SafetensorsがPyTorch Foundationに参加 Safetensors is Joining the PyTorch Foundation

Hugging Face has announced that Safetensors, its widely adopted tensor serialization format, is joining the PyTorch Foundation as a hosted project. The move places one of the most ubiquitous file formats in modern machine learning under open, vendor-neutral governance.

Safetensors was originally created to address a long-standing security concern with PyTorch's default serialization. The traditional .pt and .bin files rely on Python's pickle module, which can execute arbitrary code during deserialization — a real risk when downloading model weights from the internet. Safetensors replaces this with a minimal format consisting of a JSON header describing tensor shapes, dtypes and offsets, followed by a contiguous block of raw tensor bytes. Loading is purely a parse-and-mmap operation, with no code execution path.

Beyond safety, the format delivers tangible performance benefits. Zero-copy memory mapping means very large models can be loaded almost instantly, with pages faulted in on demand. This is particularly valuable in the era of multi-hundred-billion-parameter LLMs, where startup time and memory pressure matter operationally. These properties are a significant reason Safetensors became the default distribution format on the Hugging Face Hub, used by Llama, Mistral, Qwen, Stable Diffusion and countless fine-tunes.

The broader ecosystem has followed suit. Transformers, Diffusers, vLLM, TGI, llama.cpp tooling, ComfyUI and many others read or write Safetensors natively. In practice, if you download an open-weights model today, there is a good chance it ships in this format.

The PyTorch Foundation, operating under the Linux Foundation umbrella, has recently been broadening its scope beyond the core PyTorch framework to host adjacent infrastructure projects such as vLLM and DeepSpeed. Bringing Safetensors into this structure formalizes its status as shared infrastructure rather than a single-company project. Hugging Face is expected to remain a primary maintainer, but distributed governance should make it easier for contributors from other frameworks — JAX, MLX, candle, or hardware-vendor stacks — to participate in spec evolution and tooling.

It is worth noting how Safetensors fits alongside other formats. GGUF, popularized by llama.cpp, focuses on quantized inference with embedded metadata and tokenizer information, optimized for CPU and edge deployment. Safetensors, by contrast, remains the dominant container for full-precision and training-ready weights, where preserving exact dtypes and clean tensor layouts matters more than packaging an entire runnable model. The two are likely to continue coexisting, serving different points in the lifecycle.

The contribution also reflects a wider trend in open-source AI infrastructure: foundational components — model formats, inference engines, training libraries — are increasingly migrating to neutral foundations to encourage cross-vendor collaboration and long-term stability. For practitioners, the practical impact is mostly invisible in the short term: APIs and file compatibility will not change. Over a longer horizon, however, foundation stewardship may translate into a more formal specification, clearer versioning policies, and broader native support across runtimes and hardware backends, which would benefit the entire community building on open weights.