If the many eyes of open source made all software bugs shallow, as it’s been famously asserted, then all the bugs are now being outright exposed, thanks to an all-seeing AI.
This is the new reality and it is up to us to adjust, Linux creator and chief maintainer Linus Torvalds told a keynote audience at the Linux Foundation’s Open Source Summit, being held in Minneapolis this week.
Torvalds discussed the impact that AI is having on the core development community for the world’s largest software project, Linux. Given his historically curmudgeonly views on things, Torvalds was surprisingly positive about AI, though he admits that it will require major changes in how software is developed, and how we manage that process.
“The conflict is not that AI is bad,” he said. But coders may feel uncomfortable with AI because it comes with “social pain points.”
The Year AI Broke
The AI revolution didn’t really impact the Linux kernel community until about six months ago, and now it is changing everything, he said.
The core development team has had pretty much the same release process for the past two decades or so. “I used to say that it’s all working fine, and it’s smooth sailing, and it’s steady progress,” he told the audience.
Late last year, as the team prepared for the 7.0 release, they noticed a sizable increase in commits. Initially, Torvalds assumed it was because contributors wanted to be part of the 7.0 release. But “the real change that happened in the last six months was the AI tools actually got good enough for a lot of people.”
The barrier to entry for writing a kernel patch had all but collapsed. The AI “tooling does a big chunk of the work,” Torvalds told interviewer Dirk Hohndel. Submissions jumped by 20% and many were actually solid. As a result, the project just updated its security disclosure guidelines for AI. It asked users to manually verify any bugs that AI found, and, ideally, provide a patch.
Linux Is in a Situationship With AI
“I have a love-hate relationship with AI. I actually really like it from a technical angle, I love the tools, I find it very useful and interesting, but it is definitely causing pain points,” Torvalds admitted.
The chief challenge with AI is that it forces people to change how they work, he found. People get into a rut, and AI challenges their norm.
The Linux security mailing list got the brunt of this new wave of AI-generated commits. Not all bugs are security issues, but “people think that when they find a bug with AI, the first reaction seems to sometimes be let’s send it to the security list, because this may have security implications,” Torvalds said.
As a result, the security list — watched over by a small group of maintainers — was overrun by duplicate entries. Multiple contributors were finding the same bug, and often with the same AI tool, though the AI frequently presented it with slightly different results, muddying the waters even further.
It changed Torvalds’ thinking about the nature of bugs.
“If you find a security or any bug with AI, you should basically consider it to be public,” Torvalds said. If you used AI to find a bug, then it’s pretty likely that dozens of others have found it as well.
There is a behavioral reward for alerting an open source project about a new security flaw, especially for software companies that could reap attention from the trade press for being the first to discover the flaw. “Don’t be that guy,” he said.
For serious software security issues, the responsible thing to do is not to make your finding public, as doing so puts users at risk and forces the maintainers to deal with the issue immediately.
This has happened twice recently with the Linux kernel. The kernel developers learned about an issue at the same time as the public at large — including malicious attackers.
In this case, “You have no opportunity to fix this. You have no opportunity to get patches ready. You have no opportunity to actually help the people who run the code,” Torvalds said.
Bug Spotting Is Good
Nonetheless, Torvalds sees AI as largely a good thing. It’s a short-term pain, but the end result is that more bugs are fixed.
Linux has about 35 million lines of code, and much of it dates back decades or more. It’s managed by about 1,000 maintainers in various roles. So, understandably, bug reports are a daily occurrence for the project.
“I’m actually very positive about this whole thing. I think finding bugs is great, because the real problem is all the bugs you didn’t find,” he said.
If not managed correctly, however, this new source of errors will lead to maintainer burnout, he noted. The Linux project learned to manage the bug influx with a set number of tools to sort out and deprioritize the obvious drive-by reports (ones where the person submitting the report won’t even answer any questions). One tool, Sashiko, reviews all the patches submitted on the mailing list.
“Sometimes the review is not great, but quite often it finds issues and it asks questions and says, ‘Hey, what about this issue?’” he said.
New Tool in the Shed
Despite the hyperbole, AI is essentially just another tool, Torvalds stressed. Its impact, at least as far as coding goes, is similar to that of the compiler, when that was first invented. Like AI, compilers also improved programmer productivity many times over.
“When I see people saying ‘99% of our code is written by AI,’ I literally get angry, because those same people I pretty much guarantee that 100% of their code is written by compilers,” he said.
Torvalds himself grew up writing machine code.
“And when I say machine code, I don’t mean assembly language, I mean the numbers,” he said. “It leaves an imprint on you.”
So the assembler was a step up in ease for programmers, just as the compiler was when it eliminated the need to understand assembly language. AI is similarly revolutionary.
“AI is changing programming, but it’s not changing the fundamentals,” he said. “I’m still writing the code, I’m just not doing it the same way I did when I was basically typing in numbers in data statements.”
AI won’t eliminate the need for programmers, Torvalds said. AI is great for vibecoding a temporary application, but serious long-term projects will need more care.
“If you want to make something serious, you’re going to have to maintain it for 35 years,” Torvalds said. “It’s a lot more than just writing the prompts to make somebody else generate the code.”


