Speaking at the Linux Foundation's Open Source Summit North America, Linux creator Linus Torvalds offered a nuanced view of artificial intelligence's role in software development. He described modern AI tools as both a boon and a burden for the kernel community, driving up contribution volume while exposing new social and security stresses. Despite the disruptions, Torvalds insisted that AI remains a tool, not a wholesale replacement for human programmers.
During a conversation with Dirk Hohndel, head of Verizon's Open Source Program Office and a longtime friend and Linux kernel maintainer, Torvalds reflected on how AI has disrupted decades of established processes. He noted that the kernel's release cycle had been stable for nearly 20 years since the move to Git, but that trend broke about six months ago as AI coding tools gained traction. The result: a surge in contributions. “In the last six months, we've seen a lot more commits,” Torvalds estimated, “about 20% more than we had in previous releases over many years.”
At first, Torvalds misinterpreted the spike as enthusiasm for a major version number change. “I thought people were excited about the 7.0 release because I changed the major number every once in a while,” he said. “It turns out I was wrong. The real change was that AI tools got good enough for a lot of people.” The tools lowered the barrier to entry, enabling more developers to contribute patches. However, Torvalds emphasized that the most significant impact has been social rather than purely technical. “The big pain points in Linux, traditionally, have not been so much the code itself, but when you are forced to change how you work,” he explained.
One acute pain point has been the Linux kernel security mailing list. Torvalds revealed that the list had recently been “overrun by duplicate reports” generated with AI. Well-intentioned researchers, upon finding bugs using AI tools, immediately send them to the confidential security list, flooding a small group of maintainers. “We were flooded by people sending bugs, and then you have this list with very few people on it, and we spent all our time just forwarding these reports to developers who knew that area better,” Torvalds recounted.
To address the deluge, Torvalds announced new AI security disclosure guidelines with a blunt rule: “If you find a security bug with AI, you should basically consider it to be public, just because if you found it with AI, 100 other people also found it with AI.” He urged researchers to avoid publishing working exploits. “Don't be that guy who crows about it publicly and says, ‘Look, I could bring down this big company.’”
Torvalds linked the disclosure debate to broader shifts in the security ecosystem. In the past, the kernel community would quietly notify distributions about a bug and ask them to upgrade without detailing the vulnerability. “Most of the time, nobody would figure out what happened,” he said. Now, with AI-accelerated analysis, transparency has become unavoidable. He recalled a recent fix: “Last week, we fixed the bug; within three hours, there was a blog post about the implications, because security people love getting attention.”
Despite the challenges, Torvalds argued against closing source code. “I don't think the solution is to not do open source,” he said. “If you think AI can't reverse-engineer closed source, you're in for a surprise. Closed source is even worse: the AI can't help you fix the problems, but it sure can help find them in the first place.” He noted that Windows also faces rising vulnerability counts due to AI. Dustin Childs of Trend Micro's Zero Day Initiative recently observed that Microsoft patched 1,139 CVEs in 2025, the second-highest total, and expects numbers to climb further in 2026 as AI-generated bugs become more prevalent.
Hohndel criticized vendors who hype vulnerabilities without responsible coordination. He cited four recent local privilege escalation bugs in the kernel, “two of which were disclosed exactly” with branded names, domains, and logos before maintainers were contacted. “My response is always, here is a company I never want to work with,” Hohndel said. “If you do that to the Linux kernel, you do this to anyone.”
Torvalds admitted to having a love-hate relationship with AI. “I actually really like it from a technical angle. I love the tools. I find them very useful and interesting, but it is definitely causing pain points,” he said. He framed AI-discovered bugs as “short-term pain” with long-term benefits. “When AI finds a bug in any source code, long term it's a bug found and fixed, and the end result is better for it. I think finding bugs is great, because the real problem is all the bugs you didn't find.”
However, he warned of “social choke points and social pain points” as AI pours traffic into already overstretched communities, especially in the “10s of 1,000s of random projects that people maintain that are not the Linux kernel.” For small teams or solo maintainers, flood-style AI bug reports can cause real burnout, especially when “it's a bug report, and when you ask for more information, the person has done a drive-by and doesn't even answer your questions anymore.”
Torvalds added that maintenance is increasingly about people rather than code. “For me as a top-level maintainer, I don't do a lot of coding. My job is working with people, and I do not use AI to work with people. Thank you. And I suggest you don't do that either.” This marks a notable evolution in Torvalds's approach, contrasting with his earlier reputation for harshly critiquing poor code.
When the conversation stepped away from Linux and he was asked what advice he would give to someone at the beginning of their career amid forecasts that “all code will be written by AI,” Torvalds pushed back hard on marketing claims. “My opinion has always been that AI is a great tool, but it's a tool. When I see people saying 99% of our code is written by AI, I literally get angry.” He contrasted those claims with the reality that “100% of their code is written by compilers,” tracing his own path from hand-entered machine code to assemblers, then compilers, and now AI helpers.
“I grew up writing machine code—not assembly language, the numbers,” Torvalds recalled. “It took me a while to understand that writing down the numbers and calculating offsets for branches is kind of stupid, and people had come up with this tool called an assembler. Then later I figured out compilers are good too. These days, I'm figuring out AI tools are good too.”
Torvalds argued that AI is changing programming but not its fundamentals. Just as compilers increased productivity “by a factor of 1000,” he estimates that “AI will increase your productivity by a factor of 10,” but insists “AI is not changing programming.” He described the layered evolution: “A lot of people will use AI to generate the code that the compilers use to generate the code that the assemblers then use to generate the machine code. This is revolutionary in the same sense that we've seen revolutions before.”
Crucially, Torvalds said would-be developers still need to understand what their tools produce. “You do want to understand how it all works in the end. Even when I use AI for my pet toy projects, I use AI to generate code, I look at that code, and I still actually look at the assembly language because it's what I grew up with.” For any serious, long-lived system, he warned, “you need to understand not just your prompts, but also the end result, because that's the only way you can maintain it long term.”
Throughout the session, Torvalds returned to a consistent theme: open source and AI tools are powerful ways to manage software complexity, but they do not replace the need for human judgment, community norms, and deep understanding of the systems being built. “Software is very complicated,” he said, “and the only really good way to manage the complexity of a complex infrastructure is open source,” with AI now layered in as one more tool in the programmer's toolbox.
Source: ZDNET News