theregister.com via Reddit

Linus Torvalds moves to block AI kernel spam

open source coding tools open-source coding-tools

Key insights

  • Torvalds cited AI code review tools as the direct cause of the kernel security mailing list becoming nearly unmanageable from duplicate findings.
  • Linux already has a formal 'Assisted-by' tag policy permitting AI-assisted contributions, meaning the issue is quality and timing, not a blanket ban.
  • The problem is structural: multiple contributors independently running identical AI tools produce redundant reports at scale across the same codebase.

Why this matters

AI code review tools are now generating enough automated output to overwhelm one of the most battle-hardened open source review processes in existence, which signals that the marginal cost of filing a bug report has collapsed to near zero while the marginal cost of reviewing one has not. For AI tooling founders, this is a direct product signal: bulk automated submissions without deduplication or relevance filtering will get policies written against them. For technical leaders evaluating AI-assisted development workflows, Torvalds' response is an early benchmark for how high-value maintainers will respond when AI-generated noise exceeds a maintainability threshold.

Summary

Linus Torvalds is drawing a harder line against AI-generated pull requests in the Linux kernel, warning that late-cycle automated churn has become a serious maintenance burden. In his Linux 7.1-rc5 weekly update, Torvalds said he will 'start being a bit more hardnosed' about pointless contributions, singling out AI code review tools as a primary driver of the problem. The kernel security mailing list has taken the worst of it. Torvalds described it as 'almost entirely unmanageable' due to mass duplication of bug reports generated by identical AI tools running over the same codebase and filing redundant findings at scale. The problem isn't one bad actor but a structural one: many contributors using the same automated tooling independently, flooding the list with overlapping noise. Essentially: (Linux kernel maintainers, AI code review tools) are on a collision course over contribution quality versus volume. - Linux does allow AI-assisted contributions under an official 'Assisted-by' tag policy, so the door isn't closed entirely. - Torvalds' objection is specifically to automated, late-cycle, low-signal submissions that consume reviewer time without advancing the codebase. - The kernel security list, which handles sensitive disclosures, is the highest-stakes venue to become overwhelmed by noise. Open source maintainer burnout from AI-generated contribution floods is now a documented, named problem rather than a theoretical risk.

Potential risks and opportunities

Risks

  • AI code review vendors (including startups positioning on automated security auditing) face reputational damage if their tools are identified as primary sources of kernel mailing list spam
  • Legitimate AI-assisted contributors with real findings risk having valid submissions rejected or deprioritized as Torvalds applies broader filters to reduce noise
  • If the kernel security list remains overwhelmed, genuine vulnerability disclosures could be delayed or missed, creating a window of exposure for downstream Linux distributions and enterprise users

Opportunities

  • Deduplication and signal-filtering layers built on top of AI code review tools (similar to what Snyk and Semgrep offer for alert triage) become a differentiator as raw output volume becomes a liability
  • Open source contribution workflow platforms (Gitea, GitHub, GitLab) could capture maintainer goodwill by building AI-submission rate-limiting or provenance-flagging features into pull request tooling
  • Enterprise Linux vendors (Red Hat, SUSE, Canonical) can strengthen relationships with kernel maintainers by publicly committing to human-review gates before submitting AI-flagged findings upstream

What we don't know yet

  • Whether Torvalds will codify rejection criteria into formal kernel contribution guidelines or enforce informally on a case-by-case basis
  • Which specific AI code review tools are generating the bulk of duplicate security list submissions, and whether their vendors are aware of the volume
  • Whether the 'Assisted-by' tag policy will be amended to require human validation steps before AI-flagged security findings can be submitted

Originally reported by theregister.com

Read the original article →

Original headline: Linus Torvalds Threatens to Reject AI-Generated Linux Kernel Pull Requests After Security List Becomes 'Unmanageable'