40 comments

[ 87.9 ms ] story [ 611 ms ] thread
"Torvalds' remarks contrast with recent comments from fellow kernel maintainer Greg Kroah-Hartman, who recently told The Register that AI has become an increasingly useful tool for the FOSS community."

Does it? Both points can be true at the same time.

yeah reading the original post linus seems to be pretty constructive in his words and open to AI in a common-sense way.
Isn't it mostly the medium that's problematic? With an issue tracker it's easier to close as duplicate
AI (read: LLM technology) is the most powerful spam weapon ever invented.
Here's the actual mailing list post: https://lore.kernel.org/lkml/CAHk-=wi+JvcuKF2NaD_rGiYrwkR6rx...

Actual context: Linux 7.1-rc4 release, Linus remarked on a specific documentation change.

The Register somehow turned this into an "article" that says a lot less with roughly the same number of words, and provides "context" by linking to a number of unrelated articles.

The Register has always been a... weird 'news' source, but they've gotten significantly worse over the last year or two.
Fun fact (or not so fun if you're a subscriber):

Somebody is spamming kernel mailing lists under the name Marian Corcodel with a 26 MByte message multiple times per day containing a collection of nonsensical patches. Looks AI-generated, perhaps with the intention to poison LLMs. This has been going on for a few days now.

https://lore.kernel.org/all/CAGg4U=GNtCObd_Nbm_1Rr5FEvPb69Yz...

> perhaps with the intention to poison LLMs

How does that work?

Why can't they block the people doing this? Bring on the ban hammer.
I like to imagine that LLM's ability to optimize code is like an extension of the training-loop in deep learning. The loss function is some kind of metric representing security and/or performance (or the lack of it) of the code and we use the LLM as the gradient/diff generator to iterate in batches over the code and fine tune it.

Imagine the current state being for the most part a collection of local maxima in security. To push the system in a more optimal state, you either need skilled people and time to overcome the barrier to a new local maximum or you throw AI at it and evaluate whether you land in a more optimal state.

I think after some time of turbulent exploit/patch cycles we will reach a stable state again, where the code converges against a new local minimum that even with AI requires significant effort (time and tokens) to overcome. Or ideally a global maximum.

With time, the LLMs improve, so the diffs/gradients get better and we will be able to reach optimal points for any software faster.

My problem with the idea is that apparently it is assumed that OSS contributors and especially maintainers will generously donate their time to get this machinery into a state that makes the optimization loop work well - just for the AI labs to turn around and sell access to the optimized models for increasingly larger amounts of money.

AI generated code can be great. Hand rolled code can be bad. The rules are the same in both cases. Make sure your code changes are focused (no random changes just because you happen to be in the file/dir or notice something) and make sure you don't break anything else along the way.

> Torvalds' remarks contrast with recent comments from fellow kernel maintainer Greg Kroah-Hartman, who recently told The Register that AI has become an increasingly useful tool for the FOSS community

Thats kinda a misrepresentation. They are talking about two different things. Linus is trying to point out incorrect use of a tool while GKH is praising a correct use. This sentence felt weird at the end of the article, kind like rage bait. And I took it :P.

I think it's time the report-only intake should stop. If a reporter can't reproduce at least one use case or can't summarise it in two sentences, it should be classified as spam. LLMs write beautiful reports, it's just that sometimes it doesn't bear anything resembling the truth.
(comment deleted)
So ... who, exactly, is AI supposed to be "helping"???
The "security researches" who post those bugs. Their goal being self promotion.
The bug reports are helpful! Many Linux developers including Linus, Greg Kroah-Hartman, Andrew Morton, Chris Mason, and Willy Tarreau have all commented positively on all the legitimate problems that are being found with LLM. Here is just one example article[1].

This is just a workflow issue. In the past it was very rare for multiple people to find and report a security vulnerability at once, so it made sense to keep the discussion private until they were ready to release a fix. With AI that is happening all the time, so it makes more sense for the discussion to be in public to avoid duplication. So they changed the policy accordingly. That is it.

[1]https://lwn.net/Articles/1066581/

Will never understand why some people prefer mailing lists to do development, it always feels like the most convoluted way to hold a discussion, especially if there are multiple topics at the same time.

It probably doesn't really change that much in this scenario but with a forum or any other topics-based platform you can at least just close and ignore these things without it affecting everyone else.

old people like the old tools that they grew up using
Show me a forum or topics based platform that handle threads as good as proper mail clients? Don’t mistake the poor HTML view for how managing threads with thousands of replies look like.

Local filtering is the key to ignoring threads you are not interested in. Depending on the client with 2 or 3 keystrokes you are ignoring the whole thread or this particular sub branch of it and automatically jumping to the next interesting, unread message.

Because ther don't have to keep switching from discussion client to discussion client or whatever tools the use for each project they are involved with, at the same time being distracted by adverts, geegaws, random emojis and other kinds of nonsense.

They are simply more efficient and more importantly censoring is done by the user themselves, not by politically motivated admins who ban discussions based on their ideologies and whims.

Usenet is probably better, but to a rough approximation, nobody has access to a usenet feed anymore.

Mailing lists allow people to use threads if they want (assuming nobody thrashes the threads headers by using terrible email software from Microsoft/Google), and also allows people to read from the firehose if the want. And there's plenty of threaded web views of mailing lists available for lurkers.

"Will never understand why some people prefer mailing lists to do development ..."

The people who have this preference are processing the mailing lists with a highly specialized mailtool, not a web browser.

If you have only ever accessed email with a web browser it is not surprising that you find the mailing list format weird.

It’s an open format and with basic tools, you can create a very good pipeline to consume the information. There’s no ceiling on the convenience and automation. Gmail and other webmail client are not a representation of good email workflow.
its battle tested and you can use it even with outdated computer by 20 years. no JavaScript needed hehe

easy to archive and open format too

It seems like LLMs are actually pretty good at the sorts of things needed to manage a high-volume mailing list (summarizing, looking for dupes, sentiment, flagging things, etc), even if only as augmentation for human eyes.

That said, I get why this would rankle a lot of the folks involved.

That's just a security/protection racket with extra steps: "Someone is paying us to hurt your business/site; pay us money to defend your site against our attacks".
Maybe it's time to require public zero-knowledge proofs of a working exploits before privately-delivered exploit details can be considered.
So ... first, AI slop is killing mankind slowly. Skynet is winning here.

On the other hand ... IF the bug report is real, and let's assume that AI slop reports at the least a few bugs that are indeed real, then I really think it should not make a difference WHO or WHAT reports these bugs. I would not disagree on fake bugs or bogus bug reports wasting time of humans, but this is a quality difference then. Surely people can tweak AI models to be better at finding bugs too. Besides, they should auto-fix that. Is AI still too stupid to fully replace humans? Other than killing them with spam, as it does right now.

I'd really like maintainers to get their hands dirty with AI agents as well to help speed up the reviews.

Over the last year there have been way too many stories and Twitter posts like these.

Yes, maintainers are overloaded, but that's only because we haven't yet built the tools to support them.

Other than such statements, I would, as a builder like to hear the sorts of tools and requirements maintainers are looking for which would make their work easier!

We need to move fast without breaking things.

I think this will sort itself out over time, as people realise that it’s no longer impressive whatsoever to land an AI-assisted PR to the Linux kernel.
Make it anonymous and the problem will go away.

The problem is people trying to get individual credit for merely running a script that spams a mailing list. Many of those people are likely not even C programmers or programmers at all.

Without the immense personal reward and recognition and job offers as a motivation, the problem will disappear.

The problem will also disappear with time as the people lauding and celebrating and hiring security researchers of the past will quickly abandon LLM generated spam as a positive signal; running a prompt that sends spam is, if anything, a strong negative indicator of infosec ability and skill.

LLMs are a tool. Like all tools, most people can't or won't use them responsibly or profitably although they are useful in the correct hands.

Nonsense advice, he's just asking for duplicate slop patches too this way.

It's a catch 22. Why not make a separate list for AI generated reports that can be subscribed to instead? If the claim is that these are not private anyhow, no reason not to, and then a reasonable expectation could be held against submitters to check against existing reports.

That is unless it is still absolutely sensitive, in which case the only way forward that I see is to start using AI for triaging and duplicate detection as well.

I feel like the ability to speed up finding bugs will exceed your ability to fix them and/or review ai PRs

It will almost likely find issues that require fundamental design changes to even fix some of these

Dangerous waters ahead for data security and vital infrastructure

I hate to be "that guy" but there's a reason why most of the industry stopped using mailing lists for things like this. Extremely impressive that Linux lasted this long.
Mailing lists are a bad fit for this problem once spam starts taking over. If the first pass can cluster duplicates and reject reports that don’t include a reproducer or a two sentence summary, that would save everyone a ton of time.