Speaking at the Linux Foundation's Open Source Summit North America, Linux creator Linus Torvalds offered a candid assessment of how modern AI tools are reshaping kernel development while cautioning against overhyped claims and irresponsible security disclosures. Torvalds insisted that AI is a great tool but remains a tool, not a wholesale replacement for programmers. The comments come amid a wave of tech layoffs that have fueled anxiety about the future of software development careers.
How AI disrupted 20 years of kernel releases
Torvalds, joined by Dirk Hohndel, head of Verizon's Open Source Program Office and a Linux kernel maintainer, noted that the kernel's release process had been stable for exactly 20 years since the move to Git. That trend broke about six months ago as AI coding tools gained traction. 'In the last six months, we've seen a lot more commits,' Torvalds said, estimating that the last two releases saw about 20 percent more commits than previous releases over many years.
Initially, Torvalds misread the spike as excitement around a major version change, but he soon realized the real driver was AI tools becoming good enough for a broad range of contributors. He acknowledged that these tools lower the barrier for entry, echoing Hohndel's observation that the tooling does a big chunk of the work. However, Torvalds emphasized that the most significant impact is social rather than technical. 'The big pain points in Linux, traditionally, and I suspect in most projects, have not been so much the code itself, but when you are forced to change how you work,' he said.
AI and security disclosures
One of the biggest flashpoints has been the Linux kernel security mailing list. Torvalds reported that the list was recently 'overrun by duplicate reports' generated with AI. People finding bugs with AI often immediately send them to the security list without verifying whether the bug is unique or even a genuine security issue. The result, on a deliberately small, confidential list, was that maintainers spent all their time just forwarding reports to relevant developers.
To cope, Torvalds announced new guidelines for disclosing AI-found security bugs: 'If you find a security bug with AI, you should basically consider it to be public, just because if you found it with AI, 100 other people also found it with AI.' He urged researchers not to publish working exploits, warning against seeking attention at the expense of responsible disclosure. 'Don't be that guy who then crows about it publicly and says, “Look, I could bring down this big company.”'
Torvalds linked the disclosure debate to broader shifts in security analysis. In the past, the kernel community would quietly notify distributions and ask them to upgrade without detailing the vulnerability. Now, with AI-accelerated analysis, bug fixes are often dissected within hours. Torvalds noted that last week a bug was fixed and within three hours there was a blog post about its implications. He argued against closing source code, stating that closed source is even worse because AI can still find problems but cannot help fix them.
Hohndel also criticized vendors who hype vulnerabilities without coordinating fixes. He cited four recent local privilege escalation bugs in the kernel, two of which were disclosed with branded names, domains, and logos before maintainers were contacted. 'My response is always, here is a company I never want to work with, because if you do that to the Linux kernel, you do this to anyone,' Hohndel said.
Love, hate, and AI
Torvalds admitted to a love-hate relationship with AI. 'I actually really like it from a technical angle. I love the tools. I find it very useful and interesting, but it is definitely causing pain points,' he said. On the positive side, he framed AI-discovered bugs as short-term pain with long-term benefits. 'When AI finds a bug in any source code… long term is you found a bug, we fixed it, that the end result is better for it… I think finding bugs is great, because the real problem is all the bugs you didn't find.'
However, he warned of social choke points as AI pours traffic into already overstretched communities, especially in the thousands of random projects maintained by small teams or solo maintainers. Flood-style AI bug reports can cause real burnout, especially when submitters perform drive-by reporting and do not respond to follow-up questions. Torvalds noted that maintenance is increasingly about people rather than code. 'For me, as a top-level maintainer, I don't do a lot of coding. My job is working with people, and I do not use AI to work with people. Thank you. And I should suggest you don't do that either.'
The future of AI and programming work
Stepping away from Linux, Torvalds addressed doom-and-gloom forecasts that all code will be written by AI. He pushed back hard on marketing claims. 'My opinion has always been that AI is a great tool, but it's a tool, and when I see people saying, “hey, 99% of our code is written by AI,” I literally get angry.' He contrasted those claims with the reality that 100% of their code is written by compilers, tracing his own path from hand-entered machine code to assemblers, then compilers, and now AI helpers.
Torvalds recalled writing machine code as numbers, calculating offsets for branches by hand. He eventually learned about assemblers and later compilers. Now he sees AI as the next step. 'I'm personally 100% convinced that AI is changing programming, but it's not changing the fundamentals.' Just as compilers increased productivity by a factor of 1000, he estimates AI will increase productivity by a factor of 10, but insists AI is not changing programming. Instead, he sees a layered abstraction: 'A lot of people will use AI to generate the code that the compilers use to generate the code that the assemblers then use to generate the machine code. This is revolutionary in the same sense that we've seen revolutions before.'
Crucially, Torvalds said would-be developers still need to understand what their tools produce. 'You do want to understand how it all works in the end. Even when I use AI for my pet toy projects, I will use AI to generate code, I will look at that code, I will actually still look at the assembly language… because it's what I grew up with.' For any serious, long-lived system, he warned, 'you need to understand not just your prompts, but you need to understand the end result too, because that's the only way you can maintain it long term.' Throughout the session, Torvalds returned to a consistent theme: open source and now AI tools are powerful ways to manage software complexity, but they do not replace the need for human judgment, community norms, and a deep understanding of the systems being built.
Source: ZDNET News