Safetensors Moves to PyTorch Foundation for Open Governance
SAN FRANCISCO — Hugging Face is transferring Safetensors, its widely adopted format for storing and sharing machine learning model weights, to the PyTorch Foundation, the company announced April 8.
The move places the security-focused serialization format under the same Linux Foundation umbrella that governs PyTorch itself, alongside projects including DeepSpeed, vLLM and Ray. Hugging Face is transferring the trademark, repository and governance structure to the foundation, according to a Hugging Face blog post (https://huggingface.co/blog/safetensors-joins-pytorch-foundation) by engineers Luc Georges and Lysandre Debut.
“We want Safetensors to truly belong to the community,” the authors wrote. “By bringing more companies and contributors into the governance of the project, we make sure that progress reflects the breadth of the community building on top of it.”
What Safetensors Does
Safetensors was designed to address a persistent security risk in machine learning: the use of Python’s pickle format for model weight storage, which can execute arbitrary code when a file is loaded. The format instead stores a JSON header, capped at a hard 100 megabytes, followed by raw tensor data, leaving no place in a model file to embed executable code.
The format also offers performance advantages, including zero-copy loading that maps tensors directly from disk and lazy loading that allows individual weights to be read without deserializing an entire checkpoint.
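To make the header-plus-raw-data layout and the offset-based lazy loading described above concrete, here is a minimal writer and parser for the format, added as an example and not code from the article or from the Safetensors project. Layout details the article does not spell out (the 8-byte little-endian header length prefix and the dtype/shape/data_offsets keys) follow the published safetensors specification; the dtype table and sample tensors are constructed for this example.

```python
import json
import math
import struct

MAX_HEADER_SIZE = 100_000_000   # the format's hard 100 MB cap on the JSON header
DTYPE_SIZE = {"F32": 4, "I64": 8}  # byte widths for the dtypes used here


def save_safetensors(tensors, metadata=None):
    """Serialize {name: (dtype, shape, raw_bytes)} into the safetensors layout."""
    header, body, offset = {}, bytearray(), 0
    if metadata:
        header["__metadata__"] = metadata  # optional string-to-string map
    for name, (dtype, shape, raw) in sorted(tensors.items()):
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [offset, offset + len(raw)]}
        body += raw
        offset += len(raw)
    hdr = json.dumps(header).encode("utf-8")
    # 8-byte little-endian header length, JSON header, then raw tensor bytes
    return struct.pack("<Q", len(hdr)) + hdr + bytes(body)


def load_safetensors(blob):
    """Parse safetensors bytes back into {name: (dtype, shape, raw_bytes)}."""
    # Only json.loads and byte slicing touch the input, so nothing in the
    # file can be executed; malformed headers are rejected, not interpreted.
    if len(blob) < 8:
        raise ValueError("truncated: missing 8-byte header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_SIZE:
        raise ValueError(f"header of {n} bytes exceeds {MAX_HEADER_SIZE}")
    if 8 + n > len(blob):
        raise ValueError("truncated: header length exceeds file size")
    header = json.loads(blob[8:8 + n])
    data = blob[8 + n:]
    tensors = {}
    for name, info in header.items():
        if name == "__metadata__":
            continue
        begin, end = info["data_offsets"]
        if not (0 <= begin <= end <= len(data)):
            raise ValueError(f"{name}: data_offsets outside the data region")
        if end - begin != DTYPE_SIZE[info["dtype"]] * math.prod(info["shape"]):
            raise ValueError(f"{name}: dtype/shape do not match byte count")
        # Slicing by offset is what lets a loader read one tensor lazily.
        tensors[name] = (info["dtype"], tuple(info["shape"]), data[begin:end])
    return tensors


# Constructed sample checkpoint: a 2x2 F32 weight and a 3-element I64 bias.
SAMPLE = {"weight": ("F32", (2, 2), struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
          "bias": ("I64", (3,), struct.pack("<3q", 10, 20, 30))}
```

Because the parser only ever calls json.loads and slices bytes, a header that lies about its size or offsets produces a ValueError rather than any code execution, which is the contrast with pickle the article draws.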
Safetensors has become the default format for model distribution across the Hugging Face Hub and is used by tens of thousands of models across all modalities, according to the company.
Governance and Continuity
Under the new structure, Hugging Face maintainers Luc Georges and Daniel will remain on the project’s Technical Steering Committee. The foundation will maintain formal governance and maintainer documents, opening a documented path to maintainership for outside contributors.
The company emphasized that no breaking changes are planned. The format specification, APIs and Hugging Face Hub integration will remain identical, according to the blog post.
“Safety is best guaranteed when every contributor can build on what already exists, a principle now embedded in the project’s governance itself,” the authors wrote.
Roadmap Under Foundation Governance
The project’s roadmap includes deeper integration with PyTorch’s core serialization system, device-aware loading for CUDA and ROCm accelerators, parallel loading APIs for tensor and pipeline parallelism, and expanded quantization support for formats including FP8, GPTQ and AWQ.
The transfer follows a pattern of maturing AI infrastructure projects moving from single-company ownership to foundation governance. The PyTorch Foundation, backed by major U.S. technology companies including Meta, Microsoft and Google, has become a primary home for open-source ML tooling.