Safetensors Officially Joins the PyTorch Foundation

Safetensors, the machine learning (ML) model storage format developed by Hugging Face, has officially joined the PyTorch Foundation as a foundation-hosted project. It now sits alongside DeepSpeed, Helion, Ray, vLLM, and PyTorch itself under the Linux Foundation umbrella. With this move, the trademark, repository, and governance of Safetensors are transferred from Hugging Face's sole stewardship to the Linux Foundation.

Why This Announcement Matters

Safetensors is currently the default storage format for tens of thousands of models on the Hugging Face Hub, spanning every modality—text, image, audio, and beyond. The project has become the de facto standard for open-source ML model sharing, and it now moves out of single-company ownership into a vendor-neutral governance structure.

The significance goes beyond expanded code contribution channels. A formal, documented path for any contributor to become a maintainer has been established via GOVERNANCE.md and MAINTAINERS.md. Structurally, the risk of critical open-source infrastructure being swayed by any single company's shifting priorities or business decisions is substantially reduced.

What Has Changed

For existing users, nothing changes: the format, APIs, and Hub integration remain identical. Models already stored in Safetensors format will continue to work without any migration.

How We Got Here — From Security Vulnerability to Ecosystem Standard

Safetensors was born from a structural vulnerability in the Python ecosystem. The pickle-based serialization formats that dominated early ML workflows allowed arbitrary code execution simply by loading a file. This was a tolerable risk when model sharing was limited to small research circles, but as open model sharing exploded via the Hugging Face Hub in 2022–2023, pickle became a viable supply chain attack vector.

Hugging Face's solution was deliberately minimal. The format consists of a JSON header (capped at 100MB, describing tensor metadata) followed by raw tensor data. Key properties include zero-copy loading that maps tensors directly from disk, and lazy loading that allows reading individual weights without deserializing an entire checkpoint. With no code execution path in the format itself, malicious payloads have no structural entry point.

Adoption outpaced expectations. Major model hubs and frameworks rapidly adopted Safetensors as their default format, and today it spans LLMs (large language models), image generation models, audio models, and more.

What Comes Next [Expert Analysis]

The roadmap unveiled alongside the PyTorch Foundation announcement suggests Safetensors is set to evolve from a file format into a core layer of ML infrastructure.

PyTorch Core Integration: Work is underway with the PyTorch team to make Safetensors the default serialization system for torch models. If completed, this could reshape the default save/load experience for hundreds of millions of PyTorch users.

Device-Aware Loading: Planned support for loading tensors directly onto CUDA, ROCm, and other accelerators without unnecessary CPU staging is likely to meaningfully reduce inference startup latency for large models.

Parallel Loading APIs: First-class APIs for Tensor Parallel and Pipeline Parallel loading—enabling each rank or pipeline stage to load only the weights it needs—are on the roadmap. This is a high-impact feature for operating models with hundreds of billions of parameters at lower cost.

Quantization Format Support: Official support for FP8, block-quantized formats such as GPTQ and AWQ, and sub-byte integer types will be formalized, directly addressing the growing demand from the inference efficiency community.

The Linux Foundation governance structure is also likely to lower the barrier for enterprise adoption. Large organizations with strict supply chain security and open-source dependency policies tend to place greater trust in neutral-foundation projects than in those controlled by a single vendor. Safetensors may be positioning itself to become the internet-standard equivalent for ML infrastructure.