The Mailing List Is Drowning

According to Torvalds, AI-assisted bug reporters have made the Linux security mailing list “almost entirely unmanageable.” The core problem isn’t the AI. It’s the workflow around it.
Multiple researchers are running the same tools against the same codebase, generating near-identical reports, and firing them off independently — with no awareness of each other and no real understanding of what they’ve found. The result is a wall of noise that maintainers have to wade through, triage, and largely ignore.
Torvalds called it “all entirely pointless churn.”
Why Private Reports Make It Worse

There’s a structural irony here worth noting. AI-detected bugs are, almost by definition, not secret. If your tool found it, someone else’s tool found it too.
Yet these reports keep landing in private security channels — which means reporters can’t even see the duplicates piling up around them. The confidentiality intended to protect responsible disclosure is instead amplifying the redundancy. Everyone’s whispering the same thing into separate ears.
What Torvalds Actually Wants

He’s not anti-AI. He’s anti-lazy.
His ask is straightforward: if you used an AI tool to find a bug, do the next step. Read the documentation. Write a patch. Add something a human actually had to think about.
“Don’t be the drive-by ‘send a random report with no real understanding’ kind of person,” he wrote, with characteristic bluntness.
The documentation, he noted, says the same thing — just with fewer sharp edges.
A Split in the Kernel Community

Not everyone in the Linux world shares Torvalds’ frustration. Fellow kernel maintainer Greg Kroah-Hartman has described AI as an increasingly useful tool for the FOSS community — a notably warmer take from someone equally embedded in the day-to-day grind of kernel maintenance.
The contrast is telling. AI’s value in open-source development isn’t settled. It depends heavily on how it’s used, not just that it’s used.
What This Means If You’re Building With AI Tools

If you’re evaluating AI code analysis or security scanning tools for your own workflow, Torvalds’ rant is actually useful signal.
The tools themselves aren’t the problem — static analysis and AI-assisted code review can surface real issues. The failure mode is treating AI output as a finished product rather than a starting point. A report without a patch, without context, without ownership, is just noise with extra steps.
The bar Torvalds is setting isn’t high. It’s just higher than zero. Use the tool, understand what it found, and add something only you could add. That’s not an AI limitation — that’s just good engineering.