Linus Torvalds and Dirk Hohndel at Open Source Summit North America 2026
SJVN/ZDNET
Follow ZDNET: Add us as a favorite source On Google.
ZDNET Highlights
- Torvalds likes the AI, but the AI sometimes doesn’t like Torvalds.
- The founder of Linux believes that there will always be work for programmers.
- AI remains a mixed blessing when it comes to finding and fixing security bugs.
Speaking at the Linux Foundation Open Source Summit North AmericaLinux creator Linus Torvalds said modern AI tools are reshaping the way developers work on the kernel, increasing the amount of contributions and exposing new social and security tensions in the open-source world. But he emphasized “AI is a great tool, but it’s a tool” rather than a wholesale replacement for programmers.
Now, if only companies on the left and right who are laying off tech workers would listen.
Also: Microsoft surprises with its first server Linux distribution: Azure Linux 4.0
Torvalds spoke to Verizon’s Open Source Program Office head Dirk Hohndel, who is also a Linux kernel maintainer and friend of Torvalds. Torvalds said that while the Linux kernel’s long-standing release process has been stable “for about 20 years” since it moved to Git, that trend broke about six months ago as AI coding tools took off.
“Over the last six months, we’ve seen a lot of commits,” Torvalds said, estimating that “in the last two releases, it’s been about 20% more commits than previous releases in several years.”
Initially, Torvalds misinterpreted the spike as excitement around a major version change: “At first I thought, ‘Hey, people are excited about the 7.0 release because I changed the major number from time to time…’ And it turns out I was wrong. The real change that happened over the last six months was that AI tools were actually good enough for a lot of people… We’re seeing a definite increase in development on almost all fronts.”
Torvalds acknowledged that the new tools lower the barrier of entry for contributors, reiterating Hohndel’s observation that “the tooling really lowers this initial barrier… (and) does a larger share of the work.” But he stressed that the real impact is social rather than purely technical: “Traditionally the big problem point in Linux, and I suspect in most projects, is not so much the code itself, but rather… when you’re forced to change the way you work.”
Also: Ubuntu Core 26 delivers an immutable Linux you can rely on until 2041
has been one of the biggest flashpoints The Linux kernel security mailing list, which Torvalds said was recently “overrun by duplicate reports” with AI.
“People think that when they find a bug with AI, the first reaction is sometimes, let’s send it to the security list, because that could have security implications,” he said. The result of the intentionally small, confidential list was that “we were flooded with people sending bugs, and then you had very few people on this list… and we spent all our time forwarding these reports… to other developers who knew that area better.”
AI and security
To deal with this, Torvalds announced new AI security disclosure guidelines with a strict rule: “If you find a security bug with AI, you should basically treat it as public, just because if you found it with AI, 100 other people also found it with AI.”
At the same time, he urged researchers not to publish working exploits: “When it comes to things that are really security issues, you don’t want to make the exploit public… Don’t be the guy who screams about it publicly and says, ‘Look, I can bring down this big company.'”
Torvalds linked the disclosure debate to broader changes in the security ecosystem. He said, in the past, the kernel community would quietly inform distributions about bugs and ask them to upgrade without providing details of the vulnerability, and “most of the time, no one would know what happened.” Now, with AI-accelerated analysis, he recalled that “Last week, we fixed the bug; within three hours, there was a blog post about the implications of that bug fix, because security people love attention.”
Also: Fourth Linux kernel glitch this month could lead to theft of SSH host keys
He argued that closing source is not the answer: “For example, I don’t think the solution is to not do open source, because if you think AI can’t reverse engineer closed source, you’d be surprised.” In fact, he warned, “Closed source is even worse in this regard, because AI can’t help you fix problems, but AI can certainly help you find those problems in the first place.”
Torvalds is right. While Windows vulnerabilities, except the really catastrophic ones, don’t get much attention anymore, AI is finding a lot of security holes in Windows too. As Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, recently said, “Microsoft’s total number of CVE patches will reach 1,139 in 2025,” which was the second-highest since 2020. Childs expects, “As AI bugs become more prevalent, this number is likely to be even higher in 2026.”
Meanwhile, at the Open Source Summit, Hohndel criticized vendors who promote vulnerabilities without responsibly coordinating fixes. He cited four recent local privilege escalation bugs in the kernel, “two of which were disclosed at all” along with brand names, domains, and logos, before contacting maintainers. “My reaction is always, here’s a company I never want to work with, because if you do this with the Linux kernel, you do this with anyone.”
Love, Hate and AI
As annoying as it is, Torvalds admitted to having a love-hate relationship with AI. He said, “I really like it from a technical standpoint. I like the tools. I find it very useful and interesting, but it’s definitely causing trouble.”
Also: 10 trillion downloads are crushing open-source repositories – here’s what they’re doing about it
On the positive side, he defined bugs discovered by AI as “short-term pain” with long-term benefits: “When AI finds a bug in any source code… the long-term is you find a bug, we fixed it, that the end result is better for it.” After all, he added, “I think it’s great to find bugs, because the real problem is all the bugs you don’t find.”
But he warned about “social bottleneck points and social pain points” as AI pours traffic into already highly dispersed communities, especially in “1000 to 1000 random projects that people maintain that are not Linux kernels.” For small teams or single maintainers, he said, flood-style AI bug reports can cause real burnout, especially when “it’s a bug report, and by the time you ask for more information, the person has done a drive-by and isn’t even answering your questions anymore.”
Torvalds said maintenance is becoming more about people rather than code. “For me, as a top-level maintainer, I don’t do a lot of coding. My job is to work with people, and I don’t use AI to work with people. Thank you. And let me suggest you don’t do that either.” Torvalds has come a long way since the days when he was known for treating poor coders with contempt.
AI and the future of programming work
Moving away from Linux, when asked what advice he would give to someone at the beginning of their career amid predictions that “all code will be written by AI”, Torvalds hit back at the marketing claims.
“My opinion has always been that AI is a great tool, but it’s a tool, and when I see people saying, ‘Hey, 99% of our code is written by AI,’ it really annoys me.”
He contrasted those claims with the reality that “100% of their code is written by compilers,” and traced their way from hand-entered machine code to assemblers, then compilers, and now AI helpers. “I grew up writing machine code, and when I say machine code, I don’t mean assembly language, I mean numbers,” he recalled, “It took me a while to understand that writing numbers and calculating offsets for branches is kind of stupid, and people came up with this tool called assembler, and then later I discovered that compilers are good too. These days, I’m realizing that AI tools are good too.”
So, Torvalds argued, “I’m personally 100% convinced that AI is changing programming, but it’s not changing the basic principles.” As compilers increase productivity “by a factor of 1000,” he estimates that “AI will increase your productivity by a factor of 10,” but emphasizes that “AI is great, but AI is not replacing programming.”
Instead, he argued, “Many people will use AI to generate the code that compilers use to generate the code that assemblers use to generate machine code. This is revolutionary in the same sense that we have seen revolutions before.”
The important thing, Torvalds said, is that developers still need to understand what their devices produce. “You want to understand how it all works ultimately,” he said. “Even when I use AI for my pet toy projects, I’ll use AI to generate code, I’ll look at that code, I’ll actually still look at assembly language… because that’s what I grew up with.” For any serious, long-term system, he cautions, “You not only need to understand your signals, but you also need to understand the end result, because that’s the only way you can make it last long.”
Also: 51% of professionals say AI workflow reduces their productivity – stop it in 2 steps
Throughout the session, Torvalds returned to a consistent theme: open source and now AI tools are powerful ways to manage software complexity, but they do not replace human judgment, community norms, and the need for a deep understanding of the systems being built.
“Software is very complex,” he said, and “the only good way to manage the complexity of a complex infrastructure is open source,” with AI now joining the ranks as just another tool in the programmer’s toolbox.
