Today, we are announcing that Safetensors has joined the PyTorch Foundation as a Foundation-hosted project under the Linux Foundation, alongside DeepSpeed, Helion, Ray, vLLM, and PyTorch itself.
How we got here
Safetensors started as a Hugging Face project born out of a specific need: a way to store and share model weights that wouldn’t allow arbitrary code to run. The pickle-based formats that dominated the ecosystem at the time meant there was a very real risk of running malicious code. While this was an acceptable risk when ML was in its infancy, it became unacceptable as sharing open models became central to how the ML community works.
The format we built is intentionally simple: a JSON header, with a hard limit of 100MB, describes the tensor metadata and is followed by the raw tensor data. Zero-copy reads map tensors directly from disk, and lazy loading lets you read individual weights without deserializing the entire checkpoint.
What we completely didn’t expect was how widely adopted it would be. Safetensors is now the default format for model distribution on platforms such as the Hugging Face Hub, and is used by tens of thousands of models across all modalities of ML. It has become the preferred way for the open source ML community to share models.
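A header check for the layout described above, as an added example that is not code from the Safetensors project: it reads only the JSON header, enforces the size cap before parsing, and verifies every tensor's byte range without decoding any tensor data. The 8-byte little-endian length prefix and the `dtype`/`shape`/`data_offsets` keys come from the published format description rather than this page; `read_header`, `build_sample` and the exact cap in bytes are assumptions of the example.

```python
import json
import struct

# "100MB" from the text; the exact byte count used here is an assumption.
MAX_HEADER_BYTES = 100_000_000
DTYPE_BYTES = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2,
               "I64": 8, "I32": 4, "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}

def read_header(blob: bytes) -> dict:
    """Parse and validate the header only; tensor bytes are never decoded."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte length prefix")
    (n,) = struct.unpack("<Q", blob[:8])
    # Check the declared size before slicing or allocating anything.
    if n > MAX_HEADER_BYTES:
        raise ValueError("declared header size exceeds the limit")
    if 8 + n > len(blob):
        raise ValueError("declared header size runs past end of file")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    data_len = len(blob) - 8 - n
    tensors = {}
    for name, info in header.items():
        if name == "__metadata__":  # free-form string map, not a tensor
            continue
        begin, end = info["data_offsets"]
        size = DTYPE_BYTES.get(info["dtype"])
        if size is None:
            raise ValueError(f"{name!r}: unknown dtype")
        for dim in info["shape"]:
            size *= dim
        # The byte range must lie inside the data section and match the shape.
        if not 0 <= begin <= end <= data_len or end - begin != size:
            raise ValueError(f"{name!r}: offsets do not match dtype and shape")
        tensors[name] = (info["dtype"], tuple(info["shape"]), begin, end)
    return tensors

def build_sample() -> bytes:
    """Constructed sample file: two zero-filled tensors, 20 data bytes."""
    header = {
        "__metadata__": {"note": "constructed sample"},
        "w": {"dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16]},
        "b": {"dtype": "F16", "shape": [2], "data_offsets": [16, 20]},
    }
    raw = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(raw)) + raw + bytes(20)
```

Everything a loader needs is in the validated `(dtype, shape, begin, end)` tuples, so a single weight can be read by slicing its byte range from the data section.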
Why choose PyTorch Foundation?
We want Safetensors to truly belong to the community. This project has always been open source, but code contributions are only part of its evolution. By involving more companies and contributors in the governance of the project, we ensure that progress reflects the breadth of the community built on it. Joining the PyTorch Foundation means Safetensors has a vendor-neutral home. The project’s trademarks, repositories, and governance are managed by the Linux Foundation rather than by a single company. While Hugging Face’s two core maintainers, Luc and Daniel, remain on the technical steering committee and continue to lead the project on a day-to-day basis, Safetensors is now officially part of the community that depends on it.
We believe that safety is best guaranteed when all contributors can build on what already exists. This principle is now embedded in the project governance itself.
What this means for users and contributors
Nothing changes for the majority of users. The format, API, and Hub integration all stay the same. There are no breaking changes. Models currently saved in Safetensors format will continue to function exactly as they do today.
For contributors, the path to becoming a maintainer is now formally documented and open to anyone in the community. Project governance is documented in the repository in GOVERNANCE.md and MAINTAINERS.md. For organizations building on Safetensors, neutral governance under the Linux Foundation provides a stable, long-term foundation that is entirely community-driven.
What happens next
Although Safetensors is an established project and has been adopted across the ecosystem, we believe we are still in the early stages of the project.
We are working with the PyTorch team to enable Safetensors to be used within the PyTorch core as a serialization system for torch models.
With significant growth expected in the coming months, we can’t think of a better home for that next chapter than the PyTorch Foundation. Future roadmaps include device-aware loading and saving, so tensors can be loaded directly into CUDA, ROCm, and other accelerators without unnecessary CPU staging.
We’re also building first-class APIs for Tensor Parallel and Pipeline Parallel loading, so each rank or pipeline stage loads only the weights it needs. Additionally, as the quantization landscape of the ecosystem continues to evolve, we plan to formalize support for block quantization formats such as FP8, GPTQ and AWQ, and sub-byte integer types.
These are problems that the entire ecosystem has a stake in solving, and being within the PyTorch Foundation means we can work on them in collaboration with other hosted projects, rather than in parallel.
Participate
Safetensors is open source and welcomes contributions at all levels, from bug reports and documentation to new features and participation in governance.
If you are a developer, researcher, or organization building on Safetensors and would like to get more involved in shaping its direction, please open an issue, start a discussion, or contact the maintainer directly. A project always belongs to the community that uses it. This is also reflected in our current governance.

