On Tue, Jun 16, 2026 at 07:06:23PM +0200, Christian Borntraeger wrote:
> On 29.05.26 at 11:46, Paolo Bonzini wrote:
> > -Exceptions do not remove the need for authors to comply with all other
> > -requirements for contribution.  In particular, the "Signed-off-by"
> > -label in a patch submission is a statement that the author takes
> > -responsibility for the entire contents of the patch, including any parts
> > -that were generated or assisted by AI tools or other tools.
> > +.. code-block:: none
> > +
> > +     AI-used-for: tests, docs
> > +     AI-used-for: code
> > +     AI-used-for: code (refactoring)
> > +     AI-used-for: code (prototype)
> > +     AI-used-for: research
> > +
> > +``AI-used-for`` should not be included for "background" usage such as
> > +autocomplete or obtaining a pre-review of the patch.
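
Review bot: The "background" exclusion in the last added paragraph names only autocomplete and pre-review, and the example values above it (tests, docs, code, research) do not say where AI-driven analysis that prompted a patch belongs, such as a bug or security finding produced by a tool. Consider adding a sentence that states whether that case gets an AI-used-for tag (for example under "research") or counts as background. Separately, the paragraph tying "Signed-off-by" to responsibility for AI-assisted parts is deleted here and the quoted lines do not show a replacement; keep or restate it so the tag is not read as shifting responsibility away from the author.
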
> 
> So what about using AI for security scanning? So how do we want to treat
> a patch from a human that is based on an AI report?
> And if ok, would we then add something like
> 
> Reported-by: Claude, chatgpt whatever?

I see no need to provide advertising for these tools.

Our security disclosure rules require that the submitter acknowledge
they have reviewed any LLM output themselves before reporting.  So
from that POV it is the human who gave us the report and who
deserves the credit, not any tool or vendor.

FWIW, although pretty much every security report recently smells
strongly of LLM (highly structured markdown with headings that
look the same from all reporters), almost none of them credit the
specific tool used anyway.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

