AI Bug Reports Have Made Linux Security List Unmanageable, Creator Says

Source Domain: tech.yahoo.com

Linux creator and lead developer Linus Torvalds warns that the Linux kernel’s security mailing list has become “almost entirely unmanageable” due to a flood of AI-generated bug reports. In his Linux 7.1-rc4 update, he notes that AI-powered bug hunters now produce a high volume of reports that are often duplicates of each other or of issues that human developers have already fixed.

Torvalds says many researchers run the same AI and automated tools on the public kernel code, then send their findings to the confidential security list. This leads people to report the same bugs repeatedly, even after they have been patched.

It’s “all entirely pointless churn,” Torvalds writes. “AI-detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved—and only makes that duplication worse because the reporters can’t even see each other’s reports.”

His post also argues that most of these reports should not go to the private security list at all. Instead, they should enter normal public workflows, like subsystem mailing lists and maintainers’ addresses, where the community can discuss and fix them in the open.

Kernel documentation now stresses that AI-assisted reports should go through public channels and should include concise, plain-text descriptions and a verified reproducer.

Unfortunately, this problem isn’t exclusive to Linux. Other open-source projects report similar quality issues stemming from generative AI: The team behind the PS3 emulator RPCS3 has asked contributors to stop sending “AI slop” pull requests that they do not understand or test, and “vibe-coded” apps are clogging the iOS App Store’s review process.

Source