AI • Security

Safetensors Joins the PyTorch Foundation: A Safer Way to Load AI Models

TBB Desk

12 hours ago · 9 min read

The Safetensors format is now part of the PyTorch Foundation, promoting secure and efficient loading of AI models. (Illustrative AI-generated image).

Key Takeaways

The main points at a glance

  • Safetensors, a secure format for AI models, has become a contributed project of the PyTorch Foundation, enhancing its neutrality and community governance.
  • The move addresses the critical security flaw in the widely used pickle format, which can execute hidden, potentially malicious code when models are loaded.
  • Safetensors stores only model data (weights and biases), preventing arbitrary code execution and offering a safer alternative for loading AI models.
  • The format is not only secure but also faster than pickle, which is beneficial for handling large AI models.
  • This integration is part of a larger effort by the PyTorch Foundation to build a comprehensive AI stack, including edge deployment (ExecuTorch) and large-scale computing (Helion).
  • For developers and enterprises, Safetensors offers increased trust, transparent governance, and easier integration, reducing supply chain risks and improving compliance.

Loading AI Models Can Run Hidden Code

When you download an AI model from platforms like Hugging Face or GitHub, you might think loading it into your code is straightforward. However, these model files can sometimes contain hidden instructions.

When loaded, your computer could execute these instructions without your knowledge. This could lead to data theft, file deletion, or even virus installation. This vulnerability stems from the traditional methods used for saving and loading AI models.

This is a significant security risk that has long concerned AI developers. The Safetensors project aims to address this by providing a secure way to load AI models. Recently, the PyTorch Foundation announced that Safetensors is joining as a contributed project, marking a crucial step towards enhancing AI safety.

The Danger of Pickle: An Unsafe AI Model Format

To understand the importance of Safetensors, it’s essential to grasp the problem it solves. For years, the standard method for saving AI models in Python was the pickle format.

Pickle is Python's built-in serialization module: it writes objects out to a file and rebuilds them when the file is read back. While flexible and easy to use, it is inherently unsafe. Pickle doesn't just store data; it stores instructions for reconstructing the object, and those instructions can invoke arbitrary Python code.

When you load a pickle file, Python executes any code embedded within it without any safety checks or sandboxing. This means you cannot verify the file’s safety before loading, making it akin to opening a potentially dangerous package.

Security experts have long warned about the risks of loading pickle files from untrusted sources, comparing it to handing a stranger access to your computer. Despite these warnings, pickle remained the default because of its convenience and the lack of a widely adopted, safer alternative.

Malicious actors have exploited this vulnerability by distributing harmful pickle files disguised as AI models. Loading such a file could grant attackers control over a user’s machine. For organizations running models in cloud environments or on servers, a single compromised pickle file could lead to a system-wide breach.

As AI models gained popularity and sharing became more common, the security risks escalated. The AI community urgently needed a secure alternative to pickle.

Introducing Safetensors: A Secure and Fast Alternative

Safetensors is a file format specifically designed for the secure storage of AI model weights and biases. Developed by Hugging Face, it was created to replace the insecure pickle format.

The core principle of Safetensors is simple: it stores only the raw numerical data of the model’s parameters. It does not contain any executable code. When you load a Safetensors file, the system reads the data without executing any instructions, preventing hidden code from running.

This is Safetensors’ primary advantage. Unlike pickle, where safety can only be confirmed after loading, Safetensors guarantees that loading the file will not execute any unintended code. The file contains only numerical data, which poses no threat to your system.

Beyond safety, Safetensors also offers speed benefits. Its simple, flat format allows for faster loading times compared to pickle, which is particularly advantageous when working with large AI models containing billions of parameters.
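As an added illustration (not code from the article, Hugging Face or the PyTorch Foundation), here is a minimal Python writer and loader for the safetensors layout described above: an 8-byte little-endian header length, a JSON header giving each tensor's dtype, shape and data_offsets, then the raw data buffer. The loader uses only json.loads and byte slicing, bounds-checks every offset against the declared dtype and shape, and refuses a file that starts like a pickle stream; the dtype table is a subset of the spec and the sample weights are constructed for the demo.

```python
import json
import math
import struct

# Byte width per safetensors dtype string (a subset of the spec, enough for the demo).
DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2,
              "I64": 8, "I32": 4, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER = 100_000_000  # the reference implementation refuses headers above 100 MB
PICKLE_PROTO = b"\x80"    # first byte of a pickle stream at protocol 2 or later

def write_safetensors(tensors):
    """{name: (dtype, shape, raw_bytes)} -> bytes laid out as u64 header length, JSON header, data."""
    header, buf = {}, bytearray()
    for name, (dtype, shape, data) in tensors.items():
        begin = len(buf)
        buf += data
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [begin, len(buf)]}
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + bytes(buf)

def load_safetensors(blob):
    """Parse safetensors bytes into {name: (dtype, shape, raw_bytes)}. Only json.loads and
    slicing are involved: nothing is executed, and every offset is bounds-checked first."""
    if blob[:1] == PICKLE_PROTO:
        raise ValueError("pickle stream, not safetensors: refusing to load")
    if len(blob) < 8:
        raise ValueError("truncated file: missing header length")
    n = struct.unpack("<Q", blob[:8])[0]
    if n > MAX_HEADER or 8 + n > len(blob):
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    buf, out = blob[8 + n:], {}
    for name, info in header.items():
        if name == "__metadata__":  # optional string-to-string metadata, carries no data
            continue
        dtype, shape = info["dtype"], info["shape"]
        begin, end = info["data_offsets"]
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unsupported dtype {dtype!r}")
        expected = DTYPE_SIZE[dtype] * math.prod(shape)  # byte count the header implies
        if not (0 <= begin <= end <= len(buf)) or end - begin != expected:
            raise ValueError(f"{name}: data_offsets disagree with dtype/shape")
        out[name] = (dtype, shape, buf[begin:end])
    return out

# Constructed sample weights for the demo (not taken from any real model).
SAMPLE = {"w": ("F32", [2, 2], struct.pack("<4f", 0.5, -1.0, 2.0, 4.0)),
          "b": ("I64", [2], struct.pack("<2q", 7, -3))}

def load_error(blob):  # message of the ValueError a blob triggers, or None if it loads
    try:
        load_safetensors(blob)
    except ValueError as e:
        return str(e)
```

A real loader would also reject overlapping or out-of-order data_offsets; the checks here are the minimum that keeps a hostile header from reading outside the buffer.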

Safetensors has become the default format in Hugging Face’s popular Transformers library and is used by thousands of models on the Hugging Face Hub. It is already integrated into major frameworks like PyTorch.

Compared to other formats like ONNX or TensorFlow SavedModel, Safetensors has a more focused purpose. While ONNX is for model interchange and TensorFlow SavedModel is a comprehensive TensorFlow format, Safetensors concentrates solely on securely storing tensor data, making it a lightweight and easily adoptable solution.

Safetensors Joins the PyTorch Foundation: Enhanced Trust and Governance

Previously a project of Hugging Face, Safetensors is now a contributed project of the PyTorch Foundation. The PyTorch Foundation, part of the Linux Foundation, provides neutral governance for the PyTorch ecosystem, ensuring that no single company dictates its direction.

This move to the PyTorch Foundation is significant for several reasons:

  • Vendor Neutrality: Safetensors gains a home independent of any single company. This fosters greater trust among developers and organizations, encouraging wider adoption of the format.
  • Ecosystem Integration: As a first-class citizen within the PyTorch ecosystem, Safetensors will benefit from coordinated development, resources, and long-term stability.
  • Community-Driven Development: The project transitions to a community model, allowing broader participation in its steering and evolution, moving away from a single-company control.

Hugging Face will continue to be a key contributor, but the project’s governance will now be community-led, promoting healthier open-source development.

A Comprehensive AI Stack: Safetensors, ExecuTorch, and Helion

The integration of Safetensors is part of a broader expansion of the PyTorch Foundation’s AI stack, which also includes ExecuTorch and Helion.

  • ExecuTorch: A runtime for deploying AI models directly on edge devices like smartphones and embedded systems, enhancing privacy and enabling offline use.
  • Helion: A high-performance computing platform designed for efficient execution of large-scale AI workloads in data centers and supercomputers.

Together, these three projects create a comprehensive AI pipeline: Safetensors ensures secure model loading, ExecuTorch enables efficient edge deployment, and Helion handles large-scale cloud computations. This holistic approach embeds security from the outset of the AI lifecycle.

Benefits for Developers and Enterprises

The move of Safetensors to the PyTorch Foundation offers practical advantages for both individual developers and large enterprises.

  • Increased Trust and Security: Developers can be more confident in the safety of models loaded using Safetensors, reducing the risk of supply chain attacks.
  • Transparent Governance: Open development under the PyTorch Foundation ensures transparency in decision-making, allowing community input on future features and security patches.
  • Simplified Integration: Enhanced support and tighter integration within the PyTorch ecosystem make adopting Safetensors easier for developers.

For enterprises, Safetensors provides a secure and auditable method for loading AI models, crucial for core business functions and compliance in regulated industries. The neutral governance of the PyTorch Foundation adds another layer of trust and accountability.

The adoption of Safetensors has been growing, and its integration into the PyTorch Foundation is expected to accelerate this trend, particularly among enterprise users seeking robust security and governance.

The Future of Safetensors

As part of the PyTorch Foundation, Safetensors enters a new phase focused on stability, community-driven feature development, and broader education.

The immediate priority is ensuring the format remains stable and backward-compatible. Future development will be guided by community proposals, potentially including enhanced compression, faster loading speeds, and support for specialized hardware.

The PyTorch Foundation will also play a role in educating developers about the risks of pickle and the benefits of Safetensors, aiming to make secure model loading the industry standard, much like the transition from HTTP to HTTPS for web security.

The move to the foundation signifies a collective commitment to AI security. With the backing of the PyTorch Foundation and the development of complementary tools like ExecuTorch and Helion, Safetensors is well-positioned to become the universal standard for securely loading AI models.

This evolution is a positive step for anyone involved in building or using AI, paving the way for a safer and more secure AI ecosystem.

Frequently Asked Questions

What is Safetensors and why is it important?

Safetensors is a file format designed to securely store AI model weights and biases. It's important because it prevents the execution of hidden or malicious code, unlike the older pickle format, thus enhancing the security of AI model loading.

What was the security problem with the pickle format?

The pickle format in Python can serialize arbitrary Python objects, including executable code. When a pickle file is loaded, this code can run without any safety checks, posing a significant security risk like data theft or system compromise.

How does Safetensors solve the security problem?

Safetensors only stores the raw numerical data of the model's parameters. It does not include any executable code, meaning that when a Safetensors file is loaded, only data is read, and no unintended code can be run.

Why did Safetensors join the PyTorch Foundation?

Joining the PyTorch Foundation provides Safetensors with neutral governance, ensuring it's not controlled by a single company. This fosters broader community trust, encourages wider adoption, and integrates it more deeply into the PyTorch ecosystem.

What are the benefits of Safetensors for developers and enterprises?

Developers gain increased trust in model integrity and benefit from transparent, community-driven development. Enterprises gain a secure, auditable method for model loading, crucial for compliance and reducing supply chain risks.

What other projects are joining the PyTorch Foundation alongside Safetensors?

Alongside Safetensors, the PyTorch Foundation is also embracing ExecuTorch for edge AI deployment and Helion for high-performance computing, creating a more complete AI stack.

Do I need to convert my existing Safetensors models?

No, you do not need to convert existing Safetensors models. The move to the PyTorch Foundation is about governance and long-term support. Existing models will continue to work, and the format remains backward-compatible.

