Linux lays down the law on AI-generated code, says yes to Copilot, no to AI slop, and humans take the fall for mistakes — after months of fierce debate, Torvalds and maintainers come to an agreement

A screenshot of a Linux directory listing with a picture of Tux, the Linux mascot, in the corner; a person is walking in the reflection on the screen. — (Image credit: Pexels / OpenClipArt)

The open-source community's long-simmering identity crisis over artificial intelligence just got a much-needed dose of pragmatism. This week, the Linux kernel project finally established a formal, project-wide policy explicitly allowing AI-assisted code contributions provided that developers follow strict new disclosure rules. The new guidelines mandate that AI agents cannot use the legally binding "Signed-off-by" tag, requiring instead a new "Assisted-by" tag for transparency. Ultimately, the policy legally anchors every single line of AI-generated code and any resulting bugs or security flaws firmly onto the shoulders of the human submitting it.

Go deeper with TH Premium: AI and data centers

Microsoft data center in Mount Pleasant, Wisconsin — (Image credit: Microsoft)

Torvalds' stance, which forms the philosophical backbone of this new policy, is remarkably straightforward: AI is just another tool. Bad actors submitting garbage code aren't going to read the documentation anyway, so the kernel should focus on holding human developers accountable rather than trying to police the software they run on their local machines. It's a highly reasonable, pragmatic approach, especially when contrasted with the panic that has gripped other corners of the open-source ecosystem.

Article continues below

A screenshot of the Linux Kernel Project's GitHub repo, showing the new AI policy. — (Image credit: Linux Kernel Project)

Until now, major projects have taken wildly different approaches to the AI question. Over the last two years, prominent Linux distributions like Gentoo, as well as venerable Unix distribution NetBSD, moved to outright ban AI-generated submissions. NetBSD maintainers famously described LLM outputs as legally "tainted" due to the murky copyright status of the models' training data.

The core of this panic revolves around the Developer Certificate of Origin (DCO). As Red Hat pointed out in a thorough analysis late last year, the DCO requires humans to legally certify they have the right to submit their code. Because LLMs are trained on massive datasets of open-source code that often carries restrictive licenses like the GNU General Public License, developers using Copilot or ChatGPT can't genuinely guarantee the provenance of what they are submitting. Red Hat warned this could inadvertently violate open-source licenses and shatter the DCO framework entirely.

Legal headaches aside, project maintainers have also been fighting a losing battle against sheer volume. The open-source world is currently drowning in what the community has dubbed "AI slop." The creator of cURL had to close bug bounties after being flooded with hallucinated code, whiteboard tool tldraw began auto-closing external PRs in self-defense, and projects like Node.js and OCaml have seen massive, >10,000-line AI-generated patches spark existential debates among maintainers.

The cultural friction of undisclosed AI code has been even more volatile. Late last year, NVIDIA engineer and kernel maintainer Sasha Levin faced massive community backlash after it was revealed he submitted a patch to kernel 6.15 entirely written by an LLM without disclosing it, including the changelog. While the code was functional, it include a performance regression despite being reviewed and tested. The community pushed back hard against the idea of developers slapping their names on complex code they didn't actually write, and even Torvalds admitted the patch was not properly reviewed, partially because it was not labeled as AI-generated.

A screenshot of the ZDoom website's download page, showing GZDoom as a &quot;Historical&quot; project now. — GZDoom, the over-20-year-old 3D accelerated source port of Doom, has been relegated to "Historical" status now after a battle over AI-generated code last year. (Image credit: Future)

The Linux kernel isn't the only community dealing with the fallout of undisclosed AI assistance. Over in the gaming sphere, the legendary (and still quite-alive) Doom modding community was cleaved in two last year as Christoph "Graf Zahl" Oelckers, the longtime lead developer of the mega-popular GZDoom source port, was caught using undisclosed AI-generated patches. When community members called him out on the lack of transparency, Oelckers took a remarkably cavalier attitude, essentially telling his critics to "feel free to fork the project." The community called his bluff, resulting in the birth of the new UZDoom source port as the overwhelming majority of contributors to GZDoom fled to the new fork.

The GZDoom incident and the Sasha Levin backlash highlight exactly why the Linux kernel's new policy is so vital. Most of the developer community is less angry about the use of AI and more frustrated about the dishonesty surrounding it. By demanding an Assisted-by tag and enforcing strict human liability, the Linux kernel is attempting to strip the emotion out of the debate. Torvalds and the maintainers are acknowledging reality: developers are going to use AI tools to code faster, and trying to ban them is like trying to ban a specific brand of keyboard.

The bottom line is, if the code is good, then it's good. If it's hallucinatory AI slop that breaks the kernel, the human who clicked "submit" is the one who will have to answer to Linus Torvalds. In the open-source world, that's about as strong a deterrent as you can get.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

TOPICS

Zak is a freelance contributor to Tom's Hardware with decades of PC benchmarking experience who has also written for HotHardware and The Tech Report. A modern-day Renaissance man, he may not be an expert on anything, but he knows just a little about nearly everything.

42 Comments Comment from the forums

bit_user

The title said:
... says yes to Copilot ...
Where in the article does it say that?? The only mention of CoPilot is where it talks about LLM-generated code having unverifiable provenance.
Reply
Math Geek

i think the "yes to copilot" is in reference to using it as a tool to help write code. could be clearer for sure, but i believe that's the reference made.

the article does sum it up well though. overall, it's probably the best policy they can come up with. banning something and having no way to enforce it, would be rather pointless.

but holding the human accountable for what they submit is a solid way to address it. use tools available to you, but in the end make sure what you create actually works and is secure.
Reply
bit_user

Math Geek said:
i think the "yes to copilot" is in reference to using it as a tool to help write code. could be clearer for sure, but i believe that's the reference made.
If the author was simply using Copilot as a proxy for all LLMs, that's lazy and misleading. Or, perhaps simply ignorant - however, the rest of the article seems knowledgeable enough that I doubt this explanation.
Reply
Math Geek

oh yah, it is rather misleading. i don't think we're far enough into the AI world for one brand to get the nod as a generic catch all.

took a while for klee-nex, band-aid and others to get that ability. not there yet for AI world.

think i'd title it "Linux developers say AI tools ok, but the submitter will be held accountable for any and all AI slop submitted."

mainly due to my love of the phrase AI slop :)
Reply
bit_user

Math Geek said:
think i'd title it "Linux developers say AI tools ok, but the submitter will be help accountable for any and all AI slop submitted."

mainly due to my love of the phrase AI slop :)
I'd go with:
"Linux maintainers to allow clanker-assisted submissions, but developers will take the fall for any errors and no AI slop".
mainly due to my love of the term "clankers".
: D
Reply
bill001g

How do they think they can hold the human responsible on something they are not being paid for. They get a ban on being able to submit code? That will not fix the mess they made and someone else had to fix or at least discover.

The only place I have seen the human held responsible for the AI mess up are the handful of lawyers who have gotten they law license suspended. These guys will have no income for some period of time and even if they regain their license there are many judges and lawyers who will remember and be suspect of anything the submit.
Reply
USAFRet

bill001g said:
How do they think they can hold the human responsible on something they are not being paid for. They get a ban on being able to submit code? That will not fix the mess they made and someone else had to fix or at least discover.

The only place I have seen the human held responsible for the AI mess up are the handful of lawyers who have gotten they law license suspended. These guys will have no income for some period of time and even if they regain their license there are many judges and lawyers who will remember and be suspect of anything the submit.
Well, yes.
That person being banned. It happens all over.

And not everything submitted makes it to the actual codebase and release.
Reply
Math Geek

i assume there is some kind of peer review process and vetting before anything submitted is used. obviously i am not part of it nor have any first hand knowledge.

we are not talking about niche distros here but the actual underlying kernal and such for the OS. just based on how often it happens, it seems MS spends very little time vetting anything, hence all the update issues for windows. but we don't see very many problems on the linux side like that. so i assume everything is gone over rather well before going live.
Reply
bit_user

bill001g said:
How do they think they can hold the human responsible on something they are not being paid for.
Most Linux Kernel patch submissions are from full-time employees paid by their employer to work on the Linux Kernel. Most are either from hardware companies, big cloud providers, or Linux distro vendors. There are also some academics and an assortment of others, but the vast majority of patches come from the full-timers.

The mechanisms of holding them responsible include:
Rejecting their patch submissions.
De-prioritizing future patch submissions.
Banning from the mailing list (where patches are submitted).
Reply
palladin9479

bill001g said:
How do they think they can hold the human responsible on something they are not being paid for. They get a ban on being able to submit code? That will not fix the mess they made and someone else had to fix or at least discover.

The only place I have seen the human held responsible for the AI mess up are the handful of lawyers who have gotten they law license suspended. These guys will have no income for some period of time and even if they regain their license there are many judges and lawyers who will remember and be suspect of anything the submit.

It's simple, you remove them from the project and revert any code submissions they made erroneously. SCM makes this trivial to do since all code submissions are tagged and tracked by individual contributor.
Reply

Show more comments

Unparalleled insights. Industry analysis. Insider access.