Daniel P. Berrangé <[email protected]> writes: > On Tue, Jun 16, 2026 at 07:06:23PM +0200, Christian Borntraeger wrote: >> Am 29.05.26 um 11:46 schrieb Paolo Bonzini: >> > -Exceptions do not remove the need for authors to comply with all other >> > -requirements for contribution. In particular, the "Signed-off-by" >> > -label in a patch submission is a statement that the author takes >> > -responsibility for the entire contents of the patch, including any parts >> > -that were generated or assisted by AI tools or other tools. >> > +.. code-block:: none >> > + >> > + AI-used-for: tests, docs >> > + AI-used-for: code >> > + AI-used-for: code (refactoring) >> > + AI-used-for: code (prototype) >> > + AI-used-for: research >> > + >> > +``AI-used-for`` should not be included for "background" usage such as >> > +autocomplete or obtaining a pre-review of the patch. >> >> So what about using AI for security scanning? So how do we want to treat >> a patch from a human that is based on an AI report. >> And if ok, would we then add something like >> >> Reported-by: Claude, chatgpt whatever? > > I see no need to provide advertizing for these tools. > > Our security disclosure rules require that the submitter acknowledge > they have reviewed any LLM output themselves before reporting. So > from that POV it is the human who gave us the report and whom > deserves the credit, not any tool or vendor. > > FWIW, although pretty much every security report recently smells > strongly of LLM (highly structured markdown with headings that > look the same from all reporters), almost none of them credit the > specific tool used anyway.
We have created a new label Audit Tooling: AI in the issues but the most interesting thing about that is to see how AI does compared to existing fuzzing and static analysis techniques. The underlying model isn't super interesting here.

>
> With regards,
> Daniel

--
Alex Bennée
Virtualisation Tech Lead @ Linaro
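Review bot: in the added paragraph that follows the code block, "background" usage is defined only by two examples (autocomplete and obtaining a pre-review of the patch), which leaves open whether a patch a human wrote from an AI-generated analysis or scan report needs an ``AI-used-for`` trailer. Suggest stating the criterion directly, for example whether the trailer is required only when tool output ends up in the submitted patch. The visible lines also do not say whether the example values (``tests, docs``, ``code (refactoring)``, ``research``) are a fixed vocabulary or free-form text, and one sentence on that would help anyone who later wants to parse or search the trailer.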
