Summary
- AI scans flood private security list with duplicate, minor bug reports, making it unmanageable.
- Treat AI-detected bugs as public; private reports just hide duplicates and waste maintainers' time.
- If AI finds a bug, roll up your sleeves: fix it (don't just send drive-by reports or blame the tool).
During the release candidate cycle for Linux 7.0, Linus began noticing something weird. The number of bug reports for Linux 7.0 was higher than usual, but the issues found were pretty minor and not worth delaying the release. At the time, Linus suspected that the rise in reports was due to people using AI tools to scan for and identify bugs, and it turns out, he was right.
Now, as we move into what Linus calls "the new normal" with a larger-than-average number of bug reports, it turns out that people aren't properly reporting the issues their AI assistants find. And Linus is getting a little peeved over it.
Linux 7.1-rc4's release notes include some AI-based woes
Use AI responsibly, people
Linus Torvalds has just published a newsletter announcing Linux 7.1's fourth release candidate. These candidates are for testing and bug fixing, meaning it's prime season for maintainers to get a flood of bug reports to sort through.
Unfortunately, it seems that the rise of AI tools for finding bugs is causing real issues for developers. It turns out that people are siccing their AI assistants on the code, collecting all the found bugs in a document, and then shipping it to Linux's security list. This list is private because it's meant for serious bugs that could cause a ton of damage if they became public.
The problem is, not only are the AI-found bugs not particularly system-breaking, but the private reporting means nobody else knows the bug has already been spotted. The end result is a tidal wave of bug reports as several AI assistants all find the exact same bug and each report is sent over a private channel where no other reporter can see it.
As Torvalds himself puts it:
...the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools. People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion.
Which is all entirely pointless churn, and we're making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports.
Torvalds explains that he doesn't want to dissuade people from using AI; he just wants them to use it intelligently. He goes on to say that, if an AI finds a bug, there's a very good chance that someone else has already found it with the exact same tool, and if people really wanted to be helpful, they could roll up their sleeves and code up a fix instead of just giving drive-by reports. Of course, if the same people use AI to generate the fix, they can't just shift blame onto their agent if something goes wrong.
