A copyleft license for AI model artifacts in which cybersecurity is a condition of the grant: signed provenance, an AI Bill of Materials, a red‑team attestation, and a vulnerability‑disclosure contact must ship with every release — and travel with every fine‑tune.
Why SAIL‑GPL
An AI model is a claim about how it was made. Yet most model licenses say nothing about whether that claim can be checked. The supply chain became the attack surface — and the license layer never caught up.
Poisoned packages have compromised tens of thousands of AI pipelines. Malicious LoRA adapters and model‑source tampering ride into deployments unnoticed.
Model cards offer no guarantee of origin. Once a model is fine‑tuned, merged and re‑hosted a few times, its lineage — and its trust — collapses.
OMS signing, Sigstore transparency, CoSAI and SAIF are excellent — but optional. Nothing makes secure release the default at the licensing layer.
OpenRAIL propagates ethical‑use restrictions downstream. OpenMDW & Apache‑2.0 grant permissive freedom. Neither makes integrity, provenance and security a copyleft obligation.
SAIL‑GPL takes RAIL's proven propagation mechanism and points it at cybersecurity: what rides the model, rides every derivative. Strip the security, lose the license.
Principles
A model that cannot be cryptographically traced to its maker is untrusted by default. Unsigned is unsafe.
Security obligations are entangled with the weights. Fine‑tuning, quantizing, merging or re‑hosting cannot remove them — only renew them.
You may own the GPUs, the cluster, the serving stack. You do not own an exemption. The duty attaches to the artifact, wherever it runs.
Capability without disclosed limits is a liability. Known weaknesses, evaluations and intended‑use boundaries travel with the model.
Integrity must outlive one release: revisions are re‑signed, algorithms stay agile and post‑quantum‑ready, and vulnerabilities are disclosed, not buried.
Compare
All are licenses for model artifacts. They enforce different things. SAIL‑GPL is the only one that makes release‑time security a share‑alike obligation.
| Property | Apache‑2.0 / OpenMDW | OpenRAIL | Llama‑style | SAIL‑GPL v1.0 |
|---|---|---|---|---|
| Primary subject | Model/weights as data | AI artifact | Model/weights | AI Model Artifact |
| Weights‑as‑data / database rights | Yes (OpenMDW) | Partial | Partial | Yes |
| Copyleft / share‑alike | No | Behavioral copyleft | No | Yes (security copyleft) |
| Mandatory signing & provenance | No | No | No | Yes (OMS, §7.1) |
| AIBOM required | No | No | No | Yes (§7.2) |
| Adversarial / red‑team attestation | No | No | No | Yes, tiered (§7.4) |
| Coordinated vuln disclosure | No | No | No | Yes (§7.6) |
| Crypto‑agility / post‑quantum‑ready | No | No | No | Required agility, PQ for T3 (§7.5) |
| Ethical‑use restrictions | No | Yes | Acceptable‑use | Optional annex (§9.3) |
| Patent grant and retaliation | Yes | Varies | Limited | Yes (§10) |
SAIL‑GPL complements these licenses rather than replacing them: keep your training and inference source code under Apache‑2.0 or GPL, and release the model artifact it produces under SAIL‑GPL.
Section 7 · the core
Every distribution must ship a complete, verifiable SRM bundle. A release without it is a license violation (curable within 30 days). Obligations scale with capability tier.
§7.1 · Signed manifest. An OpenSSF Model Signing (OMS) signature over a manifest hashing all files: weights, config, tokenizer, code. Keyless (Sigstore), PKI, or hybrid.
§7.2 · AIBOM. A machine‑readable AI Bill of Materials: base model, datasets or a data‑provenance statement, adapters, dependencies, pipeline. SPDX 3.0 AI or CycloneDX‑ML.
§7.3 · Model card. Intended use, out‑of‑scope use, known failure modes and security‑relevant evaluations, aligned to the NIST AI RMF.
§7.4 · Security attestation. Signed test results against the OWASP Top 10 for LLM Applications, MITRE ATLAS and the CoSAI Risk Map: prompt injection, data extraction, poisoning.
§7.5 · Crypto‑agility. Declared algorithms, re‑signing on every revision, and post‑quantum or hybrid signatures (ML‑DSA, FIPS 204) for long‑lived and frontier models.
§7.6 · Coordinated disclosure. A published security contact and CVD policy (SECURITY.md) that propagates to every derivative.
§7.7 · Open verification. The format and tooling used to verify compliance must be open and re‑implementable: no single‑vendor, fee‑bearing checks.
§7.8 · Renewal on derivation. Fine‑tune, merge or quantize, then re‑sign, update the AIBOM, refresh the card, and attest the new risks. Security is renewed, never discharged.
Internal use only · Nothing triggered. Distribution moves you to at least T1.
T1 · Signing, AIBOM, model card, CVD, open verification. Lightweight self‑attestation.
T2 · All of §7, with the full minimum adversarial test set. Hybrid post‑quantum signing recommended.
T3 · Strongest setting, with an independent red‑team. PQ/hybrid signatures and transparency‑log inclusion required.
Apply
Attach the notice, ship the srm/ bundle, and verify with the reference CLI.
```text
AI MODEL ARTIFACT NOTICE

This Model Artifact is released under the Secure AI General Public License
(SAIL-GPL) v1.0 — Assured-Integrity Edition. You may use, study, modify, and
distribute this Model under the terms of SAIL-GPL v1.0.

Any distribution of this Model or a Derivative Model MUST ship complete
Secure-Release Metadata (Section 7): signed manifest, AIBOM, model card,
security attestation, and a coordinated-vulnerability-disclosure contact.
Secure-Release Metadata for this distribution is provided in /srm.

SPDX-License-Identifier: SAIL-GPL-1.0
Security contact: security@your-domain.example
```
```text
model/
├─ model.safetensors
├─ config.json
├─ tokenizer.json
├─ MODEL_CARD.md
└─ srm/
   ├─ manifest.json               # hashes of all model files (OMS)
   ├─ model.sig                   # detached signature (ML-DSA / ECDSA / hybrid)
   ├─ aibom.spdx.json             # AI Bill of Materials (SPDX 3.0 AI / CycloneDX-ML)
   ├─ security-attestation.json   # §7.4 adversarial test results, signed
   └─ SECURITY.md                 # §7.6 CVD policy & contact
```
sail · A reference Python implementation lives in the repository. It builds, signs, and verifies the §7 bundle. Verification is open and re‑implementable (§7.7): canonical JSON and SHA‑256, no proprietary tooling.
```sh
# install (Ed25519 / ECDSA; add [pq] for ML-DSA / hybrid, FIPS 204)
pip install -e ./sail          # or: pip install -e './sail[pq]'

sail sign   ./model/     # build the OMS manifest, sign it (Ed25519 / ECDSA / PQ-hybrid), write srm/
sail verify ./model/     # check signature, manifest completeness, AIBOM, attestation, CVD contact
                         # options: --pq-only, --strict-issuer
sail audit  ./release/   # walk a directory tree, report artifacts missing compliant §7 SRM
```

```sh
# sign the example model at tier T1 with a fresh key and a disclosure contact
sail sign ./example-model \
  --model-name sail-example --model-version 1.0.0 --tier T1 \
  --contact security@example.org --key ./signing.key

# verify it (add --pq-only at T2/T3, --strict-issuer to pin an issuer)
sail verify ./example-model
```
verify prints a per‑check PASS/FAIL report and returns COMPLIANT or NON‑COMPLIANT. The exit code reflects the result, so it drops straight into CI.
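What that verification has to do is small enough to show end to end. The block below is an added example written for this page; it is not the project's `sail` CLI and does not claim to match the OMS manifest schema: the manifest fields, check names and the use of `srm/manifest.json` and `srm/model.sig` are assumptions borrowed from the bundle layout above. It hashes every model file into a canonical‑JSON manifest (§7.1, §7.7), signs it, produces a per‑check report like the one `verify` prints, and then walks through §7.8: the weights change and an adapter appears, the old signature still verifies but the hash and completeness checks fail, and only re‑signing restores compliance. Ed25519 is used when the `cryptography` package is installed; without it an HMAC‑SHA256 stand‑in keeps the demo runnable and is labelled as such, because a MAC is not a signature.

```python
"""Added example, not the project's `sail` CLI: a re-implementation of the Section 7 manifest
cycle with canonical JSON and SHA-256 (§7.7): hash every model file, sign the manifest, verify with
a per-check report, re-sign after the weights change (§7.8). Layout and check names are assumptions."""
import hashlib, hmac, json, os, tempfile
from pathlib import Path
try:  # Ed25519 via the `cryptography` package when it is installed ...
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    from cryptography.exceptions import InvalidSignature
    def keygen(): return Ed25519PrivateKey.generate()
    def sign(key, msg): return key.sign(msg)
    def verify_sig(key, msg, sig):
        try:
            key.public_key().verify(sig, msg)
            return True
        except InvalidSignature:
            return False
    SIG_ALG = "ed25519"
except ImportError:  # ... otherwise HMAC-SHA256 stands in for the signature step only.
    # HMAC is a symmetric MAC, not a signature: acceptable for this demo, never for a release.
    def keygen(): return os.urandom(32)
    def sign(key, msg): return hmac.new(key, msg, "sha256").digest()
    def verify_sig(key, msg, sig): return hmac.compare_digest(sign(key, msg), sig)
    SIG_ALG = "hmac-sha256-demo-stand-in"
SRM = "srm"                                   # bundle directory from the layout above
REQUIRED_SRM = ("aibom.spdx.json", "security-attestation.json", "SECURITY.md")

def canonical(obj) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def model_files(root: Path) -> list:  # every regular file except the srm/ bundle itself
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.relative_to(root).parts[0] != SRM)

def sign_release(root: Path, key, name: str, version: str, tier: str, contact: str) -> dict:
    manifest = {"model": {"name": name, "version": version, "tier": tier},
                "security_contact": contact, "sig_alg": SIG_ALG, "hash_alg": "sha256",
                "files": {rel: sha256_file(root / rel) for rel in model_files(root)}}
    (root / SRM).mkdir(exist_ok=True)
    (root / SRM / "manifest.json").write_bytes(canonical(manifest))
    (root / SRM / "model.sig").write_bytes(sign(key, canonical(manifest)))   # detached signature
    return manifest

def verify_release(root: Path, key) -> dict:
    """Per-check report (True = PASS); compliant() folds it into one verdict."""
    mpath, spath = root / SRM / "manifest.json", root / SRM / "model.sig"
    report = {"manifest_present": mpath.is_file() and spath.is_file()}
    if not report["manifest_present"]:
        return report
    manifest = json.loads(mpath.read_bytes())
    # Re-canonicalise before checking, so key order or whitespace in the file cannot matter.
    report["signature_valid"] = verify_sig(key, canonical(manifest), spath.read_bytes())
    listed = manifest.get("files", {})
    report["hashes_match"] = all((root / rel).is_file() and sha256_file(root / rel) == digest
                                 for rel, digest in listed.items())
    # Completeness cuts both ways: nothing listed is missing, nothing on disk is unlisted (an adapter
    # dropped into the directory after signing must fail here).
    report["manifest_complete"] = set(listed) == set(model_files(root))
    report["cvd_contact"] = "@" in str(manifest.get("security_contact", ""))
    report["srm_bundle_complete"] = all((root / SRM / f).is_file() for f in REQUIRED_SRM)
    return report

def compliant(report: dict) -> bool: return bool(report) and all(report.values())

def make_fixture() -> Path:
    """Constructed sample model directory; random bytes stand in for weights."""
    root = Path(tempfile.mkdtemp(prefix="sail-example-"))
    (root / "model.safetensors").write_bytes(os.urandom(4096))
    (root / "config.json").write_bytes(canonical({"architectures": ["ExampleForCausalLM"]}))
    (root / "tokenizer.json").write_bytes(canonical({"version": "1.0"}))
    (root / "MODEL_CARD.md").write_text("# sail-example\nIntended use: demonstration only.\n")
    (root / SRM).mkdir()
    for f in REQUIRED_SRM:   # placeholder bundle members; real ones carry §7.2, §7.4, §7.6 content
        (root / SRM / f).write_text("{}\n" if f.endswith(".json") else "Contact: security@example.org\n")
    return root

def demo() -> dict:
    root, key = make_fixture(), keygen()
    sign_release(root, key, "sail-example", "1.0.0", "T1", "security@example.org")
    out = {"signed": compliant(verify_release(root, key))}
    # A fine-tune or quantisation changes the weights (here it also adds an adapter) but leaves the
    # old manifest in place: the signature still verifies, the hashes and completeness do not.
    (root / "model.safetensors").write_bytes(os.urandom(4096))
    (root / "adapter_lora.safetensors").write_bytes(os.urandom(512))
    report = verify_release(root, key)
    out["after_finetune"] = compliant(report)
    out["failed_checks"] = sorted(k for k, ok in report.items() if not ok)
    # §7.8: re-sign the derivative; the obligation is renewed, not discharged.
    sign_release(root, key, "sail-example", "1.1.0", "T1", "security@example.org")
    out["resigned"] = compliant(verify_release(root, key))
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry the security point. The verifier re‑canonicalises the parsed manifest before checking the signature, so the bytes on disk can be pretty‑printed or reordered without breaking verification, and an attacker cannot smuggle a second, differently formatted manifest past the check. Completeness is tested as set equality, not subset: a file listed but missing and a file present but unlisted both fail, which is what makes an unsigned LoRA adapter in the directory a violation rather than an oversight.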
Ecosystem
SAIL‑GPL secures the model. QGPL secures the outputs. ResilQ measures the readiness. One signing root can cover all three.
QGPL · Quantum‑Safe Copyleft for Observation Outputs: post‑quantum release integrity for data, AI outputs and calculations.
ResilQ · Risk & readiness: technical post‑quantum risk assessment, with cryptographic inventory, exposure scoring and migration roadmaps.
Author · Maintainer of the SAIL‑GPL & QGPL specifications under The Open Reality Initiative.
Referenced standards and frameworks: OpenSSF Model Signing (OMS) · Sigstore Model Transparency · Coalition for Secure AI (CoSAI) · Google SAIF · NIST AI RMF · OWASP Top 10 for LLM Applications · MITRE ATLAS · SPDX 3.0 AI / CycloneDX‑ML · SLSA · FIPS 203/204/205 · EU AI Act · Cyber Resilience Act · NIS2 · ISO/IEC 42001.