Safetensors Moves to PyTorch Foundation Under Linux Foundation Governance

Safetensors, the file format that most large AI models now use to distribute their weights, is moving out of Hugging Face's direct ownership and into the PyTorch Foundation. As of April 8, the trademark and GitHub repository are held by the Linux Foundation under neutral governance - the same arrangement covering PyTorch, vLLM, DeepSpeed, and Ray.

For anyone running models locally or pulling from the Hugging Face Hub, nothing changes today. The format, APIs, and Hub compatibility are all unchanged. Hugging Face's Lysandre Debut confirmed this in the announcement.

Safetensors was created to fix a specific security problem. The older convention for storing model weights was Python's pickle format (torch.save checkpoints, including the old pytorch_model.bin files, are pickles inside a zip archive), and a pickle is not passive data: it is a small program for the unpickler, and one of its instructions imports and calls an arbitrary callable. Loading a pickled checkpoint from an untrusted source is therefore the same as running code chosen by whoever produced the file. Safetensors stores only a JSON header (tensor names, dtypes, shapes and byte offsets) followed by the raw tensor bytes - the numerical values that define a model's behaviour - and nothing in the file is executable; a loader needs a JSON parser and bounds checks on the offsets, nothing more. That is why it became the default for most major models on the Hub. The caveat is that the format removes code execution at load time, not the rest of the trust problem: a loader still has to validate the header (a hostile one can point offsets outside the buffer or at overlapping regions), and the weights themselves can still carry a backdoor.
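The contrast above, as an added example that is not part of the original article or of the safetensors project's own code: a pickle whose payload calls builtins.eval on a harmless expression, showing that the file chooses what runs at load time, beside a minimal safetensors writer and strict reader written from the published layout (8-byte little-endian header length, JSON header, raw tensor bytes). The function names, the constructed sample weights and the tampering step are assumptions for illustration; the header-size cap mirrors the one in the reference implementation. The reader goes a little beyond the paragraph by rejecting the malformed headers it warns about (offsets outside the buffer, overlapping or gapped regions, trailing bytes) before taking any slice.

```python
import json
import math
import pickle
import struct

# --- pickle: the file chooses what gets called ---------------------------
# One pickle opcode means "import this callable and call it with these
# arguments". The payload uses builtins.eval on a harmless expression so the
# demo is safe to run; a hostile checkpoint would name os.system instead.
class _Payload:
    def __reduce__(self):
        return (eval, ("6 * 7",))   # run by pickle.loads, not by our code

def pickle_load_runs_code():
    return pickle.loads(pickle.dumps(_Payload()))   # -> 42

# --- safetensors: u64 LE header length, JSON header, then raw tensor bytes -
# The header maps name -> {dtype, shape, data_offsets: [start, end]} (offsets
# into the byte buffer) plus an optional "__metadata__" dict. Nothing in the
# file is executable; loading is JSON parsing plus bounds-checked slicing.
DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2,
              "I32": 4, "F32": 4, "I64": 8, "F64": 8}
MAX_HEADER_BYTES = 100_000_000   # the reference implementation uses the same cap

def write_safetensors(tensors, metadata=None):
    """tensors: {name: (dtype, shape, raw little-endian bytes)} -> file bytes."""
    header, buf = {}, bytearray()
    for name in sorted(tensors):
        dtype, shape, raw = tensors[name]
        if len(raw) != math.prod(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: byte length disagrees with dtype*shape")
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [len(buf), len(buf) + len(raw)]}
        buf += raw
    if metadata:
        header["__metadata__"] = dict(metadata)
    hdr = json.dumps(header).encode()
    hdr += b" " * (-len(hdr) % 8)          # pad to 8-byte alignment
    return struct.pack("<Q", len(hdr)) + hdr + bytes(buf)

def read_safetensors(data):
    """Strict parse -> {name: (dtype, shape, raw_bytes)}; ValueError if anything
    is malformed. Offsets are checked before slicing, and the tensors must tile
    the buffer exactly (no gaps, overlaps or trailing bytes)."""
    if len(data) < 8:
        raise ValueError("shorter than the header length field")
    (n,) = struct.unpack("<Q", data[:8])
    if n > MAX_HEADER_BYTES or n > len(data) - 8:
        raise ValueError("header length out of range")
    header = json.loads(data[8:8 + n])
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    body = memoryview(data)[8 + n:]
    entries = []
    for name, info in header.items():
        if not isinstance(info, dict):
            raise ValueError(f"{name}: entry is not an object")
        if name == "__metadata__":      # free-form strings, no bearing on the data
            continue
        dtype, shape, (start, end) = info["dtype"], info["shape"], info["data_offsets"]
        if dtype not in DTYPE_SIZE or any(type(d) is not int or d < 0 for d in shape):
            raise ValueError(f"{name}: bad dtype or shape")
        if not (type(start) is int and type(end) is int and 0 <= start <= end <= len(body)):
            raise ValueError(f"{name}: offsets outside the buffer")
        if end - start != math.prod(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: offsets disagree with dtype*shape")
        entries.append((start, end, name, dtype, tuple(shape)))
    out, cursor = {}, 0
    for start, end, name, dtype, shape in sorted(entries):
        if start != cursor:
            raise ValueError(f"{name}: gap or overlap at offset {start}")
        cursor = end
        out[name] = (dtype, shape, bytes(body[start:end]))
    if cursor != len(body):
        raise ValueError("buffer holds bytes no tensor accounts for")
    return out

def as_f32(raw):
    return struct.unpack(f"<{len(raw) // 4}f", raw)   # LE float32 bytes -> floats

# Constructed sample weights for the demo; not taken from any real model.
SAMPLE = {"weight": ("F32", (2, 2), struct.pack("<4f", 0.5, -1.0, 2.0, 0.25)),
          "bias": ("F32", (2,), struct.pack("<2f", 1.0, -2.0))}

def demo_round_trip():
    return read_safetensors(write_safetensors(SAMPLE, {"format": "pt"}))

def tampered_file_is_rejected():
    # Rewrite the header so 'weight' overlaps 'bias'; return the reader's error.
    blob = write_safetensors(SAMPLE)
    (n,) = struct.unpack("<Q", blob[:8])
    header, body = json.loads(blob[8:8 + n]), blob[8 + n:]
    header["weight"]["data_offsets"] = [4, 20]   # size still fits 2x2 F32; placement does not
    hdr = json.dumps(header).encode()
    try:
        read_safetensors(struct.pack("<Q", len(hdr)) + hdr + body)
    except ValueError as exc:
        return str(exc)
    return None
```

The design point is in read_safetensors: every check (header length against the cap and the file size, dtype against a fixed table, offsets against the buffer, byte count against dtype times shape, and finally that the sorted tensors tile the buffer with no gap, overlap or remainder) runs before a single byte of tensor data is touched, so a hostile header can only produce a ValueError, never an out-of-bounds read or a silently aliased tensor. The pickle half needs no such care because no amount of validation after the fact helps: the call happens inside pickle.loads.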

The governance change matters less for day-to-day use and more for organizations building tooling on top of it. No single company controls the spec now. No one can quietly change the format, add licensing terms, or deprecate it to push a replacement. For hardware vendors and inference framework developers making long-term investments in this format, that's a meaningful assurance - the same kind of stability guarantee that comes with PyTorch itself.

Safetensors has reached near-universal adoption for model distribution on the Hub. Transferring governance now, when the format is already the standard rather than still competing for adoption, means the transition carries almost no friction for current users and considerable long-term benefit for everyone building on it.