AI bug reports went from junk to legit overnight, says Linux kernel czar

Miravi (thread author)
Aug 31, 2024
I was at a press luncheon at KubeCon Europe this week when, to my surprise, who should sit down next to me but long-term Linux kernel maintainer Greg Kroah-Hartman. Greg, who lives in the Netherlands these days, was there to briefly comment on AI, Linux, and security. We spoke about how, over the last month, AI-driven activity around Linux security and code review has "really jumped" in a way no one in the open source world saw coming.

"Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality," he said. "It was kind of funny. It didn't really worry us." Of course, there are many Linux kernel maintainers, so for them, AI slop isn't as burdensome as it is for, say, Daniel Stenberg, founder and lead developer of cURL, where AI slop reports caused the cURL team to stop paying bug bounties.

Things have changed, Kroah-Hartman said. "Something happened a month ago, and the world switched. Now we have real reports." It's not just Linux, he continued. "All open source projects have real reports that are made with AI, but they're good, and they're real." Security teams across major open source projects talk informally and frequently, he noted, and everyone is seeing the same shift. "All open source security teams are hitting this right now."
 
Greg Kroah-Hartman’s recent report marks a curious milestone in the relationship between AI and software security: bug reports that were previously dismissed as "garbage" or "slop" are now starting to be taken seriously. This doesn't seem like a minor shift, but rather a shared evolution:

  • Technical Progress: AI models have improved enough to detect real-world vulnerabilities, leaving behind the trivial errors that used to overwhelm maintainers.
  • Practical Adaptation: Those working with these tools have refined their vetting workflows, learning how to filter and present findings with much better judgment.
  • A New Open Source Dynamic: AI is beginning to be seen as a useful audit assistant, provided there is a human-in-the-loop for final verification.
⚠️ The Ongoing Debate
A healthy dose of skepticism is still necessary. Relaxing manual validation could open the door to critical bugs under a false sense of efficiency. Transparency and traceability remain key: it must be clear which part of the analysis comes from automation and which was verified by an expert.

Ultimately, this isn't about blind AI adoption, but recognizing a double evolution: the technology is gaining precision, and at the same time, human processes are becoming more adept at leveraging it without compromising code integrity. 🤖 🔍 🧠
 
The leap from 'slop' to actionable intelligence isn't just about the underlying models magically getting smarter overnight; it's entirely about how these tools are now being engineered and constrained.

The initial wave of AI bug reports failed because of the classic 'garbage in, garbage out' principle. Throwing entire, unstructured repositories at an open-ended prompt is a guaranteed recipe for hallucinations and false positives.

What we are seeing now with the Linux kernel's infrastructure, and tools like Sashiko, is the result of proper security pipeline design. Developers have figured out how to actually build instruction sets with strict guardrails and stipulations. Instead of asking an AI to broadly "find bugs," the tools are now forcing the models to look for specific vulnerability classes, map exact execution paths, and adhere to strict memory management rules. If the AI's internal logic can't satisfy those strict parameters, the report is dropped before a human ever has to waste time reviewing it.

We've stopped treating AI as a magic oracle that just guesses at problems, and started integrating it as a highly structured, heavily restricted review assistant. The human-in-the-loop is still absolutely necessary for final verification, but the quality of the initial triage has fundamentally changed for the better.
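The "strict parameters" gate described in the post above, as an added, hypothetical example that is not Sashiko's code and not anything from the kernel project: before a human ever sees a report, each candidate must name a recognised vulnerability class, point at a file that exists in the source tree, and give an execution path whose functions are all defined in that file and actually call one another in the stated order. Anything that fails is dropped with a reason. The miniature source tree, the report schema, the allowed-class list and the sample reports are all constructed for this example.

```python
"""Triage gate for AI-generated bug reports (hypothetical, constructed example).

A report is forwarded to a human reviewer only if:
  1. its vulnerability class is one the pipeline knows how to check,
  2. the file it names exists in the tree, and
  3. every function on its claimed execution path is defined in that file
     and each caller really contains a call to the next function.
Reports that cannot satisfy all three are dropped before review.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample source tree; not real kernel code.
SOURCE_TREE: Dict[str, str] = {
    "drivers/example/widget.c": """
static int widget_parse(const char *buf, size_t len) { return 0; }
static int widget_write(struct file *f, const char *buf, size_t len)
{
    return widget_parse(buf, len);
}
int widget_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    return widget_write(f, NULL, 0);
}
""",
}

# Vulnerability classes the (hypothetical) pipeline is allowed to report on.
ALLOWED_CLASSES = {"use-after-free", "out-of-bounds-write", "integer-overflow", "null-deref"}

# Matches a C function definition header up to its opening brace.
FUNC_DEF = re.compile(
    r"^\s*(?:static\s+)?(?:struct\s+\w+|\w+)\s*\*?\s*(\w+)\s*\([^;]*\)\s*\{", re.M
)


@dataclass
class Report:
    vuln_class: str
    file: str
    call_path: List[str]
    summary: str


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def function_bodies(src: str) -> Dict[str, str]:
    """Map each defined function name to its brace-delimited body (naive brace matching)."""
    bodies = {}
    for m in FUNC_DEF.finditer(src):
        start = m.end() - 1  # index of the opening '{'
        depth, i = 0, start
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        bodies[m.group(1)] = src[start:i + 1]
    return bodies


def triage(report: Report, tree: Dict[str, str] = SOURCE_TREE) -> Verdict:
    """Apply the three gates; collect every reason the report fails."""
    reasons = []
    if report.vuln_class not in ALLOWED_CLASSES:
        reasons.append(f"unknown vulnerability class {report.vuln_class!r}")
    src = tree.get(report.file)
    if src is None:
        reasons.append(f"file {report.file!r} not in tree")
        return Verdict(False, reasons)
    if not report.call_path:
        reasons.append("no execution path given")
    bodies = function_bodies(src)
    missing = [fn for fn in report.call_path if fn not in bodies]
    for fn in missing:
        reasons.append(f"function {fn!r} not defined in {report.file}")
    if report.call_path and not missing:
        # Each caller's body must contain a call to the next function on the path.
        for caller, callee in zip(report.call_path, report.call_path[1:]):
            if not re.search(rf"\b{re.escape(callee)}\s*\(", bodies[caller]):
                reasons.append(f"{caller} does not call {callee}")
    return Verdict(not reasons, reasons)


def triage_batch(reports: List[Report]) -> Tuple[List[Report], List[Tuple[Report, Verdict]]]:
    """Split reports into those forwarded to a human and those dropped (with verdicts)."""
    forwarded, dropped = [], []
    for r in reports:
        v = triage(r)
        (forwarded if v.accepted else dropped).append(r if v.accepted else (r, v))
    return forwarded, dropped


# Constructed sample reports: one well-formed, three that a gate should reject.
GOOD = Report("use-after-free", "drivers/example/widget.c",
              ["widget_ioctl", "widget_write", "widget_parse"], "buf reused after release")
BAD_PATH = Report("use-after-free", "drivers/example/widget.c",
                  ["widget_ioctl", "widget_parse"], "claimed direct call that does not exist")
BAD_FILE = Report("null-deref", "drivers/example/gadget.c", ["gadget_open"], "file invented")
VAGUE = Report("memory bug", "drivers/example/widget.c", [], "something looks off")
SAMPLE_REPORTS = [GOOD, BAD_PATH, BAD_FILE, VAGUE]

if __name__ == "__main__":
    forwarded, dropped = triage_batch(SAMPLE_REPORTS)
    print(f"forwarded to human review: {[r.summary for r in forwarded]}")
    for r, v in dropped:
        print(f"dropped: {r.summary!r}: {'; '.join(v.reasons)}")
```

The call-order check is a regex over function bodies, which is enough to show the idea; a production pipeline would take the call graph from the compiler or an indexer rather than from text matching, and the point stands either way: a report that cannot state which class of bug it found, where, and along which path never reaches a maintainer's inbox.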