Should Veteran Open‑Source Projects Embrace AI‑Generated Code?

Zero Tolerance for AI

Drew DeVault, a longtime Vim contributor, published a "Vim obituary" claiming that AI‑generated code has polluted Vim. He created a fork, Vim Classic, based on version 8.2.0148, and explicitly forbids any AI‑generated contributions in its CONTRIBUTING.md .

Similarly, Redox OS announced a ban on LLM‑generated code and introduced a Developer Certificate of Origin (DCO) mechanism, while SDL rejected AI code due to traceability, licensing, and review cost concerns. Earlier, projects such as NetBSD, GIMP, Zig, and QEMU had issued comparable bans.

Pragmatism Above All

In contrast, many established projects adopt an open stance. Phil Eaton’s March 2026 survey of 112 major open‑source projects found that about 63% accept clearly marked AI‑assisted contributions, including Linux, Chromium, and Kubernetes. The Linux kernel’s journey involved intense internal debate before reaching consensus.

In late 2025, Nvidia engineer Sasha Levin submitted a patch to Linux 6.15 entirely written by AI, including code, commit message, and tests, without disclosure. The discovery sparked a heated discussion on the Linux Kernel Mailing List (LKML).

By January 2026, the debate peaked when Intel’s Dave Hansen and Oracle’s Lorenzo Stoakes clashed over legal implications of AI‑generated code under the DCO, which requires contributors to certify code provenance—a guarantee AI tools cannot reliably provide.

Red Hat’s analysis warned that ignoring these issues could inadvertently violate open‑source licenses and undermine the DCO framework.

On April 12 2026, Linus Torvalds endorsed a new AI contribution policy for the kernel, merging the document coding-assistants.rst with three core rules:

Signed‑off‑by must be signed by a human : AI agents cannot use this legally binding tag. Must annotate Assisted‑by : indicate the model and tool, e.g., Assisted-by: Claude:claude-3-opus sparse . Humans bear full legal responsibility : including review duties, license compliance, and any future bugs or security issues.

Linus emphasized that AI should be treated merely as a tool, likening bans on specific AI tools to banning a particular keyboard brand.

Unexpected Conclusions of Policy Experiments

Anthropic researcher Nicholas Carlini used Claude Code to scan the Linux kernel source tree, discovering five remotely exploitable vulnerabilities in 90 minutes, four of which were previously unknown. One involved an NFS v4.0 driver buffer overflow caused by a mismatch between a 1024‑byte Owner ID field and a 112‑byte static buffer.

This experiment perfectly followed the new policy: AI‑generated output, human review, Assisted‑by annotation, and clear responsibility. Yet it raised a paradox—if AI can uncover decades‑old bugs quickly, the value of human review may lie more in assuming liability than in catching defects.

Carlini reported hundreds of additional potential bugs awaiting verification, suggesting that AI‑driven vulnerability discovery could become routine, turning human review into a ceremonial safeguard rather than an effective security filter.

Scale and Responsibility

Linus clarified that the kernel will not implement tools to detect undisclosed AI contributions, citing the impracticality given millions of lines of code and thousands of active contributors. Maintenance relies on deep expertise, pattern recognition, and peer review, not automated scans.

DeVault’s ability to enforce a strict “no AI” policy stems from Vim Classic’s modest size and single‑maintainer model, which avoids the pressures of massive PR volumes, multi‑architecture support, and corporate SLAs.

Consequently, bans are feasible for smaller projects like Vim Classic, Redox, and SDL, but impractical for large‑scale projects such as Linux, Chromium, and Kubernetes, whose governance structures cannot accommodate absolute prohibitions.

The split in the open‑source community reflects a fundamental trade‑off between project scale and the degree of responsibility developers are willing to assume regarding AI‑generated code.