Article

'Fork It or Walk Away.' Torvalds Just Settled the Kernel's AI Debate.

Erdeniz Korkmaz
7 min read
'Fork It or Walk Away.' Torvalds Just Settled the Kernel's AI Debate.

Linus Torvalds does not do corporate hedging. This week, when a mailing list argument over an AI code reviewer threatened to turn into a referendum on whether the Linux kernel should touch LLMs at all, he ended it in one line: "they can do the open-source thing and fork it." The most scrutinised codebase on the planet, the one running your servers, your phone and probably your doorbell, just made its position on AI-assisted engineering official. If you're still running that debate inside your own team, it's worth ten minutes to see how the kernel's version of it played out.

The thread that lit the fuse

The row started somewhere gloriously mundane: a thread on the linux-media mailing list titled "Linking Patchwork with Sashiko?". Patchwork is the web tool many kernel subsystems use to track patches flowing through their mailing lists. Sashiko is an agentic AI review system, a Linux Foundation project announced earlier this year by Roman Gushchin, a kernel engineer at Google, that watches lore.kernel.org and reviews incoming kernel patches automatically. The question on the table was simple plumbing: should Sashiko's reviews be wired into Patchwork's tracking?

The plumbing question didn't stay a plumbing question. Laurent Pinchart, a veteran media subsystem developer, objected to patch authors receiving unsolicited AI review emails, and argued maintainers should "triage and verify" Sashiko's findings before they ever reach a human author. He pointed to the Software Freedom Conservancy's recommendations on LLM-backed generative AI in free software as the standard to follow. Gushchin pushed back hard, arguing that forcing manual triage "makes the point of sashiko, helping maintainers, unachievable", and that the Conservancy document "expresses a very anti-LLM position in general".

That's the message Torvalds replied to, at six minutes past three in the morning UTC on 15 July. His response deserves quoting properly, because it's the clearest statement of AI policy the kernel has ever had. "I realize that some people really dislike AI, but this is an area where I'm willing to absolutely put my foot down as the top-level maintainer," he wrote. "Linux is not one of those anti-AI projects, and if somebody has issues with that, they can do the open-source thing and fork it. Or just walk away."

Then the part that should get your attention, because this is Torvalds, the man who two years ago was dismissing most of the AI industry as hype: "AI is a tool, just like other tools we use. And it's clearly a useful one. It may not have been that 'clearly' even just a year ago, but it's no longer in question today." He was equally blunt about the costs, admitting AI tooling can be "a somewhat painful tool, both for maintainer workloads and just from a 'it keeps finding embarrassing bugs' standpoint". But his conclusion cut one way: "The solution is to make sure those LLM tools help maintainers instead of just causing them pain." Nobody is forced to use it, he added, "but I will very loudly ignore people who try to argue against other people from using it."

What Sashiko actually does

The tool at the centre of all this is worth understanding, because its architecture is more interesting than "we pointed a chatbot at some diffs". Sashiko is self-contained (no wrapping of third-party agent CLIs) and works across multiple LLM providers; Gemini, Claude and GitHub Copilot CLI are supported today. It ingests patches from mailing lists, GitHub PRs or GitLab MRs, and then runs each one through an eleven-stage review protocol that mimics a team of specialised reviewers rather than one generalist.

The stages are the clever bit, and you could sketch them on a whiteboard. Stage one analyses the commit's main goal: big picture, architectural flaws, breakage of userspace APIs. Stage two checks whether the code actually matches what the commit message claims. Stage three traces C execution flow looking for logic errors, unhandled error paths and off-by-ones. Then come dedicated passes for resource management (memory leaks, use-after-free, double frees), locking and RCU correctness, a security audit (buffer overflows, TOCTOU races, uninitialised memory leaks), and a hardware engineer's review for driver code (register access, DMA mapping, memory barriers). The final four stages are pure quality control: deduplicate and consolidate the findings, resolve conflicts between concerns and dismissed concerns, verify what's left and estimate severity, then generate a polite inline-commented reply in standard kernel mailing list format. The prompts build on per-subsystem review prompts initially developed by kernel veteran Chris Mason.

The numbers are honest, which is refreshing. On the project's own benchmark, the unfiltered last 1,000 upstream fixes, Sashiko running Gemini 3.1 Pro caught 53.6% of the original bugs. The README's framing is the killer detail: "In some sense, it's already above the human level given that 100% of these bugs made it through human-driven code reviews and were accepted to the main tree." Every single bug in that benchmark sailed past experienced human reviewers. The machine catches half of what the humans missed. False positives sit "well within 20% range" based on limited manual review, with most of those in a grey zone rather than flat wrong, and the project is upfront that output is probabilistic: run the same patch twice and you may get different findings.

What this settles, and what it doesn't

Here's why this matters beyond kernel-watching. The Linux kernel is the most conservative major engineering project in existence. It still runs on emailed patches. It took over a decade of argument to let a second programming language in. When that project's benevolent dictator rules that agentic AI review is legitimate infrastructure, "should serious engineering organisations use AI review at all" stops being a live question. As Torvalds put it: "In the kernel community we do open source because it results in better technology, not because of religious reasons... we make decisions primarily based on technical merit. Not fear of new tools."

Be careful about what this doesn't settle, though. The 53.6% figure comes with survivorship bias built in: the benchmark only contains bugs somebody eventually found and fixed, so it says nothing about the ones nobody caught. A false positive rate near 20% is genuinely painful at volume, which is exactly the maintainer workload problem Torvalds acknowledged. Sashiko's own disclaimers note that it ships your patches, and potentially large chunks of your repository history, to whichever LLM provider you configure, which is a non-issue for public kernel code and a real conversation for proprietary codebases. And the social questions that started the fight, opt-in versus opt-out, who triages, whether an unsolicited robot email is a courtesy or a nuisance, were still being argued by heavyweight maintainers (Ted Ts'o, Steven Rostedt, Willy Tarreau and others piled in) the day after Torvalds' post. He settled the direction, not the etiquette.

The bit worth stealing

Strip out the kernel drama and there's a very copyable pattern here. Sashiko's real insight isn't "LLMs can review code", it's the harness: many narrow, specialised review passes, each hunting one class of defect, followed by aggressive deduplication, self-adjudication and severity filtering, so a human sees five findings that matter instead of fifty maybes. That last part is what separates AI review your engineers thank you for from AI review they mute in week two.

That's squarely the kind of thing we build at Dakik. Not kernels, and not models, but the workflow layer: a staged review pipeline hooked into your GitHub or GitLab CI, with prompts tuned to your stack and your past incidents, severity thresholds your team actually agrees with, and an opt-in rollout so nobody gets ambushed by a robot in their pull requests. It's a contained proof of concept, a few weeks of work against one repository, and you'll know quickly whether it earns its keep the same way the kernel is finding out right now.

The kernel didn't adopt AI review because it's fashionable. It adopted it because the tool caught real bugs that real experts missed, and because the man at the top decided fear of new tools isn't a technical argument. Your codebase is not the Linux kernel. The logic still holds.

Share