Linux security mailing list 'almost unmanageable'
Linux kernel boss Linus Torvalds has declared the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports.
Torvalds used his weekly state of the kernel post to deliver release candidate four for Linux 7.1 and report “fairly normal” progress towards a full release.
He then pointed kernelistas to the project’s documentation, which he wrote “might be worth highlighting” as “the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”
“People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion,” Torvalds complained.
The Penguin Emperor believes that kind of chatter is “all entirely pointless churn” and isn’t productive because “AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved – and only makes that duplication worse because the reporters can’t even see each other’s reports.”
He then offered an opinion on how best to use AI to improve software security. “AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. “Feel free to use them, but use them in a way that is productive and makes for a better experience.”
“The documentation may be a bit less blunt than I am,” he added, “but that’s the core gist of it.”
“So just to make it really clear: If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on top of what the AI did. Don’t be the drive-by ‘send a random report with no real understanding’ kind of person. OK?”
Torvalds’ remarks contrast with recent comments from fellow kernel maintainer Greg Kroah-Hartman, who told The Register that AI has become an increasingly useful tool for the FOSS community.