supply-chain

SafeTensors did not survive fuzzing by luck. It survived because the format puts validation before allocation, keeps code out of the file, and treats model loading as an input-parsing problem.

Post-quantum signatures are entering supply-chain infrastructure. Any ML artifact signing profile that adopts ML-DSA should get one deployment detail right before it ships: randomized mode opens a 256-bit hidden command channel that no deployed verifier can inspect.

An ML attack is the composition of three things: a channel that carries information, a decoder that reads the channel, and a substrate that runs the decoder. Naming the shape changes how you think about both offense and defense.