Linus Torvalds (photo) has harshly criticized the growing flood of AI-generated bug reports within the Linux kernel community. According to the creator of Linux, automated analyses are increasingly resulting in duplicate reports and extra work for developers, without providing any substantive added value.
Torvalds made his comments upon the release of Linux 7.1-rc4, the latest release candidate of the kernel. He describes the technical progress of that version as largely normal. About half of the changes consist of driver updates, with GPU code again accounting for a large share. In addition, the update includes changes to network functionality, the kernel core, filesystems, and architecture-specific components.
AI alerts disrupt security process
More striking was his detailed explanation of the growing impact of AI tools on the security process surrounding Linux. According to Torvalds, the security mailing list is becoming increasingly difficult to manage because different researchers are using the same AI tools to identify identical vulnerabilities and report them separately.
As a result, he says, developers spend a lot of time forwarding reports, responding to duplicate reports, and explaining that certain issues have already been resolved. In many cases, he adds, these are known or previously publicly discussed bugs.
Torvalds argues that AI-generated vulnerabilities can hardly be considered confidential in practice. When an AI tool can detect a problem, he believes there is a high probability that several others will discover the same problem almost simultaneously. For that reason, he finds it pointless to continue handling such reports through private security channels.
Torvalds does not reject AI
At the same time, the Linux creator emphasizes that he does not reject AI tools. According to him, such systems can actually be useful when they help developers analyze problems or improve code more quickly. His criticism is mainly directed at people who submit automatically generated bug reports without further analysis.
According to Torvalds, such reports add little value when the submitter shows no understanding of the codebase and does not provide a solution or patch. He therefore calls on developers to read the documentation, understand the context of an error, and add their own technical value on top of what AI tools identify.
In doing so, Torvalds makes it clear that he expects more from developers than just forwarding AI output. According to him, anyone who truly wants to contribute to the Linux kernel should also help analyze and resolve the issues found.
The comments underscore a broader discussion within open-source projects about the role of AI in software development. Automated analysis tools make it easier to detect bugs and vulnerabilities on a large scale, but at the same time cause a sharp increase in reports that must be manually reviewed.
Also read: It’s raining Linux vulnerabilities: what’s going on?