Three years ago, loading an AI model usually meant downloading a Python pickle file, and unpickling executes whatever code the file's author chose to embed, so you were trusting that whoever uploaded it had not done so. Safetensors was built to fix that - a file holds a JSON header describing each tensor plus the raw numerical weights, nothing executable, so loading it is parsing rather than code execution - and it is now moving from Hugging Face's ownership to neutral governance under the PyTorch Foundation.
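To make "nothing executable" concrete, here is an added example (not code from the page, from Hugging Face, or from the safetensors project) of a minimal pure-Python writer and parser for the safetensors layout: an 8-byte little-endian header length, a JSON header mapping tensor names to dtype, shape and data_offsets, then one contiguous byte buffer. The parser's only decoding step is json.loads, and every offset is checked against the dtype, the shape and the file size before a single byte is sliced. The dtype table is a common subset, the sample tensors are constructed inline, and the 100 MB header cap mirrors the bound I understand the reference Rust implementation to enforce; treat that figure as this example's assumption.

```python
import json
import struct

# Byte width of the dtype codes a safetensors header may carry (common subset; assumption of this example).
DTYPE_SIZE = {
    "BOOL": 1, "U8": 1, "I8": 1,
    "F16": 2, "BF16": 2, "I16": 2, "U16": 2,
    "F32": 4, "I32": 4, "U32": 4,
    "F64": 8, "I64": 8, "U64": 8,
}
# Header size cap, mirroring the reference implementation's limit (assumed value).
MAX_HEADER_SIZE = 100_000_000

# Constructed sample input: a 2x2 float32 weight and a 3-element int8 bias.
SAMPLE = {
    "w": ("F32", [2, 2], struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
    "b": ("I8", [3], b"\x01\x02\x03"),
}


def _is_nonneg_int(x):
    return isinstance(x, int) and not isinstance(x, bool) and x >= 0


def _numel(shape):
    if not isinstance(shape, list) or not all(_is_nonneg_int(d) for d in shape):
        raise ValueError(f"bad shape {shape!r}")
    n = 1
    for d in shape:
        n *= d
    return n


def write_safetensors(tensors, metadata=None):
    """tensors: {name: (dtype, shape, raw_little_endian_bytes)} -> file bytes."""
    header, buf = {}, bytearray()
    for name, (dtype, shape, raw) in tensors.items():
        if len(raw) != _numel(shape) * DTYPE_SIZE[dtype]:
            raise ValueError(f"{name}: byte length does not match dtype and shape")
        begin = len(buf)
        buf += raw
        header[name] = {"dtype": dtype, "shape": list(shape), "data_offsets": [begin, len(buf)]}
    if metadata is not None:
        header["__metadata__"] = dict(metadata)
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)  # pad with spaces to an 8-byte boundary, as the reference writer does
    return struct.pack("<Q", len(hdr)) + hdr + bytes(buf)


def read_safetensors(blob):
    """Parse and validate a safetensors blob without trusting any field in it.

    Returns (metadata, {name: (dtype, shape, memoryview_of_raw_bytes)}).
    json.loads only ever builds dicts, lists, strings and numbers; the rest is
    bounds-checked slicing, so no attacker-chosen code can run here.
    """
    if len(blob) < 8:
        raise ValueError("truncated: missing header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_SIZE or 8 + n > len(blob):
        raise ValueError("header length out of bounds")
    header = json.loads(bytes(blob[8:8 + n]).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    metadata = header.pop("__metadata__", None)
    if metadata is not None and not (isinstance(metadata, dict) and all(
            isinstance(k, str) and isinstance(v, str) for k, v in metadata.items())):
        raise ValueError("__metadata__ must map strings to strings")
    # First pass: every entry must have the expected fields and types before we index into them.
    for name, info in header.items():
        if not (isinstance(info, dict) and info.get("dtype") in DTYPE_SIZE
                and isinstance(info.get("data_offsets"), list) and len(info["data_offsets"]) == 2
                and all(_is_nonneg_int(o) for o in info["data_offsets"])):
            raise ValueError(f"{name}: malformed tensor entry")
    data = memoryview(blob)[8 + n:]
    tensors, expected = {}, 0
    # Second pass: tensors must tile the buffer exactly (ascending, contiguous, no overlap, no trailing bytes).
    for name, info in sorted(header.items(), key=lambda kv: kv[1]["data_offsets"][0]):
        begin, end = info["data_offsets"]
        nbytes = _numel(info["shape"]) * DTYPE_SIZE[info["dtype"]]
        if begin != expected or end - begin != nbytes or end > len(data):
            raise ValueError(f"{name}: data_offsets {begin}:{end} inconsistent with dtype, shape or file size")
        tensors[name] = (info["dtype"], tuple(info["shape"]), data[begin:end])
        expected = end
    if expected != len(data):
        raise ValueError("buffer has bytes not covered by any tensor")
    return metadata, tensors


def forge_out_of_bounds(blob):
    """Constructed tampering: rewrite the header so one tensor claims bytes past the end of the buffer."""
    (n,) = struct.unpack("<Q", blob[:8])
    header = json.loads(bytes(blob[8:8 + n]))
    name = next(k for k in header if k != "__metadata__")
    header[name]["data_offsets"][1] += 1024
    hdr = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + blob[8 + n:]


def is_rejected(blob):
    """True if the parser refuses the blob, False if it parses cleanly."""
    try:
        read_safetensors(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    blob = write_safetensors(SAMPLE, {"format": "pt"})
    meta, tensors = read_safetensors(blob)
    print(meta, {k: (d, s, bytes(m).hex()) for k, (d, s, m) in tensors.items()})
    print("tampered offsets rejected:", is_rejected(forge_out_of_bounds(blob)))
    print("truncated file rejected:", is_rejected(blob[:20]))
```

The design point is that a safetensors loader has no step where the file decides what runs: a corrupted or hostile header can only fail validation, whereas a pickle loader hands control to the file's own opcodes before any check can happen.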
The mechanics: the trademark and GitHub repository transferred to the Linux Foundation on April 8, placing Safetensors alongside PyTorch, vLLM, DeepSpeed, and Ray under the same governance umbrella. For users running local inference, nothing changes: same file format, same APIs, same compatibility with the Hugging Face Hub. Hugging Face's Lysandre Debut, announcing the move, was explicit about this.
What changes is long-term trust. Under Hugging Face's ownership, a business decision, acquisition, or shift in strategy could push the format in a direction that suits one company's interests. Under neutral foundation governance, changes go through an open process with community input. Organizations building storage systems, inference servers, or deployment tooling on top of Safetensors now have the kind of foundational stability they'd expect from PyTorch itself.
Safetensors has become near-universal for model distribution on the Hub - most models above a few hundred million parameters now default to it. Transferring governance now, when the format is already embedded deep in the toolchain rather than still fighting for adoption, carries almost no downside risk and a clear upside for anyone whose work depends on format stability.