"If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did. Don't be the drive-by ‘send a random report with no real understanding’ kind of person. OK?"
Linus Torvalds' state of the kernel post for Linux 7.1 RC4
In his weekly "state of the kernel" update accompanying release candidate four for Linux 7.1, Linus Torvalds reported "fairly normal" progress toward the full release and pointed kernel developers to project documentation he said "might be worth highlighting." The technical status update served as the platform for a broader operational complaint about the project's security mailing list, which Torvalds said has been overwhelmed by a specific pattern of reporting.
Security mailing list "almost entirely unmanageable"
Torvalds declared that the security mailing list has become "almost entirely unmanageable" as "the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools." He described the day-to-day consequence: "People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion." That workload, he said, amounts to "all entirely pointless churn."
On AI-detected bugs and the limits of private handling
Torvalds framed the problem as structural rather than purely behavioral: "AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved – and only makes that duplication worse because the reporters can't even see each other's reports." The implication was clear — automated tools tend to surface the same findings across many users, and when each reporter files the same private notification the result is repeated effort rather than efficient triage.
Torvalds' guidance to researchers: read, patch, and add value
Rather than forbidding AI tools, Torvalds urged reporters to add concrete value beyond automated output. "AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work," he wrote. "Feel free to use them, but use them in a way that is productive and makes for a better experience." He added that the project's documentation may be "a bit less blunt than I am," but reinforced the core message: read the documentation, supply a patch when possible, and avoid "drive-by" reports that show little understanding beyond the AI-generated finding.
Greg Kroah-Hartman's contrasting remarks and the FOSS community
Torvalds' blunt admonition sits alongside a more upbeat assessment from another senior maintainer. Greg Kroah-Hartman recently told The Register that AI has become an increasingly useful tool for the FOSS community. The two comments together underline a tension inside open-source maintenance: AI is a valuable capability, but its deployment and follow-through determine whether it helps or hinders collaborative processes.
What this means for kernel maintainers, researchers, and the FOSS community
- Kernel maintainers and security teams: Expect to spend time triaging repeated AI-origin reports and to rely more on documentation and clear contribution processes to reduce duplicate handling, since Torvalds described the current flow as producing "enormous duplication" and "pointless churn."
- Researchers and AI tool users: Torvalds' guidance is explicit — read the documentation, produce a patch where possible, and avoid submitting bare AI reports that replicate work others have already filed.
- The FOSS community: The split in tone — Torvalds' frustration versus Greg Kroah-Hartman's assessment that AI is increasingly useful — signals a working debate about how to integrate AI into collaborative security workflows without overwhelming public mailing lists.
Torvalds' message was both practical and pointed: AI can accelerate discovery, but without the discipline of reading project guidance and contributing fixes it risks turning a helpful capability into administrative noise. As Linux 7.1 moves through release candidate stages, the kernel community will be watching whether documentation and clearer expectations can reduce the "waste of time" Torvalds described, or whether more formal changes to reporting channels will be needed.




