On 28/5/26 09:34, Paolo Bonzini wrote:
Until now QEMU's code provenance policy declined any contribution
believed to include or derive from AI-generated content. A blanket ban
was easy to maintain while LLM output was rarely usable on its own, but
as the tools improved an absolute prohibition has become harder to
justify.
The concern that motivated the policy is unchanged, and it is worth
stating precisely: the DCO is about whether the submitter has the legal
right to contribute the code, not about "creative expression". The
copyright and license status of LLM output remains unsettled, so that
question is still open. What has shifted is the balance of risk:
- projects accepting AI-assisted content have not run into serious
legal trouble so far, which suggests the probability of the risk
materializing is not high;
- other organizations, such as Red Hat[1], have assessed the risk as
acceptable -- though a community of individual developers does not
have the legal backing of a company, and even an unfounded dispute
would be a long-lasting distraction from work on QEMU.
Revise the policy to permit AI assistance where the ramifications of
copyright violations are at least easy to revert and unlikely to spread:
tests, documentation, mechanical changes, and small bug fixes. Core code
that other things depend on, and that cannot simply be thrown away once
a problem is noticed long after the fact, stays off-limits without prior
agreement from a maintainer.
Related to this, and already visible in the incredible uptick in
security requirements, is the question of maintainer burnout and the
shift in effort from the author to the reviewer of the code. AI lowers
the cost of producing a patch but does nothing to lower the cost of
understanding and reviewing one; if anything it raises it, since a
reviewer can no longer assume that the submitter has reasoned through
every line. The limits above work just as much to keep the volume of
review work sustainable.
Furthermore, introduce "AI-used-for:" as a trailer to record where AI
was used, and include other suggestions that help reviewers judge
the result. The standard is slightly different from the more usual
"Assisted-by", which doubles as a check that the author has read the
policy.
In any case, use of AI does not relax any other contribution requirement:
authors still comply with the DCO and take responsibility for the whole
patch via Signed-off-by.
[Commit message largely based on
https://lore.kernel.org/qemu-devel/[email protected]/, by
Kevin Wolf. - Paolo]
[1]
https://www.redhat.com/en/blog/ai-assisted-development-and-open-source-navigating-legal-issues
Cc: Alex Bennée <[email protected]>
Cc: Alistair Francis <[email protected]>
Cc: Daniel P. Berrangé <[email protected]>
Cc: Kevin Wolf <[email protected]>
Cc: Michael S. Tsirkin <[email protected]>
Cc: Peter Maydell <[email protected]>
Cc: Warner Losh <[email protected]>
Link:
https://lore.kernel.org/qemu-devel/[email protected]/T/
Signed-off-by: Paolo Bonzini <[email protected]>
---
docs/devel/code-provenance.rst | 123 ++++++++++++++++++++-------------
1 file changed, 75 insertions(+), 48 deletions(-)
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
And with
https://lore.kernel.org/qemu-devel/[email protected]/:
Tested-by: Philippe Mathieu-Daudé <[email protected]>
