Secure AI General Public License
SPDX: SAIL‑GPL‑1.0 (proposed)
The Open Reality Initiative

Copyleft for AI models —
with security that can't be stripped.

A copyleft license for AI model artifacts in which cybersecurity is a condition of the grant: signed provenance, an AI Bill of Materials, a red‑team attestation, and a vulnerability‑disclosure contact must ship with every release — and travel with every fine‑tune.

"You may own the weights. You may not ship them unverifiable."

Why SAIL‑GPL

Open weights that no one can verify are not open. They are forgeable.

An AI model is a claim about how it was made. Yet most model licenses say nothing about whether that claim can be checked. The supply chain became the attack surface — and the license layer never caught up.

01 · TAMPER

Poisoned & swapped

Poisoned packages, malicious LoRA adapters and tampered model sources ride into deployments unnoticed: nothing in the artifact itself states what its files should hash to, so a swapped checkpoint looks exactly like the original.

02 · NO PROVENANCE

Weights without origin

Model cards offer no guarantee of origin. Once a model is fine‑tuned, merged and re‑hosted a few times, its lineage — and its trust — collapses.

03 · VOLUNTARY ONLY

Good tools, no obligation

OMS signing, Sigstore transparency, CoSAI and SAIF are excellent — but optional. Nothing makes secure release the default at the licensing layer.

THE GAP

Ethics ≠ security

OpenRAIL propagates ethical‑use restrictions downstream. OpenMDW & Apache‑2.0 grant permissive freedom. Neither makes integrity, provenance and security a copyleft obligation.

THE FIX

Security as copyleft

SAIL‑GPL takes RAIL's proven propagation mechanism and points it at cybersecurity: what rides the model, rides every derivative. Strip the security, lose the license.

Principles

Five principles of SAIL‑GPL

01

Verifiable Origin

A model that cannot be cryptographically traced to its maker is untrusted by default. Unsigned is unsafe.

02

Inseparable Security

Security obligations are entangled with the weights. Fine‑tuning, quantizing, merging or re‑hosting cannot remove them — only renew them.

03

Independence from Infrastructure

You may own the GPUs, the cluster, the serving stack. You do not own an exemption. The duty attaches to the artifact, wherever it runs.

04

Transparency of Risk

Capability without disclosed limits is a liability. Known weaknesses, evaluations and intended‑use boundaries travel with the model.

05

Coordinated Resilience

Integrity must outlive one release: revisions are re‑signed, algorithms stay agile and post‑quantum‑ready, and vulnerabilities are disclosed, not buried.

Compare

Where SAIL‑GPL sits

All are licenses for model artifacts. They enforce different things. SAIL‑GPL is the only one that makes release‑time security a share‑alike obligation.

Property | Apache‑2.0 / OpenMDW | OpenRAIL | Llama‑style | SAIL‑GPL v1.0
Primary subject | Model/weights as data | AI artifact | Model/weights | AI Model Artifact
Weights‑as‑data / database rights | Yes (OpenMDW) | Partial | Partial | Yes
Copyleft / share‑alike | No | Behavioral copyleft | No | Yes (security copyleft)
Mandatory signing & provenance | No | No | No | Yes (OMS, §7.1)
AIBOM required | No | No | No | Yes (§7.2)
Adversarial / red‑team attestation | No | No | No | Yes, tiered (§7.4)
Coordinated vuln disclosure | No | No | No | Yes (§7.6)
Crypto‑agility / post‑quantum‑ready | No | No | No | Required agility, PQ for T3 (§7.5)
Ethical‑use restrictions | No | Yes | Acceptable‑use | Optional annex (§9.3)
Patent grant and retaliation | Yes | Varies | Limited | Yes (§10)

SAIL‑GPL complements existing licenses rather than replacing them: keep your training and inference source code under Apache‑2.0 or GPL, and release the model artifact that code produces under SAIL‑GPL.

Section 7 · the core

Secure‑Release Metadata

Every distribution must ship a complete, verifiable SRM bundle. A release without it is a license violation (curable within 30 days). Obligations scale with capability tier.

§7.1

Signed provenance

An OpenSSF Model Signing (OMS) signature over a manifest that hashes every shipped file — weights, config, tokenizer, code. Keyless (Sigstore), PKI, or hybrid.

§7.2

AI Bill of Materials

Machine‑readable AIBOM: base model, datasets or data‑provenance statement, adapters, dependencies, pipeline. SPDX 3.0 AI / CycloneDX‑ML.

§7.3

Model card and risk

Intended use, out‑of‑scope use, known failure modes, security‑relevant evals — aligned to the NIST AI RMF.

§7.4

Adversarial attestation

Signed test results vs. OWASP LLM Top 10, MITRE ATLAS and the CoSAI Risk Map: prompt injection, data extraction, poisoning.

§7.5

Crypto‑agility

Declared algorithms, re‑signing on revision, and post‑quantum / hybrid signatures (ML‑DSA, FIPS 204) for long‑lived & frontier models.

§7.6

Coordinated disclosure

A published security contact and CVD policy (SECURITY.md) that propagates to every derivative.

§7.7

Open verification

The format and tooling to verify compliance must be open and re‑implementable — no single‑vendor, fee‑bearing checks.

§7.8

Re‑attest on derivation

Fine‑tune, merge or quantize, then re‑sign, update the AIBOM, refresh the card, and attest new risks. Security is renewed, never discharged.
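The manifest-and-verify flow behind §7.1 and §7.7, and the re-sign step of §7.8, as an added illustration that is not the sail reference CLI or the OMS format: the manifest layout (a hash algorithm field plus a path-to-SHA-256 map) is an assumption, and signing is delegated to a pluggable signer, here an HMAC-SHA256 stand-in so the block runs with the standard library alone. A real release signs the same canonical bytes with Ed25519, ECDSA or ML-DSA; the point the block shows is that the signature covers a deterministic encoding, that verification checks completeness (missing and unlisted files) and not just hash matches, and that a swapped file, a smuggled adapter and a forged manifest each fail for a different reason.

```python
"""Manifest build/sign/verify over a model directory (added example; HMAC stands in for a real signer)."""
import copy
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def canonical_json(obj) -> bytes:
    # Deterministic encoding: sorted keys, no whitespace, ASCII only (a simple canonical form, assumed here).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path, exclude=("srm",)) -> dict:
    # Hash every regular file except the srm/ bundle itself; paths are POSIX-relative and sorted.
    files = {}
    for p in sorted(model_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(model_dir)
        if rel.parts[0] in exclude:
            continue
        files[rel.as_posix()] = sha256_file(p)
    return {"hash_alg": "sha256", "files": files}


def sign_manifest(manifest: dict, key: bytes) -> str:
    # The signature covers the canonical bytes, so any faithful re-serialisation verifies identically.
    # HMAC is a symmetric placeholder; swap in Ed25519/ECDSA/ML-DSA for a real release.
    return hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()


def verify(model_dir: Path, manifest: dict, sig: str, key: bytes) -> list:
    """Return findings; an empty list means the tree matches the signed manifest exactly."""
    findings = []
    if not hmac.compare_digest(sign_manifest(manifest, key), sig):
        findings.append("signature: manifest bytes do not match signature")
    current = build_manifest(model_dir)["files"]
    expected = manifest["files"]
    for path in sorted(set(expected) - set(current)):
        findings.append(f"missing: {path}")
    for path in sorted(set(current) - set(expected)):
        findings.append(f"unlisted: {path}")  # completeness: every shipped file must be covered
    for path in sorted(set(current) & set(expected)):
        if current[path] != expected[path]:
            findings.append(f"modified: {path}")
    return findings


def demo() -> dict:
    key = b"demo-hmac-key"  # constructed; stands in for the signer's private key
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "config.json").write_text('{"hidden_size": 16}')          # constructed config
        (d / "model.safetensors").write_bytes(b"\x00" * 64)             # constructed dummy weights
        (d / "srm").mkdir()
        manifest = build_manifest(d)
        sig = sign_manifest(manifest, key)
        (d / "srm" / "manifest.json").write_bytes(canonical_json(manifest))
        (d / "srm" / "model.sig").write_text(sig)
        clean = verify(d, manifest, sig, key)
        # Tamper 1: swap the weights for a same-size blob -> hash mismatch.
        (d / "model.safetensors").write_bytes(b"\x01" * 64)
        swapped = verify(d, manifest, sig, key)
        # Tamper 2: slip in an adapter the manifest never listed -> completeness failure.
        (d / "adapter.safetensors").write_bytes(b"lora")
        unlisted = verify(d, manifest, sig, key)
        # Tamper 3: edit the manifest to bless the new hash -> signature no longer matches.
        forged = copy.deepcopy(manifest)
        forged["files"]["model.safetensors"] = sha256_file(d / "model.safetensors")
        forged_result = verify(d, forged, sig, key)
        # §7.8: after a legitimate derivation, rebuild and re-sign; the tree verifies again.
        manifest2 = build_manifest(d)
        renewed = verify(d, manifest2, sign_manifest(manifest2, key), key)
    return {"clean": clean, "swapped": swapped, "unlisted": unlisted,
            "forged": forged_result, "renewed": renewed}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The forged case is the one to note: re-hashing a tampered file and patching the manifest gets past a hash-only checker, which is why the signature must bind the canonical manifest bytes and why verification must compare against the signed copy, not a manifest lying next to the weights.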

Obligations scale with risk

T0
Research / not conveyed

Internal only — nothing triggered. Distribution moves you to at least T1.

T1
Open release, low capability

Signing, AIBOM, model card, CVD, open verification. Lightweight self‑attestation.

T2
General‑purpose / product‑embedded

All of §7, with the full minimum adversarial test set. Hybrid post‑quantum signing recommended.

T3
Frontier / high‑risk (EU AI Act Annex III‑type)

Strongest setting, with an independent red‑team. PQ/hybrid signatures and transparency‑log inclusion required.
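How a tier-aware checker can turn the T1/T2/T3 table above into the per-check PASS/FAIL report and verdict the page later describes for sail verify, as an added example that is not the sail CLI's own code: the bundle is modelled as constructed in-memory dicts, and the field names and the per-tier rule table (T1 accepts a self-attestation; T2 needs the minimum test set of prompt injection, data extraction and poisoning; T3 additionally needs an independent red-team, a PQ or hybrid signature algorithm and a transparency-log entry) are assumptions drawn from the tier descriptions.

```python
"""Tiered SRM policy evaluation producing a PASS/FAIL report (added example; schema and rules assumed)."""
import copy
from dataclasses import dataclass

PQ_ALGS = {"ML-DSA-65", "ML-DSA-87"}                          # FIPS 204 parameter sets
HYBRID_ALGS = {"ECDSA-P256+ML-DSA-65", "Ed25519+ML-DSA-65"}    # assumed hybrid identifiers
MIN_TESTS = {"prompt_injection", "data_extraction", "poisoning"}  # the three §7.4 names explicitly


@dataclass
class Check:
    name: str
    passed: bool
    detail: str = ""


def _sig_ok(alg: str, tier: str):
    if tier == "T3":
        return alg in PQ_ALGS | HYBRID_ALGS, f"{alg or '<none>'} (T3 requires PQ or hybrid)"
    return bool(alg), alg or "<none>"   # T1/T2: any declared algorithm; hybrid is only recommended at T2


def evaluate(bundle: dict, tier: str) -> list:
    checks = []
    files = bundle.get("manifest", {}).get("files", {})
    checks.append(Check("manifest.present", bool(files), f"{len(files)} files"))
    sig = bundle.get("signature", {})
    checks.append(Check("signature.algorithm", *_sig_ok(sig.get("alg", ""), tier)))
    aibom = bundle.get("aibom", {})
    checks.append(Check("aibom.base_model", bool(aibom.get("base_model")), aibom.get("base_model", "")))
    checks.append(Check("aibom.data_provenance",
                        bool(aibom.get("datasets") or aibom.get("data_provenance_statement"))))
    card = bundle.get("model_card", {})
    checks.append(Check("card.intended_and_out_of_scope",
                        bool(card.get("intended_use") and card.get("out_of_scope"))))
    att = bundle.get("attestation", {})
    covered = set(att.get("tests", {}))
    if tier == "T1":
        checks.append(Check("attestation.present", att.get("kind") in ("self", "independent"), att.get("kind", "")))
    else:
        checks.append(Check("attestation.min_set", MIN_TESTS <= covered, f"missing {sorted(MIN_TESTS - covered)}"))
    if tier == "T3":
        checks.append(Check("attestation.independent", att.get("kind") == "independent", att.get("kind", "")))
        checks.append(Check("transparency.log", bool(sig.get("log_entry"))))
    cvd = bundle.get("security_md", "")
    checks.append(Check("cvd.contact", "@" in cvd and "disclos" in cvd.lower()))
    return checks


def report(bundle: dict, tier: str):
    """Return (verdict, report_lines) in the PASS/FAIL shape a CI gate can print."""
    checks = evaluate(bundle, tier)
    lines = [f"[{'PASS' if c.passed else 'FAIL'}] {c.name} {c.detail}".rstrip() for c in checks]
    return ("COMPLIANT" if all(c.passed for c in checks) else "NON-COMPLIANT"), lines


def exit_code(verdict: str) -> int:
    return 0 if verdict == "COMPLIANT" else 1


# Constructed sample bundle: well-formed for T1 and T2, not yet for T3.
SAMPLE = {
    "manifest": {"hash_alg": "sha256", "files": {"model.safetensors": "ab" * 32, "config.json": "cd" * 32}},
    "signature": {"alg": "Ed25519"},
    "aibom": {"base_model": "example-base-7b", "datasets": ["example-corpus-v1"]},
    "model_card": {"intended_use": "chat assistant", "out_of_scope": "medical advice"},
    "attestation": {"kind": "self", "tests": {"prompt_injection": "pass", "data_extraction": "pass", "poisoning": "pass"}},
    "security_md": "Report vulnerabilities to security@example.org. We follow coordinated disclosure.",
}


def promote_to_t3(bundle: dict) -> dict:
    # What a T3 release would have to add: hybrid signature, log inclusion, independent red-team.
    b = copy.deepcopy(bundle)
    b["signature"] = {"alg": "Ed25519+ML-DSA-65", "log_entry": "log-index-12345"}  # constructed
    b["attestation"]["kind"] = "independent"
    return b


def drop_test(bundle: dict, test_name: str) -> dict:
    b = copy.deepcopy(bundle)
    b["attestation"]["tests"].pop(test_name, None)
    return b


if __name__ == "__main__":
    import sys
    for tier in ("T1", "T2", "T3"):
        verdict, lines = report(SAMPLE, tier)
        print(f"{tier}: {verdict}\n  " + "\n  ".join(lines))
    sys.exit(exit_code(report(SAMPLE, "T2")[0]))
```

Run stand-alone it prints three reports: the same bundle is COMPLIANT at T1 and T2 and NON-COMPLIANT at T3 on the signature algorithm, the missing independent attestation and the missing log entry, which is the "obligations scale with risk" rule made mechanical.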

Apply

Use SAIL‑GPL on your model

Attach the notice, ship the srm/ bundle, and verify with the reference CLI.

1 · The notice

AI MODEL ARTIFACT NOTICE
This Model Artifact is released under the Secure AI General
Public License (SAIL-GPL) v1.0 — Assured-Integrity Edition.

You may use, study, modify, and distribute this Model under
the terms of SAIL-GPL v1.0. Any distribution of this Model or
a Derivative Model MUST ship complete Secure-Release Metadata
(Section 7): signed manifest, AIBOM, model card, security
attestation, and a coordinated-vulnerability-disclosure contact.

Secure-Release Metadata for this distribution is provided in /srm.
SPDX-License-Identifier: SAIL-GPL-1.0
Security contact: security@your-domain.example

2 · The bundle

model/
├─ model.safetensors
├─ config.json
├─ tokenizer.json
├─ MODEL_CARD.md
└─ srm/
   ├─ manifest.json               # hashes of all model files (OMS)
   ├─ model.sig                   # detached signature (ML-DSA / ECDSA / hybrid)
   ├─ aibom.spdx.json             # AI Bill of Materials (SPDX 3.0 AI / CycloneDX-ML)
   ├─ security-attestation.json   # §7.4 adversarial test results, signed
   └─ SECURITY.md                 # §7.6 CVD policy & contact

3 · The toolkit — one CLI, sail

A reference Python implementation lives in the repository. It builds, signs, and verifies the §7 bundle. Verification is open and re‑implementable (§7.7) — canonical JSON and SHA‑256, no proprietary tooling.

# install (Ed25519 / ECDSA, add [pq] for ML-DSA / hybrid, FIPS 204)
pip install -e ./sail            # or:  pip install -e './sail[pq]'

sail sign ./model/      # build the OMS manifest, sign it (Ed25519 / ECDSA / PQ-hybrid), write srm/
sail verify ./model/    # check signature, manifest completeness, AIBOM, attestation, CVD contact  [--pq-only --strict-issuer]
sail audit ./release/   # walk a directory tree, report artifacts missing compliant §7 SRM

A worked example

# sign the example model at tier T1 with a fresh key and a disclosure contact
sail sign ./example-model \
  --model-name sail-example --model-version 1.0.0 --tier T1 \
  --contact security@example.org --key ./signing.key

# verify it (add --pq-only at T2/T3, --strict-issuer to pin an issuer)
sail verify ./example-model

sail verify prints a per‑check PASS/FAIL report and an overall verdict of COMPLIANT or NON‑COMPLIANT. The exit code reflects that verdict, so the command drops straight into CI as a release gate.

⚠ SAIL‑GPL v1.0 is a public draft proposal and engineering spec — not legal advice and not yet an OSI/SPDX‑registered license. Review with counsel before production use.

Ecosystem

A licensing layer, with company

SAIL‑GPL secures the model. QGPL secures the outputs. ResilQ measures the readiness. One signing root can cover all three.

Built on, and aligned with

OpenSSF Model Signing (OMS) · Sigstore Model Transparency · Coalition for Secure AI (CoSAI) · Google SAIF · NIST AI RMF · OWASP Top 10 for LLM Applications · MITRE ATLAS · SPDX 3.0 AI / CycloneDX‑ML · SLSA · FIPS 203/204/205 · EU AI Act · Cyber Resilience Act · NIS2 · ISO/IEC 42001.