Linux security mailing list 'almost unmanageable'

AI-generated security reports and Linux workflow

  • Discussion centers on AI tools causing a surge of security bug reports to the private Linux security mailing list.
  • Many reports are about genuine issues, but the same bug is rediscovered and reported repeatedly by different people using similar AI setups.
  • This makes the private list “almost unmanageable” and undermines secrecy: if AI can find a bug easily, it’s effectively public already.
  • New kernel docs now say that if AI was used to find a bug, it should be treated as public and not sent to the private security list.

Duplicates, false positives, and spam

  • A major pain point is deduplication: recognising that several reports describe the same bug and collapsing near-duplicates (same function, same file, different wording) into one item instead of triaging each separately.
  • Some argue AI-found bugs have extremely high false-positive rates and that low-skill “security research” is DDoSing lists with low-value reports.
  • There are also examples of outright spam: giant, likely AI-generated nonsense patch dumps, possibly to poison future models.

Proposed solutions and workflows

  • Suggestions include:
    • Use issue trackers or closed trackers with public mail gateways for easier duplicate handling.
    • Apply AI/other automation for triage: grouping similar reports, flagging likely nonsense, checking versions and recent patches.
    • Create separate lists/queues for AI-generated reports or treat such reports as public by default.
    • Require minimal reproduction steps or concise summaries; classify non-reproducible “AI slop” as spam.
    • Consider anonymity for reporters to remove fame/job-hunting incentives, though others worry this removes reputation signals.
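The deduplication and triage automation proposed above, as an added worked example that is not code from the thread or from the kernel's own tooling. It groups reports by the code references they share (function names and source paths, which survive rewording better than prose does), falls back to word-shingle similarity when a report has no such references, and then applies the routing rules the thread discusses: AI-assisted finds go to the public queue, reports with neither a code reference nor reproduction steps are flagged as spam suspects, everything else stays private. The sample reports are constructed, and every regex, threshold and the `REPORTS` / `triage` names are assumptions for the illustration, not a description of how the security list actually operates.

```python
"""Toy triage for a security-report inbox: near-duplicate grouping plus
routing hints.  Added illustration, not kernel.org tooling; every regex,
threshold and name below is an assumption chosen for the constructed sample."""
import re
from collections import OrderedDict

# Constructed sample reports (not real submissions to any security list).
REPORTS = OrderedDict([
    ("r1", "Use-after-free in drivers/net/foo.c: foo_close() frees priv, then "
           "foo_poll() reads it. Found with an LLM-based scanner. Kernel v6.12.1. "
           "Steps to reproduce: open the device, unplug it, poll."),
    ("r2", "UAF: foo_poll() dereferences priv after foo_close() in "
           "drivers/net/foo.c. Discovered by an AI agent. Tested on 6.12.1."),
    ("r3", "Integer overflow in fs/bar/super.c, bar_parse_options(): "
           "count * size wraps on 32-bit. No reproducer yet."),
    ("r4", "I rewrote the whole scheduler for 300% performance, 40k lines "
           "attached, please merge."),
])

# Heuristics (assumptions): C identifiers followed by '(' and source paths
# under common top-level kernel directories.
SYMBOL_RE = re.compile(r"\b[a-z_][a-z0-9_]{3,}\b(?=\s*\()")
PATH_RE = re.compile(
    r"\b(?:arch|drivers|fs|include|kernel|lib|mm|net|security|sound)/[\w/.-]*\w")
VERSION_RE = re.compile(r"\bv?(\d+\.\d+(?:\.\d+)?(?:-rc\d+)?)\b")
STEPS_RE = re.compile(r"steps to reproduce|reproducer:|\bpoc\b", re.I)
AI_RE = re.compile(r"\b(?:llm|ai|language model)\b", re.I)


def fingerprint(text):
    """Code-level identifiers: the part of a report that survives rewording."""
    return set(SYMBOL_RE.findall(text)) | set(PATH_RE.findall(text))


def shingles(text, k=3):
    """Word k-grams of the normalised text, used when no code references exist."""
    words = re.sub(r"[^a-z0-9]+", " ", text.lower()).split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def similarity(t1, t2):
    f1, f2 = fingerprint(t1), fingerprint(t2)
    if f1 and f2:
        return jaccard(f1, f2)                   # compare by code references
    return jaccard(shingles(t1), shingles(t2))   # otherwise by wording


def group_duplicates(reports, threshold=0.5):
    """Greedy grouping: each report is compared against the representative
    (first member) of every existing group, in arrival order, and joins the
    first one it is similar enough to.  Returns {report_id: leader_id}."""
    leader = {}
    for rid, text in reports.items():
        for lid in dict.fromkeys(leader.values()):   # leaders, in order
            if similarity(text, reports[lid]) >= threshold:
                leader[rid] = lid
                break
        else:
            leader[rid] = rid
    return leader


def triage(reports, threshold=0.5):
    """Per-report routing hints mirroring the thread's proposals: AI-assisted
    finds are treated as public, reports with no code reference and no
    reproduction steps are spam suspects, the rest stay in the private queue."""
    leader = group_duplicates(reports, threshold)
    out = {}
    for rid, text in reports.items():
        fp = fingerprint(text)
        steps = bool(STEPS_RE.search(text))
        version = VERSION_RE.search(text)
        if AI_RE.search(text):
            route = "public"
        elif not fp and not steps:
            route = "spam-suspect"
        else:
            route = "private"
        out[rid] = {
            "route": route,
            "duplicate_of": None if leader[rid] == rid else leader[rid],
            "version": version.group(1) if version else None,
            "needs_repro": not steps,
        }
    return out


if __name__ == "__main__":
    for rid, info in triage(REPORTS).items():
        print(rid, info)
```

The fingerprint comparison is deliberately strict: two reports that name the same functions and files are almost certainly the same finding, while the shingle fallback only matters for reports that carry no code references at all, which is itself a signal worth surfacing. The AI-disclosure check is a keyword heuristic and will miss reporters who do not say how they found the bug, so it can only complement a policy asking reporters to state it.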

Attitudes toward AI in security

  • Many commenters see AI as a powerful tool that can both amplify useful work and massively amplify low-effort noise.
  • There’s tension between AI as a real contributor to finding serious bugs and AI as “the most powerful spam weapon ever invented.”
  • Some want maintainers to lean into AI agents for triage and review; others strongly reject pushing more AI into already-noisy pipelines.

Mailing lists vs modern collaboration tools

  • Extended debate over why kernel development still relies on mailing lists instead of forums/issue trackers.
  • Pro-mailing-list arguments: open standards, powerful local filtering, long-term robustness, and user-controlled moderation.
  • Critics find mailing lists opaque, unfriendly to newcomers, and inferior to threaded, web-based systems.