Linux kernel just shipped ai code rules. the assisted-by tag is smarter than i expected
Posted by Electrical-Shape-266@reddit | ExperiencedDevs | View on Reddit | 77 comments
Been following the kernel mailing list discussions about AI generated code for months. they finally merged the policy into the docs and honestly its more thoughtful than most corporate AI policies ive seen.
The tldr: ai tools are fine to use, but you sign off on everything. no AI gets a Signed-off-by. theres a new Assisted-by tag that tracks what model and tools you used. and if your ai generated patch breaks something, thats on you, not the model vendor.
What i find interesting is the tag format itself. its not just "used chatgpt". its structured like Assisted-by: Claude:claude-3-opus coccinelle sparse. so you know the model version AND what analysis tools were paired with it. that level of traceability is actually useful for post-incident review.
Greg kroah-hartman said something interesting too. around february this year the quality of ai generated security reports flipped almost overnight. went from obvious slop to legitimate findings. nobody knows exactly why.
Ive been using ai tools for about a year now. verdent for planning refactoring tasks, claude for generation, copilot for autocomplete. the output quality varies wildly depending on context and review effort.
Last month an ai generated migration looked perfect. tests passed, types checked out. deployed to staging and it silently corrupted a json field because the model didnt understand our custom serialization layer. took two days to trace. exactly the kind of thing this policy tries to prevent.
The choice of Assisted-by over Generated-by was deliberate. most real usage is ai helping with parts of the work, not generating entire patches. that framing feels right.
Torvalds said he doesnt want the docs to become an "AI position statement". just treat it as a tool, document what you used, own the result. most places i know have either "no ai allowed" or "do whatever" with nothing in between. the kernel approach is a solid middle ground
Expert-Reaction-7472@reddit
not sure why the tool used is relevant.
I don't put "written in vscode" on stuff I write manually.
micseydel@reddit
Personally, I want to know the source of the hallucinations, which was not an issue before the LLM era.
tongboy@reddit
This keeps bouncing around in my head.
what would something like a commit sha for a model's turns actually look like? Like a PR view but for the model to see what went well and what went wrong.
an "open ai"(groan) vs "open source".
It's more than telemetry. It's different per harness/model provider.
micseydel@reddit
I have my own harness that centers personal knowledge management and code rather than AI.
Any reason markdown/json in git wouldn't work?
tongboy@reddit
There isn't enough context with a model/version to do any of that. Context window, prompt, environment, etc.
Until we have something like a commit sha that encapsulates the state of the model as well as the model to cite it's all pointless anyways.
The only thing that actually matters is the owner/blame and that's whomever is the commit author.
Expert-Reaction-7472@reddit
thanks for making my point more saliently than I was able to
PracticalMushroom693@reddit
It’s not at all the same though is it? Vs code is effectively a fancy text editor
Expert-Reaction-7472@reddit
LLMs are fancy text editors
Nexhua@reddit
Well vscode has no affect on the code you write. You would get the same code on any editor since you are writing it.. What a silly take
Any-Farm-1033@reddit
The assisted-by format is smart. i use verdent at work and it already tracks which models were involved in each task through its difflens thing. having that kind of audit trail built into the tool makes compliance way easier than manually adding tags to every commit
Plastic_Monitor_5786@reddit
Who else misses the days when every subreddit wasnt filled with LLM outputs.
candraa6@reddit
fr, this screams low effort AI generated post, I wonder why mod hasn't take this down.
These wording is a dead giveaway of AI generated post.
new2bay@reddit
a. Who cares? It's a good post on its own merits.
b. No, it isn't, unless they told the LLM to insert a shitload of typos and capitalization misses.
Plastic_Monitor_5786@reddit
The "incorrect" capitalization is very common trope on these AI posts.
CircumspectCapybara@reddit
It's not, because AI these days tends to get things word perfect in terms of spelling and grammar.
Plastic_Monitor_5786@reddit
Having perfect grammar or not having it can't tell you very much. LLMs are capable of writing in many different styles, including this 'how do you do fellow humans' one. The systematic miscapitalization seen in OP is extremely common with bot posts now.
candraa6@reddit
At least I care, these AI generated posts usually lack of depth and research, which could lead misinformation, they just copy-paste what the AI "deep-research" / "web-search" output and that's it (which we know AI prone to hallucination and outdated infos), no further verification done whatsoever. and most of them are just shill marketing.
Furthermore, when you interface / use AI extensively yourself, you became kinda fed up with these AI style writing, because you know how much these AI throws baseless arguments to your face, it somewhat triggers some "ick" to your brain, an unconscious alarm that tells you "these post should not be trusted", or "what bullshit tools this post would sell me today".
tbf, these some AI generated post that brings some value, and usually it comes from the author experience, not just from digested info from internet. And this post is the latter, sadly.
Pl4nty@reddit
it's a subtle ad for verdent, can tell because it's not the only one
mega_structure@reddit
Or they just spent 30 seconds inserting errors to try and make it look human-written
propostor@reddit
This sub has genuinely been ruined but AI/LLM spam and I am amazed the mods haven't done anything about it yet.
timabell@reddit
You really hit the nail on the head with that one —
lol, just kidding, took me while to find an em-dash to copy paste just for the lolz. Yeah it's a bit of an issue. I mind a little bit less real people tidying up their messy badly thought through thing with an ai, but it still ends up smelling of I don't know, plastic somehow?
new2bay@reddit
If you're on Linux, you can do ctrl+shift+u 2014 to get an em-dash — like this!
kRkthOr@reddit
And if you're on windows,
WIN + .for the emoji panel -> symbols tab -> first row.geft@reddit
Alt-0151 is faster.
kRkthOr@reddit
True, but I ain't gonna remember that :D
aeroverra@reddit
We have crossed I to a new era the kids will never experience.
EnderWT@reddit
And OP is part of the problem. Just one example post: https://www.reddit.com/r/OnlineIncomeHustle/comments/1r785ue/made_1200_in_a_month_after_realizing_most_side/
mega_structure@reddit
And all they do to try and "disguise" it is use less capitalization. It's so lazy that it's insulting
annoying_cyclist@reddit
You say that, and I say that, but posts like this pretty reliably get hundreds, sometimes thousands of upvotes and a lot of comments here (and on CSCQ and other SWE-adjacent subs). Either people actually do find the topics interesting in spite of the obvious AI generation and lack of participation from OP, people are very easily fooled by "ok make your writing look human by writing like you're gen Z typing into a phone", or there are a bunch of AI slop upvoting rings.
Downvoting is one of the most obvious ways we have as a community to reject stuff like this. If AI spam is reliably downvoted, one of the main incentives to post it goes away. Until then, we'll keep seeing it here.
engineered_academic@reddit
We do try to limit these to Wednesdays and Sundays UTC.
Izkata@reddit
People have often wondered why people in Star Trek liked low-tech things for entertainment, like poker or putting on a play or musical performances (particularly TNG-era), but it seems we're getting firsthand experience of it.
Grouchy-Sun-2039@reddit
CVPKR@reddit
Yet they expect you to ship 20x the code
410_clientGone@reddit
and they expect you to take ownership as well. if they tell to blame AI and move on, they would be expecting 100x not 20x
CVPKR@reddit
Right let's all magically be able to review at 20x speed and have context for everything
410_clientGone@reddit
skill issue. get a pr stamp from AI
Kapps@reddit
It’s never not the case. It’s common sense everybody knows. But it sounds provocative to the AI slop bot that posted this.
new2bay@reddit
I don't honestly think everybody does know, especially nontechnical people. That's a problem.
moreVCAs@reddit
i’m guessing this is a hedge when maintainers start taking privileges away from bad/naive actors.
Tenelia@reddit
I'm old enough to code the first time we had proper IDE and then later intelliSense coding... While wars were waged between C# and C++, even as the Python 2 community tried to resist Python 3...
Time and time again, the story's always the same. Instead of saying "X Tool Will Fix Everything!", wise leaders quietly flip the script back to accountability and responsibility. It is always: "You are the one fixing it. Not the Tool. If it goes wrong, it's on you." Always put humans first.
That's why we have entire training programmes for stuff like human-centric design, design thinking, multi-disciplinary coordination... NOT just allowing humans to shove off their choices to the tools and call it a day.
ThatSituation9908@reddit
Keeping track of developer’s tool as provenance data is kinda weird to me.
Why stop at AI? Shouldn’t you also want to know which IDE, LSP, etc I’m using?
Then also, who cares? We review every code as if you generated it.
The only thing this is useful for is to collect data about generated code vs organic code.
halting_problems@reddit
🤓☝️this is my random moment to nerd out. I'm a AppSec engineer, you hit on a topic very close to me and my pain.
the amount of times I had a need to know about what exactly was running in a IDE or a devs machine is high and these level of observability needed is only increasing as Supply Chain compromises are increasing.
Theres deffinitly a blind spot in most orgs where anything external to the source code and running on the host is expected to be observable by endpoint detection but they are always lacking to some extent. Like being able to see vscode running but nothing that installed in the IDE
but this is one of those thing that’s no one else really has a need for or cares about on a day to day basis besides security and governance.
As for tagging models, if the org is pro-ai I think it can be useful in facilitating discussion. Like if there is an influx of rejected PRs and they are all the same model.
Or if a model was poisoned with a backdoor, tracking down all code used with that model.
I think more could be gained by tagging mcp tool usage. basically for all the security reasons imaginable
ThatSituation9908@reddit
I didn’t think about *Sec, which you make a good point for businesses. Here I’m mostly focused on open source contribution which developers volunteers their tools and experiences. I don’t think we can mandate their dev environment despite our concerns about Sec.
Foreign_Addition2844@reddit
This - also should include the city/country of the coder. I would like to know if someone in China just added a line of code to the Kernal.
moreVCAs@reddit
for your bug, sounds like it was incorrect code that didn’t get properly tested/reviewed.
assuming I’ve understood that correctly, i have two genuine questions:
Signal_Run9849@reddit
I have the answer to this question. If you built it yourself you would have had to research first and you would have come across the serialization issue by virtue of exploration. AI does no such exploration but the assumption of that research is there when any senior dev puts up a PR, it is somewhat built in to our internalized assumptions that you can take some things for granted or else we would go insane reviewing PRs. knowing AI did something lets you put your guard back up and ask questions you would normally take for granted
moreVCAs@reddit
that doesn’t answer my question, that’s my point. but i think i did misunderstand. OP i guess is saying that had there been attribution on the migration changes, then those changes would have been the first place to look or would have carried more weight in review.
but that still leaves the second question - they are saying that the migration “looked perfect”, but it isn’t clear by what standard.
kRkthOr@reddit
It's just AI slop. You're wasting way too much time on trying to understand. The whole paragraph about "the bug" is extremely obviously written by an LLM.
moreVCAs@reddit
yeah fair. so fucking sick of this shit.
itb206@reddit
Right my question here is how did it "look perfect" if the serialization layer was broken. Either they read the code and also didn't understand their own serialization layer enough to catch that, or they didn't read that bit.
Either is kind of problematic in different ways and in the first case if it was handwritten maybe the same bug would have been produced.
new2bay@reddit
It's pretty common for LLM code to look plausible and be subtly wrong.
moreVCAs@reddit
100%. nothing stochastic here. if you can have a “perfect” diff that breaks serde in production, your “perfect” detector is busted.
_vec_@reddit
It's usually a bit of both, though, right? Someone who does probably understand the serialization layer well enough if you gave them a few minutes to re-read the documentation or cross check a few examples skimmed over code that looked close enough to right for them not to notice and double check. That's could just as easily happen for a purely organic bug, but I think it's still an open question whether we need to use the same mitigation strategies for both cases.
DaRadioman@reddit
I mean tests should cover it. Clearly their test coverage is lacking is the serialization takes understanding and that understanding should always be validated by a test.
If a human coder could 100% make the same mistake and humans signed off on the code review, then you have a test coverage or process problem, not an AI problem. You just discovered it via AI (and potentially have been getting lucky so far)
_vec_@reddit
Well, yeah. I mean, wholly perpendicular to the AI question, this specific class of bug is one of the big reasons why you don't want to do anything except schema changes in your migrations if you can possibly help it. The test suite usually runs migrations against a mostly empty database, so it falls through the cracks in a way that's pretty cumbersome to prevent.
CandidateNo2580@reddit
Not OP but I would just be interested to track what tools are being used by the kernel developers over time - I would imagine regular contributors to the Linux kernel are a cut above the rest of us in terms of knowledge and skill, and knowing something is helping them consistently is as good a signal as you can get that a tool is solid under all conditions.
Separately, ironically, I think the "AI shipped this bad code" comment is what the Linux policy is targeted at dispelling. The entire point of this policy is that no one is allowed to, in retro, say "oh well that wasn't me, that was AI." You now have to be explicit about AI use in a way that prevents you from blaming the bug on AI. It was always your bug, but now they're making you claim it as yours formally because the "the AI didn't understand and shipped a bug, I would've caught it" sentiment is at best laziness and at worst outright incompetence.
aeroverra@reddit
Honestly not a bad idea to implement this for my team...
VastEnd8538@reddit
How can i test it
Ibuprofen-Headgear@reddit
So business as usual? I don’t get what’s particularly interesting about this. You’re responsible for your contribution, using a hammer to bludgeon someone doesn’t make estwing liable either. And as to the assisted-by stuff, you could just like not add that… Seems pretty straightforward to have some tool do some work then submit changes as normal (what I mean is, that’s “unenforceable”, so I have to presume they’re using that for some other reason)
kRkthOr@reddit
The AI that wrote this post doesn't know the "assisted-by" can be avoided by just pushing the code yourself so it thought this was ground-breaking.
coredweller1785@reddit
How is this Assisted By generated? Is there a tool or skill? Could they fake it?
Want to try it out
DanLynch@reddit
It's just some words in the commit message, not magic. You can type it by hand or generate it however you want. You can easily fake it if you want, but that would be dishonest.
curiouscuriousmtl@reddit
> and if your ai generated patch breaks something, thats on you, not the model vendor.
Honestly how did you think this was going to go? Isn't this the obvious way to do it? Do you think you can present code and then just tell them to call OpenAI if it doesn't work?
PeachScary413@reddit
It doesn't think.. it's a clanker.
viral3075@reddit
it's something but how could you possibly claim it's the "middle" ground? this is just a reasonable start. it's so easy that this was my my thinking 2 years ago. it should already be in git and everywhere there is an "author" field or other metadata. tagging isn't a new thing
fallingfruit@reddit
thanks for your llm spam
FlynnsAvatar@reddit
This has been our approach from the beginning. Any code generated by Ai is decorated. All code undergoes review just like any other code in a PR…and you sure as hell better understand it as you are held accountable for it in the PR.
IAmQueeg500@reddit
This. Absolutely no idea in what world the dev instructing the ai tool and doing the final commit isn’t accountable for behaviour and quality.
manticore26@reddit
The intention is good, but wondering what exactly they mean by accountability here, being forbidden to contribute moving forward while someone else clean the mess?
I’d say this is one of the biggest problems that surfaced with AI, when the process was exclusively human, there was the implication that author of a PR needed to do quality work so that reviewers would be able to properly review things and possibly catch issues.
Now the onus and responsibility shifts completely to reviewers, as quality decreases and context increases (as after all, code is “cheap” now). IMO there is a need to rethink the whole industry, not just policies, but it will be interesting to see how all of this will play out for them.
Hziak@reddit
To be fair, the industry has always been like this. Poor quality contributors getting “must wins” in despite failing code reviews and the rest of us having to clean up the mess later. The only difference is now that they can create 20k LoC PRs in an afternoon. In my opinion, the struggle is more from the lack of window that seniors and leads have to ideate/solution with devs while they’re working and doing practical discovery. Before, I’d have at least 2-3 daily stands with a dev before they’d finish any task with appreciable complexity to hear about and critique their approach. Now, I just get sloppy PRs after a day or two and tell them I don’t like their concept during review leaving them to start over.
manticore26@reddit
For sure, that’s part of the reason why I say that we need to rethink the industry. We already had a lot of issues derived from transforming bad metrics into goals (looking at you sprint speed). And now things will only get more messy as companies will start to use the stick since carrots didn’t go far.
Only-Fisherman5788@reddit
the Assisted-by tag solves the provenance problem, which is half the puzzle. the other half is harder: knowing whether the assisted code is actually right for the specific change it was meant to make, not just whether the pattern looks plausible to a reviewer at 11pm.
greg's observation about security reports flipping in february tracks with something a lot of teams have been seeing. the floor on ai output rose fast, which is exactly when "looks legitimate" and "is legitimate" start diverging dangerously. pre-flip you could reject obvious slop. post-flip the code compiles, passes basic checks, and reads fluently, but can still be wrong on the exact thing the patch was meant to do.
the accountability clause is what forces the review discipline. the policy basically reads: "the tool is cheap, the judgment is still expensive."
RustOnTheEdge@reddit
The issue remains. With code, you can read “between the lines”, you see the codification of human intent. With AI generated code, you don’t get that. You get “soulless” code, there is no intent. It may work and it may be perfect, but as a reviewer it is just horrifically difficult to assess if the submitter actually thought this through or not. I am not saying AI can’t produce good code.
It’s the same with fake news: there is just too much of it and combatting it takes too much time; it’s easier to produce than to debunk. The same with ai generated PRs; it takes a lot more time to ask questions as to “what trade offs did you make” or “why did you place this here and not there” than it is to write four sentences in Claude and submit that PR for internet (or resume) points.
I don’t have the solution, but if either the submitter or the reviewer is fully relying on AI, we are going to stop learning from one another, and the world will be a worse place for it.
Routine_Internal_771@reddit
This is pretty standard within the open source world. Linux is following a well-trodden path here (not that it's wrong, it's just not groundbreaking).
69f1@reddit
Do you mean this three months old doc? https://github.com/torvalds/linux/blob/master/Documentation/process/generated-content.rst
HobbyProjectHunter@reddit
I believe the mega rewrites that AI coding tools to when they go off the rails are a problem. If AI assisted coding is following the usual LKML guidelines,
When you merge thousands of lines of AI generated code, and there’s really no reason for the generated code to follow the projects guidelines.
CaffeinatedT@reddit
Hopefully when the AI use targets go the same way as Lines of Code metrics this is about what the industry is left with of AI as a tool and people are still accountable.