NYU Shanghai Library > RITS Home > *

Safetensors Joins the PyTorch Foundation as a Vendor-Neutral Standard

April 9, 2026Provided by Utku Ege Tuluk

On April 8, 2026, the PyTorch Foundation announced that Hugging Face’s safetensors — the secure model serialization format used by tens of thousands of AI models — has joined the foundation as an officially hosted project under the Linux Foundation. The move gives safetensors a vendor-neutral home alongside PyTorch, vLLM, DeepSpeed, and Ray.

General Audience

Safetensors joins PyTorch Foundation announcement graphic
Image credit: Hugging Face

Why Safetensors Exists

Safetensors was created to solve a critical security problem: the standard way of saving model weights in Python can execute arbitrary code when a file is loaded. As model sharing exploded through platforms like the Hugging Face Hub, this became a serious vulnerability — anyone downloading and loading a model was potentially running untrusted code.

Safetensors replaces the legacy format with a deliberately simple design: a JSON header (capped at 100MB) followed by raw tensor data. It supports zero-copy loading through direct disk-to-memory mapping and lazy loading of individual weights without full deserialization. No code execution, ever.

What the Move Means

By joining the PyTorch Foundation, safetensors gains:

  • Vendor neutrality — the trademark, repository, and governance now sit with the Linux Foundation rather than any single company
  • Formalized governance — new GOVERNANCE.md and MAINTAINERS.md documents open a clear path for community maintainers
  • Long-term stability — community-driven governance ensures the format won’t be abandoned or changed unilaterally

Hugging Face emphasized that nothing breaks: existing format, APIs, and Hub integration remain identical.

What’s Coming Next

The safetensors roadmap includes several features designed for modern multi-GPU AI infrastructure:

  • Device-aware loading: Load tensors directly to CUDA or ROCm without staging through CPU
  • Parallel loading: First-class APIs for Tensor Parallel and Pipeline Parallel deployments where each rank loads only needed weights
  • Quantization support: FP8, block-quantized formats (GPTQ, AWQ), and sub-byte integer types
  • PyTorch core integration: Working with the PyTorch team to use safetensors as the serialization system in torch itself

Sources

Categories:
AI
Tags:
AI, huggingface, Level: General Audience, open source, PyTorch, security
Footer Logo

Connect with NYU Shanghai

New York University

Equal Opportunity and Non-Discrimination at NYU - New York University is committed to maintaining an environment that encourages and fosters respect for individual values and appropriate conduct among all persons. In all University spaces—physical and digital—programming, activities, and events are carried out in accordance with applicable law as well as University policy, which includes but is not limited to its Non-Discrimination and Anti-Harassment Policy.

沪ICP备15010846号-2beian沪公网安备31011502017015号

© 2025 All rights reserved.Powered by NYU Shanghai RITS