lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250724194556.105803db@gandalf.local.home>
Date: Thu, 24 Jul 2025 19:45:56 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Kees Cook <kees@...nel.org>
Cc: "Dr. David Alan Gilbert" <linux@...blig.org>, Konstantin Ryabitsev
 <konstantin@...uxfoundation.org>, corbet@....net,
 workflows@...r.kernel.org, josh@...htriplett.org,
 linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] docs: submitting-patches: (AI?) Tool disclosure tag

On Thu, 24 Jul 2025 14:20:03 -0700
Kees Cook <kees@...nel.org> wrote:

> On Thu, Jul 24, 2025 at 09:12:30PM +0000, Dr. David Alan Gilbert wrote:
> > * Kees Cook (kees@...nel.org) wrote:  
> > > [...]
> > > do for Coccinelle or other scripts. It's a bit buried in the Researcher
> > > Guidelines[1], but we have explicitly asked for details about tooling:
> > > 
> > >   When sending patches produced from research, the commit logs should
> > >   contain at least the following details, so that developers have
> > >   appropriate context for understanding the contribution.
> > >   ...
> > >   Specifically include details about any testing, static or dynamic
> > >   analysis programs, and any other tools or methods used to perform the
> > >   work.
> > > 
> > > Maybe that needs to be repeated in SubmittingPatches?  
> > 
> > 'produced from research' is narrowing things down a bit too much I think
> > when it's people using the tools as their normal way of working.  

So I did bring this up in the last TAB meeting. I brought it up because I
found out from reading an LWN[1] article that I received a patch fully
written in AI without knowledge that it was written with AI. If I had known,
I would have examined the patch a little more thoroughly, and would have
discovered a very minor mistake in the patch.

> 
> Right -- as currently written we have the explicit guideline for
> "produced from research" and kind of an unwritten rule to detail any
> complex tools involved for regular development (e.g. Coccinelle,
> syzkaller, etc). We could generalize the existing statement and repeat
> it in a better location?

When a patch is generated by Coccinelle, checkpatch or any other tool, it
should most definitely be mentioned in the change log.

I strongly believe the same goes for AI. Now the argument is where do we
draw the line? If you are using AI that helps write your code, do you need
to disclose it every time?

My thought is to treat AI as another developer. If a developer helps you
like the AI is helping you, would you give that developer credit for that
work? If so, then you should also give credit to the tooling that's helping
you.

I suggested adding a new tag to note any tool that has done non-trivial
work to produce the patch where you give it credit if it has helped you as
much as another developer that you would give credit to.

-- Steve


[1] https://lwn.net/Articles/1026558/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ