From: Kevin Wolf <kwolf@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu-devel@nongnu.org, stefanha@redhat.com
Subject: Re: on ai generated and code provenance
Date: Tue, 26 May 2026 19:43:35 +0200 [thread overview]
Message-ID: <ahXbxzB4C_lr6b0N@redhat.com> (raw)
In-Reply-To: <20260524083329-mutt-send-email-mst@kernel.org>
Am 24.05.2026 um 14:42 hat Michael S. Tsirkin geschrieben:
> So, I had to reject a perfectly reasonable patch:
> https://lore.kernel.org/qemu-devel/20260320193746.242704-1-jinpu.wang@ionos.com/
> just because of a tool used to make it.
>
>
> How contributors could comply with DCO terms (b) or (c) for the output of AI
> content generators commonly available today is unclear. The QEMU project is
> not willing or able to accept the legal risks of non-compliance.
>
>
> But, since this was written, Red Hat's Richard Fontana and Chris Wright
> published this piece:
> https://www.redhat.com/en/blog/ai-assisted-development-and-open-source-navigating-legal-issues
>
>
> Saying, in particular "
> We understand this concern, but the DCO has never
> been interpreted to require that every line of a contribution must be
> the personal creative expression of the contributor or another human
> developer.
> "
I never found that blog post particularly convincing, especially because
they acknowledge a concern:
There are two versions of this concern. The first is practical: that
an AI tool could covertly insert excerpts of proprietary (or
license-incompatible) code into an open source project, potentially
creating legal risk for maintainers and users. The second is broader
and more philosophical: that large language models, trained on vast
amounts of open source software, are essentially misappropriating
the community’s work, producing outputs stripped of the obligations
that open source licenses require.
We think these concerns deserve to be taken seriously.
The second one is essentially what I understood the QEMU policy to be
about. Unfortunately, the blog post then goes on to only ever deal with
the first one and ignore the second one that seems more relevant for us.
So yes, the DCO isn't about "personal creative expression" or whatever
(and nobody suggested it is, this is a strawman), but it's about whether
the submitter has the legal rights to submit the code. And that's
exactly the question we decided we don't want to take a risk on.
So if that part isn't helpful, what has changed since we introduced the
AI policy? It's a few points:
1. While AI has been in use for a while now, we haven't seen projects
accepting AI generated code/content get into big trouble. While it
could still happen in the future, it might be an indication that the
probability of the risk hitting us is not that high.
2. The useful part of the blog post is that it tells us that Red Hat
considers the risk acceptable. This can inform our assessment of the
risks, though of course there might be a significant difference in
the impact of the risk for a company with a legal department and an
open source community consisting mainly of developers acting as
individuals.
I think it's obvious that if the QEMU project gets involved in a
legal case, we have a problem (at the very least long lasting
distraction from actual work on QEMU), even if we didn't do anything
wrong and a good lawyer would easily win the case.
3. It was easy to just outright ban AI while its results were usually
not really usable anyway. This has changed meanwhile, so it's much
harder to maintain an absolute ban.
It's not really the best use of my time to look at the idea in
AI-generated test cases and then rewrite them from scratch so I can
actually submit them. (On the other hand, I think my rewritten
submissions were always better and more maintainable than what AI
produced initially, so there's that.)
So while my perspective is a lot more nuanced than yours, I do see a
shift in the balance and was actually thinking of suggesting a change of
the policy myself.
What I was thinking of was allowing AI-generated content in places where
it's at least easy to revert if there is ever a problem with it: Tests,
documentation etc., but not core code that lots of other things depend
on and that will have evolved a lot when we notice a problem and for
which throwing away is simply not an option.
> I propose adopting linux's rules instead:
> https://docs.kernel.org/process/coding-assistants.html
>
> which boils down to attribution.
What would we actually do with the detailed information? Why do we care
which model was used? Is this helpful commit metadata or is it just free
advertising for a handful of companies?
I think I would see more use in a tag like (better name welcome):
AI-used-for: [code|tests|docs|commit message]...
Kevin
next prev parent reply other threads:[~2026-05-26 17:44 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 12:42 on ai generated and code provenance Michael S. Tsirkin
2026-05-24 17:06 ` Alex Bennée
2026-05-24 17:42 ` Michael S. Tsirkin
2026-05-24 18:26 ` Warner Losh
2026-05-24 20:04 ` Michael S. Tsirkin
2026-05-24 20:11 ` Michael S. Tsirkin
2026-05-24 20:44 ` Stefan Hajnoczi
2026-05-25 15:27 ` Stefan Hajnoczi
2026-05-25 16:32 ` Paolo Bonzini
2026-05-25 17:15 ` Warner Losh
2026-05-25 19:44 ` Stefan Hajnoczi
2026-05-25 22:36 ` Michael S. Tsirkin
2026-05-26 13:16 ` Stefan Hajnoczi
2026-05-25 19:56 ` Paolo Bonzini
2026-05-26 21:48 ` Philippe Mathieu-Daudé
2026-05-26 8:23 ` Peter Maydell
2026-05-26 9:28 ` Alex Bennée
2026-05-26 9:57 ` Paolo Bonzini
2026-05-26 11:27 ` BALATON Zoltan
2026-05-26 12:30 ` Michael S. Tsirkin
2026-05-26 12:37 ` Manos Pitsidianakis
2026-05-26 13:00 ` Michael S. Tsirkin
2026-05-26 13:22 ` Stefan Hajnoczi
2026-05-26 14:01 ` Warner Losh
2026-05-27 7:11 ` Philippe Mathieu-Daudé
2026-05-26 17:43 ` Kevin Wolf [this message]
2026-05-26 18:03 ` Michael S. Tsirkin
2026-05-26 18:59 ` Kevin Wolf
2026-05-26 19:30 ` Michael S. Tsirkin
2026-05-26 19:52 ` Warner Losh
2026-05-27 8:41 ` Kevin Wolf
2026-05-27 10:01 ` Paolo Bonzini
2026-05-27 10:43 ` Alex Bennée
2026-05-27 12:49 ` Kevin Wolf
2026-05-27 10:53 ` Kevin Wolf
2026-05-27 12:33 ` Paolo Bonzini
2026-05-27 12:43 ` Michael S. Tsirkin
2026-05-27 10:54 ` Alistair Francis
2026-05-27 14:21 ` Warner Losh
2026-05-28 1:59 ` Alistair Francis
2026-05-28 5:06 ` Michael S. Tsirkin
2026-05-28 7:32 ` Paolo Bonzini
2026-05-27 14:11 ` Michael S. Tsirkin
2026-05-27 14:14 ` Warner Losh
2026-05-27 14:51 ` Kevin Wolf
2026-05-27 16:41 ` Michael S. Tsirkin
2026-05-27 16:50 ` Kevin Wolf
2026-05-27 16:56 ` Michael S. Tsirkin
2026-05-27 17:06 ` Michael S. Tsirkin
2026-05-27 17:15 ` Warner Losh
2026-05-27 17:07 ` Warner Losh
2026-05-27 16:05 ` Paolo Bonzini
2026-05-27 16:48 ` Michael S. Tsirkin
2026-05-27 16:57 ` Warner Losh
2026-05-27 17:05 ` Michael S. Tsirkin
2026-05-27 17:48 ` Paolo Bonzini
2026-05-27 16:39 ` Michael S. Tsirkin
2026-05-26 19:50 ` Michael S. Tsirkin
2026-05-27 7:44 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahXbxzB4C_lr6b0N@redhat.com \
--to=kwolf@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.