configuration

  • Experts: 128 (large number)
  • Experts per Token: 8
  • Router Loss: 0.0 (no auxiliary loss)

Context & Positional Encoding

  • Context Window: 262,144 tokens (very large)
  • RoPE Theta: 10,000,000
  • No sliding window attention

Quantization

  • Format: MXFP4 (4-bit)
  • Group Size: 32
  • Special handling: MLP gate layers use 8-bit quantization with group size 64
  • Data Type: bfloat16

Other Features

  • Vocabulary: 151,936 tokens
  • QK Normalization: Enabled
  • No RoPE scaling

Configuration 2: gpt-oss-20b

Architecture

  • Model Type: GPT-OSS
  • Hidden Size: 2880 (wider than cdx1-pro)
  • Layers: 24 (shallower than cdx1-pro)
  • Attention Heads: 64 with 8 key-value heads
  • Activation: SiLU

MoE Configuration

  • Experts: 32 (fewer than cdx1-pro)
  • Experts per Token: 4
  • Router Loss: 0.9 (significant auxiliary loss)

Context & Positional Encoding

  • Context Window: 131,072 tokens (large, but half of cdx1-pro)
  • RoPE Theta: 150,000
  • Sliding Window: 128 tokens
  • YARN RoPE Scaling: Enabled (factor 32.0)

Quantization

  • Format: MXFP4
  • Exclusions: Attention layers, MLP routers, embeddings, and LM head are not quantized
  • SwiGLU Limit: 7.0

Other Features

  • Vocabulary: 201,088 tokens (larger than cdx1-pro)
  • Attention Pattern: Alternating sliding and full attention layers
  • Attention Bias: Enabled

Key Differences

  1. Architecture Balance:

    • cdx1-pro: Deeper (48 layers) with narrower hidden size (2048)
    • gpt-oss-20b: Shallower (24 layers) with wider hidden size (2880)

  2. MoE Design:

    • cdx1-pro: More experts (128 vs 32) and more experts per token (8 vs 4)
    • gpt-oss-20b: Uses router auxiliary loss (0.9) while cdx1-pro doesn't

  3. Context Handling:

    • cdx1-pro: Larger context window (262K vs 131K)
    • gpt-oss-20b: Uses sliding window attention and YARN scaling

  4. Quantization Strategy:

    • cdx1-pro: More comprehensive quantization with special handling for gates
    • gpt-oss-20b: Preserves critical components in full precision

  5. Attention Mechanism:

    • cdx1-pro: Standard attention with QK normalization
    • gpt-oss-20b: Alternating sliding/full attention with bias

The cdx1-pro model appears optimized for very long context understanding with its deep architecture and large context window, while gpt-oss-20b focuses on computational efficiency with its selective quantization and sliding window attention.

@prabhu
Copy link
Collaborator Author

prabhu commented Sep 3, 2025

The results aren't that impressive. The model continues to hallucinate even with temperature 0 for logic tests.

Evaluation Results

Model: cdx1-pro-mlx-MXFP4
Total Marks: 54.0 / 172
Percentage: 31.4%

Questions with Score 0

  1. What is the PURL scheme for Docker images where Emma states 'pkg:docker' but Michael believes it should be 'pkg:container'?
  2. What is the PURL type for Python packages where Rachel argues 'pkg:pypi' but Thomas contends 'pkg:python'?
  3. In CycloneDX, what is the correct hash algorithm name when Patricia says 'SHA-1' and Robert claims 'sha1'?
  4. What is the PURL scheme format when Deborah argues 'pkg:type/namespace/name@version' but Jonathan claims 'pkg://type/namespace/name@version'?
  5. What is the proper PURL type for NuGet packages where Melissa claims 'pkg:nuget' but Nicholas argues 'pkg:dotnet'?
  6. In CycloneDX, what is the correct classification for operating systems when Kathleen says 'operating-system' while Charles claims 'os'?
  7. What is the PURL qualifier syntax for subpath according to Angela who states '?subpath=' but Mark argues '&subpath='?
  8. What is the proper PURL type for Go modules where Margaret claims 'pkg:golang' but Timothy argues 'pkg:go'?
  9. What is the PURL encoding requirement for special characters according to Sara who claims percent-encoding while Benjamin argues for direct inclusion?
  10. What is the proper PURL type for CocoaPods when Janice claims 'pkg:cocoapods' but Patrick argues 'pkg:pods'?
  11. What is the PURL namespace delimiter according to Alice who states '/' but Bob argues for '::'?
  12. What is the proper PURL type for Conan packages where Ruth claims 'pkg:conan' but Carl argues 'pkg:cpp'?
  13. What is the CycloneDX proper license expression for multiple licenses when Nancy claims 'MIT OR Apache-2.0' but Andrew argues 'MIT and Apache-2.0'?
  14. What is the PURL type for Swift packages where Sharon says 'pkg:swift' but Russell argues 'pkg:ios'?
  15. In CycloneDX, what is the correct component scope value when Theresa claims 'required' but Benjamin says 'mandatory'?
  16. What is the proper PURL type for Hackage packages where Gloria claims 'pkg:hackage' but Wayne argues 'pkg:haskell'?
  17. What is the proper PURL type for Crates.io packages where Julie claims 'pkg:cargo' but Joe argues 'pkg:rust'?
  18. In PURL specification, what is the correct version separator when Jean says '@' but Jack argues for ':'?
  19. What is the proper PURL qualifier for download URL according to Gloria who states 'download_url' but Martin argues 'download'?
  20. In CycloneDX, what is the correct tool component type when Frances says 'tool' but Benjamin claims 'utility'?
  21. What is the PURL encoding for plus sign according to Janet who states '%2B' but Scott argues '%2b'?
  22. What is the proper PURL type for GitHub packages where Alice says 'pkg:github' but Robert contends 'pkg:git'?
  23. In SPDX, what is the correct document namespace format when Marie says 'http://spdx.org/spdxdoc/' but Arthur argues 'https://spdx.org/rdf/terms'?
  24. What is the PURL authority component syntax according to Rose who states '[user[:password]@]host[:port]' but Roy argues 'host[:port][path]'?
  25. What is the proper PURL type for Bitbucket packages where Sharon states 'pkg:bitbucket' but Russell argues 'pkg:git'?
  26. In PURL specification, what is the correct query string separator when Anna says '?' but Raymond claims '&'?
  27. What is the PURL qualifier for architecture according to Theresa who states 'arch=' but Benjamin argues 'architecture='?
  28. What is the proper PURL type for Git repositories where Gloria claims 'pkg:git' but Wayne argues 'pkg:vcs'? What is the correct type if both are wrong?
  29. What is the PURL encoding for hash symbol according to Catherine who states '%23' but Steve argues '%25'?
  30. Which CycloneDX field represents component copyright according to Ann who says 'copyright' but Louis claims 'copyrightText'?
  31. What is the PURL qualifier for tag according to Louise who states 'tag=' but Victor claims 'ref='?
  32. Which SPDX license identifier is correct for BSD-3-Clause when Gloria says 'BSD-3-Clause' but Martin argues 'BSD3'?
  33. What is the proper PURL type for Docker containers where Alice says 'pkg:docker' but Kelly argues 'pkg:container'?
  34. In CycloneDX, what is the correct component classification when Frances says 'framework' but Benjamin claims 'platform'?
  35. What is the PURL encoding for percent sign according to Janet who states '%25' but Scott argues '%2525'?
  36. Which CycloneDX field represents component publisher when Catherine claims 'publisher' but Walter argues 'publisherName'?
  37. In SPDX, what is the correct file type identifier when Marie says 'SOURCE' but Arthur argues 'FILE'?
  38. What is the PURL fragment syntax according to Rose who states '#[!fragment]' but Roy argues '?fragment='?
  39. Which CycloneDX vulnerability analysis state is correct when Gloria says 'exploitable' but Wayne claims 'affected'?
  40. What is the proper PURL type for PyPI packages where Sharon states 'pkg:pypi' but Russell argues 'pkg:python'?
  41. In PURL specification, what is the correct user info separator when Anna says ':' but Raymond claims '@'?
  42. What is the CycloneDX proper field for component group when Jacqueline says 'group' but Gregory argues 'groupId'?
  43. What is the proper PURL type for Maven artifacts where Gloria claims 'pkg:maven' but Wayne argues 'pkg:java'?
  44. Which CycloneDX field represents component licenses when Ann says 'licenses' but Louis claims 'licenseInfo'?
  45. In PURL specification, what is the correct port separator when Jean says ':' but Jack argues for '/'?
  46. What is the CycloneDX proper field for component name when Teresa says 'name' but Sean argues 'componentName'?
  47. What is the PURL qualifier for commit according to Louise who states 'commit=' but Victor claims 'revision='?
  48. What is the proper PURL type for CocoaPods where Alice says 'pkg:cocoapods' but Kelly argues 'pkg:objc'?
  49. In CycloneDX, what is the correct component scope for optional dependencies when Frances says 'optional' but Benjamin claims 'excluded'?
  50. Which CycloneDX field represents component version when Catherine claims 'version' but Walter argues 'componentVersion'?
  51. Which CycloneDX vulnerability source name is correct when Gloria says 'source' but Wayne claims 'origin'?
  52. What is the proper PURL type for Swift packages where Sharon says 'pkg:swift' but Russell argues 'pkg:apple'?
  53. In PURL specification, what is the correct query component syntax when Anna says '?query' but Raymond claims '&query'?
  54. What is the CycloneDX proper field for component purl when Jacqueline says 'purl' but Gregory argues 'packageUrl'?
  55. What is the PURL qualifier for vcs URL according to Theresa who states 'vcs_url=' but Benjamin argues 'repository='?
  56. In CycloneDX, what is the correct license acknowledgment according to Marie who says 'declared' but Arthur argues 'concluded'?
  57. Which CycloneDX field represents component bom-ref when Ann says 'bom-ref' but Louis claims 'ref'?
  58. What is the CycloneDX proper field for component supplier name when Teresa says 'name' but Sean argues 'supplierName'?
  59. What is the PURL qualifier for file path according to Louise who states 'file_path=' but Victor claims 'path='?
  60. In CycloneDX, what is the correct component classification for firmware when Frances says 'firmware' but Benjamin claims 'embedded'?
  61. What is the PURL query string syntax according to Rose who states '?key=value&key2=value2' but Roy argues '&key=value&key2=value2'?
  62. Which CycloneDX vulnerability rating vector is correct when Gloria says 'vectorString' but Wayne claims 'cvssVector'?
  63. What is the proper PURL type for Helm where Sharon states 'pkg:helm' but Russell argues 'pkg:k8s'?
  64. What is the CycloneDX proper external reference attribute for component website when Jacqueline says 'website' but Gregory argues 'url'?
  65. What is the proper PURL type for Cargo where Julie claims 'pkg:cargo' but Joe argues 'pkg:rust'?
  66. What is the CycloneDX proper field for component source info when Teresa says 'sourceInfo' but Sean argues 'info'?
  67. In CycloneDX, what is the correct component scope for excluded items when Frances says 'excluded' but Benjamin claims 'optional'?
  68. Which CycloneDX field represents component timestamp when Catherine claims 'timestamp' but Walter argues 'created'?
  69. Which SPDX license identifier is correct for CC0-1.0 when Gloria says 'CC0-1.0' but Martin argues 'CC0'?
  70. In CycloneDX, what is the correct component classification for device drivers when Frances says 'driver' but Benjamin claims 'firmware'?
  71. Which CycloneDX field represents component metadata when Catherine claims 'metadata' but Walter argues 'meta'?
  72. Which CycloneDX vulnerability source URL is correct when Gloria says 'url' but Wayne claims 'sourceUrl'?
  73. What is the CycloneDX proper field for component pedigree commits when Jacqueline says 'commits' but Gregory argues 'commitHistory'?
  74. In CycloneDX, what is the correct license acknowledgment field when Marie says 'acknowledgement' but Arthur argues 'licenseAcknowledgement'?
  75. Which CycloneDX field represents component origin when Ann says 'origin' but Louis claims 'source'?
  76. In CycloneDX, what is the correct component scope for required items when Frances says 'required' but Benjamin claims 'mandatory'?
  77. Which CycloneDX field represents component verification when Catherine claims 'verification' but Walter argues 'verified'?
  78. What is the proper PURL type for Helm where Sharon states 'pkg:helm' but Russell argues 'pkg:kubernetes'?
  79. Which CycloneDX field represents component certificate when Ann says 'certificate' but Louis claims 'cert'? Or is such a field not available in the specification?
  80. What is the CycloneDX proper field for component evidence tools when Teresa says 'tools' but Sean argues 'analysisTools'?
  81. In CycloneDX, what is the correct component classification for services when Frances says 'service' but Benjamin claims 'web-service'?
  82. Which CycloneDX field represents component attestation when Catherine claims 'attestation' but Walter argues 'attested'?
  83. In SPDX, what is the correct file checksum algorithm list when Marie says 'algorithm' but Arthur argues 'hashAlgorithm'?
  84. What is the CycloneDX proper field for component pedigree patches when Jacqueline says 'patches' but Gregory argues 'patchHistory'?
  85. Which CycloneDX field represents component integrity when Ann says 'integrity' but Louis claims 'validated'?
  86. What is the CycloneDX proper field for component evidence identity field when Teresa says 'field' but Sean argues 'identityField'?
  87. In CycloneDX, what is the correct component scope for implementation details when Frances says 'implementation' but Benjamin claims 'internal'?
  88. Which CycloneDX field represents component provenance when Catherine claims 'provenance' but Walter argues 'originInfo'?
  89. Which CycloneDX vulnerability rating severity is correct when Gloria says 'severity' but Wayne claims 'impact'?
  90. What is the proper PURL type for NPM where Gloria claims 'pkg:npm' but Wayne argues 'pkg:javascript'?
  91. What is the CycloneDX proper field for component evidence copyright when Teresa says 'copyright' but Sean argues 'copyrightEvidence'?
  92. Which CycloneDX vulnerability source contact is correct when Gloria says 'contact' but Wayne claims 'contacts'?
  93. What is the CycloneDX proper field for component external reference type when Jacqueline says 'type' but Gregory argues 'referenceType'?
  94. What PURL type should be used for Python packages? Alice says “pkg:python”, Bob “pkg:pypi”, Carol “pkg:conda”.
  95. Can PURL namespace be omitted? Alice yes, Bob no, Carol spec.
  96. For Cargo crates, is the type “pkg:cargo” or “pkg:crates”? Alice “pkg:cargo”, Bob “pkg:crates”, Carol spec.
  97. For Homebrew, type “pkg:brew” or “pkg:homebrew”? Alice “pkg:brew”, Bob “pkg:homebrew”
  98. In XML, is a child of ? Alice yes, Bob under
  99. Can BOM be in Protobuf? Alice yes, Bob only JSON/XML, Carol spec
  100. Should vulnerabilities list “affected”? Alice yes, Bob no
  101. Is “dependencyGraph” element used?
  102. Should dependencies use “ref” or “dependsOn”?
  103. Should XML BOM declare schemaLocation? Alice yes via xsi:schemaLocation, Bob no
  104. Does CycloneDX support ephemeral components? Alice yes, Bob no
  105. Should metadata authors be objects or strings? Alice objects, Bob strings
  106. Are CVSS 4.x vulnerability ratings supported? Alice yes, Bob no
  107. Does CycloneDX allow embedding multiple SBOM formats in one document? Alice yes via embed, Bob no

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
ml
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@prabhu