The topic Linux developers are getting bombarded with AI-generated bug reports, and Linus… is currently the subject of lively discussion — readers and analysts are keeping a close eye on developments.
This is taking place in a dynamic environment: companies’ decisions and competitors’ reactions can quickly change the picture.
During the release candidate cycle for Linux 7.0, Linus began noticing something weird. The number of bug reports for Linux 7.0 was more than usual, but at the same time, the bugs being found were pretty minor and not worth delaying the release. At the time, Linus suspected that the rise in reports was due to people using AI tools to scan for and identify bugs, and it turns out, he was right.
Now, as we move into what Linus calls “the new normal” with a larger-than-average number of bug reports, it turns out that people aren’t properly reporting the issues their AI assistants find. And Linus is getting a little peeved over it.
Unfortunately, it seems the rise of AI tools in finding bugs is causing some real issues with the developers. It turns out that people are siccing their AI assistants onto the code, collecting all the found bugs into a document, and then shipping it over Linux’s security list. This list is private, as it’s meant for serious bugs that would cause a ton of damage if they became public knowledge.
The problem is, not only are the AI-found bugs particularly system-breaking, but the private reporting means nobody else knows the bug has already been spotted. The end result is a tidal wave of bug reports as several AI assistants all find the exact same bug and then send the report over a private channel.
…the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools. People spend all their time just forwarding things to the right people or saying “that was already fixed a week/month ago” and pointing to the public discussion.
Which is all entirely pointless churn, and we’re making it clear that AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved – and only makes that duplication worse because the reporters can’t even see each other’s reports.
Torvalds does explain that he doesn’t want to dissuade people from using AI; he just wants people to use it intelligently. He goes on to say that, if an AI finds a bug, there’s a very good chance that someone else has already found it with the exact same tool, and if people really wanted to be helpful, they could roll up their sleeves and code up a fix instead of just giving drive-by reports. Of course, if the same people use AI to generate the fix, they can’t just shift blame onto their agent if something goes wrong.