The Linux kernel project has established a formal Linux AI-generated code policy that permits developers to use AI assistants like GitHub Copilot, but with one critical condition: humans bear complete responsibility for every line that ships. After months of heated debate between Linus Torvalds and maintainers over whether to embrace or ban AI-assisted coding, the project chose pragmatism over prohibition.
Key Takeaways
- Linux AI-generated code policy allows tools like Copilot but mandates human review and sign-off
- AI agents cannot use the Signed-off-by tag; only humans can certify Developer Certificate of Origin compliance
- New Assisted-by tag required for transparency when AI tools contribute to code
- Human submitter takes full legal responsibility for licensing, bugs, and security flaws in AI-generated contributions
- Policy applies project-wide to Linux kernel; individual projects may enforce stricter rules
How the Linux AI-generated code policy actually works
The Linux AI-generated code policy treats AI-assisted contributions like any other kernel code submission, but with mandatory disclosure and human accountability built in. Developers can use AI tools to draft code, but they must review every line for correctness, security, and licensing compliance before submitting. The human submitter then adds their own Signed-off-by tag to certify they have reviewed the contribution and comply with the Developer Certificate of Origin, effectively declaring legal responsibility for the code. This is the core mechanism that makes the policy enforceable: AI agents cannot sign off, only humans can, and that signature carries legal weight.
The policy requires contributors to include an Assisted-by tag alongside the standard attribution, explicitly naming the AI tool used. This transparency serves two purposes: it helps maintainers understand the code’s origin and flags potential licensing risks from LLM training data. The Assisted-by tag might read “Assisted-by: GitHub Copilot” or similar, making the AI involvement visible in the kernel’s git history. Developers must also ensure contributions comply with GPL-2.0-only licensing and use appropriate SPDX identifiers, the same requirements that apply to human-written code.
Why Linux rejected the ban and embraced pragmatism
Banning AI tools entirely was never realistic. As one maintainer noted, “Trying to ban them is like trying to ban a specific brand of keyboard”. Developers were already using Copilot and other assistants—the Linux community simply needed rules that reflected reality rather than wishful thinking. The months-long debate centered on legitimate concerns: AI models sometimes regurgitate copyrighted code from training data, and poorly prompted AI can generate insecure or low-quality output (what the community calls “AI slop”). Rather than prohibit the tools, the policy mitigates risk by making human review mandatory and shifting liability to the submitter.
This approach differs from other major open-source projects, some of which have taken stricter stances. The Linux Foundation’s broader guidance allows AI-generated content with license checks and attribution, but leaves room for individual projects to add their own rules. Linux chose to lead with a pragmatic framework: permit the tools, demand transparency, and enforce accountability through the Signed-off-by mechanism.
What developers must do to comply with the Linux AI-generated code policy
The Linux AI-generated code policy places the entire burden of due diligence on the human submitter. Before submitting any AI-generated code, a developer must: review all code for correctness and security; verify licensing compliance and confirm no copyright-infringing material was memorized by the AI model; add their own Signed-off-by tag to certify the Developer Certificate of Origin; and take full responsibility for any bugs, security flaws, or legal issues that arise. If an AI-generated contribution introduces a kernel vulnerability or licensing violation, the developer who submitted it—not the AI vendor—is liable.
This liability structure is intentional. It ensures developers treat AI-generated code with the same scrutiny they apply to human contributions, rather than assuming AI output is correct because a machine produced it. The policy does not attempt to solve the upstream problem of AI models potentially containing memorized code; instead, it places the responsibility for detecting and preventing such issues squarely on the submitter. Developers who cannot confidently review AI output should not submit it.
Frequently asked questions about the Linux AI-generated code policy
Can AI tools like GitHub Copilot be used in Linux kernel development?
Yes, GitHub Copilot and other AI assistants are explicitly permitted under the Linux AI-generated code policy. However, all AI-generated code must be reviewed by a human developer, who must add the Signed-off-by tag and take full responsibility for the contribution.
What happens if AI-generated code introduces a bug or security vulnerability?
The human submitter who added the Signed-off-by tag is fully responsible for the bug or vulnerability. The policy does not shield developers from liability by claiming the AI made the mistake. This is why thorough review before submission is critical.
Do individual Linux projects have to follow this policy?
The Linux AI-generated code policy applies project-wide to the Linux kernel itself. However, other open-source projects or employers may enforce stricter rules or prohibit AI-assisted code entirely. Check your project’s specific guidelines before using AI tools.
The Linux AI-generated code policy represents a realistic middle ground: it acknowledges that developers will use AI tools whether or not leadership approves, so the community instead built guardrails around transparency and accountability. Developers who use Copilot or similar tools in the Linux kernel must accept that they are responsible for every line of code they submit, regardless of its origin. That responsibility is not a burden—it is the price of maintaining the kernel’s quality and legal integrity.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
