On Sun, May 17, 2026 at 12:29:12PM -0400, Theodore Tso wrote:
> It should also be noted that Intel's zero-day bot was (a) closed
> source, and (b) was sending its test regression reports with the
> linux-kernel mailing list cc'ed, and no one really complained because
> it was so useful, and if Intel was willing to use very expensive
> hardware in their data center to contribute reports, so long as the
> reports were useful and the false-positive noise was low enough, we
> decided to be grateful and not worry (too much) about the fact that
> Intel's zero-day bot was closed source. (There was indeed some
> grumbling in the bar at Plumbers, of course. :-)

The 0-day bot was a closed-source front-end to orchestrate analysis tools
that are open-source (compilers, static analyzers, ...). Sashiko is an
open-source front-end to orchestrate analysis tools that are closed-source.
That's the complete opposite, so I'm not sure how relevant the comparison
is. Comparing with Coverity may be more relevant.

> In my opinion, we should be doing the same for Sashiko, and that's the
> decision which the ext4 developers have made --- at least for ext4
> patches, after an experiment where we only sent reviews to the patch
> authors and the maintainer, people were satisfied that false positive
> rate was low enough (with the caveats that I had previously mentioned,
> but we were willing to live with them because at least for us, it was
> useful enough), that we will be requesting that Sashiko reviews be
> cc'ed to the ext4 mailing list.
>
> I realize that there are some extra sensitivities around AI / LLM's,
> but from the perspective of reviewing patches, I don't see any
> difference between this and other closed source tools that we've used,
> such as Coverity and the Zero-day bot. Not everyone will agree, of
> course, but at the moment, this is a decision that we are making on a
> subsystem by subsystem basis, which again, has strong historical
> precedence.

-- 
Regards,

Laurent Pinchart

