Why AI is both a curse and a blessing to open-source software – according to developers

AI is rapidly reshaping how open-source projects are built, tested, and secured. At its best, it catches critical bugs faster than humans and trims tedious chores. At its worst, it overwhelms maintainers with noise, wastes scarce volunteer time, and risks desensitizing teams to real threats. Developers on the front lines say both stories are true—simultaneously.

When AI actually makes open source safer

Mozilla recently shared a standout success: Anthropic’s Claude Opus 4.6 helped uncover high‑severity Firefox vulnerabilities at a remarkable pace. Anthropic’s Frontier Red Team surfaced more serious issues in two weeks than Mozilla typically sees reported in two months, and—crucially—sent minimal, reproducible test cases. With clean repros, Mozilla engineers verified, fixed, and shipped changes within hours, then scaled the same approach across more of the browser. That’s what “AI as a power tool” looks like: focused findings, crisp evidence, fast remediation, real impact.

…and when it becomes a time sink

That’s not the norm everywhere. Daniel Stenberg, creator of cURL, says AI-written security reports are burying his project. Before AI spam surged, roughly one in six cURL security reports was valid; now it’s closer to one in 20 or even one in 30. The result, he says, is triage turning into “terror reporting,” draining energy from a small, volunteer-driven security team. Stenberg even shut down cURL’s security bounty program after the flood of low-quality submissions, describing the onslaught as effectively a DDoS on maintainers’ time.

The risk isn’t just burnout. When teams are forced to sift through mountains of false alarms, they can miss the few real vulnerabilities that actually matter—an obvious hazard for the wider software supply chain.

The “accurate but trivial” problem

Another trend irking maintainers: AI-assisted sweeps that surface minor or ancient bugs and then hand them off to tiny teams. FFmpeg—used everywhere from TVs to the web—was recently hit with numerous small issues, including quirky playback in the first 10–20 frames of a 1995 game. These are technically “real” but not security game‑changers, and the volunteer FFmpeg crew has limited bandwidth. Reports like these, developers argue, still require triage, tests, and fixes—time that big reporters may not invest, and money they often don’t offer to fund.

How maintainers actually want to use AI

Linux creator Linus Torvalds has been clear: he’s bullish on AI as a tool for maintainers, not as a drop‑in code author. He’s more excited about AI that helps review patches, check regressions, and backport fixes to stable branches than about AI that “writes code.” He even experimented with Google’s Antigravity LLM on a personal toy program, but his argument remains that AI should feel like the next turn of the compiler crank—more automation, less drudgery—without replacing human judgment.

Sasha Levin, an Nvidia distinguished engineer and Linux stable maintainer, echoes that view. He emphasizes human accountability and disclosure when AI is used, and he’s already wired LLMs into two of the kernel’s least glamorous jobs: identifying backports (via AUTOSEL) and improving the CVE workflow. That’s high‑leverage augmentation, not autonomous patch dumping.

Culture change: show your work

Several senior maintainers warn that AI can encourage “trust me” submissions. Dan Williams, an Intel senior principal engineer and kernel maintainer, urges contributors—especially newer ones—to show their work. AI can make people feel confident without understanding the code they propose, which breaks a core open-source norm: the ability to explain, defend, and maintain changes over time.

That cultural gap is part of why Stormy Peters, AWS’s head of open source strategy, says we’re not seeing AI “replacing” open source so much as flooding it with low‑quality patches. People generate code quickly, assume it’s helpful, and submit it—but then can’t maintain or justify it. Maintainers can’t easily untangle it either, which slows everything down.

Educators and industry veterans argue the antidote is AI literacy. IBM distinguished engineer Phaedra Boinodiris and Rachel Levy of NC State point out that successful AI use demands more than prompt craft. Developers need fundamentals in testing, security, reproducibility, and ethics—plus inclusive processes for deciding when and how AI should be used.

The numbers aren’t all rosy

Beyond anecdotes, early research paints a mixed picture. Some studies suggest developers can be roughly 19% slower with AI-enabled coding due to time lost rechecking, refactoring, and validating generated code. Other analyses find AI-written code contains significantly more issues—on the order of 1.7 times as many. And experiments with autonomous agents show they can be “fast and loose”: quick to act, quick to err.

What works—and what doesn’t

• Works: Tight human-AI collaboration with clear, minimal repros; quick verification; shared ownership of fixes (Mozilla and Anthropic’s model).
• Works: AI for maintenance plumbing—backports, CVE triage, patch linkage, duplicate detection—where signal is structured and human review is final.
• Doesn’t work: Spray-and-pray bug reports with vague claims or non-reproducible PoCs that bury maintainers.
• Doesn’t work: Offloading “accurate but trivial” issues onto tiny teams without funding, fixes, or follow‑through.
• Non-negotiable: Human accountability, disclosure when AI is used, and contributors who can explain and maintain what they submit.

The bottom line

AI is already both a force multiplier and a maintenance hazard for open source. The difference lies in how it’s wielded. Used intentionally—paired with minimal test cases, reproducibility, and shared responsibility—it accelerates real security wins and reduces drudge work. Used carelessly, it spams volunteers, slows projects, and risks numbing teams to genuine threats.

Open source thrives on stewardship, not shortcuts. If tool builders, researchers, and contributors adopt the Mozilla–Anthropic playbook—and if communities insist on accountability and AI literacy—AI and open source can be powerful partners. If not, the “blessing” can quickly feel like a curse.