QEMU, the open-source machine emulator and virtualization platform, is considering moving from a blanket rejection of AI-generated contributions to a limited, disclosure-based acceptance policy.
Paolo Bonzini has proposed updating QEMU’s code provenance documentation to permit AI-assisted patches in limited cases. Previously, QEMU declined contributions believed to include or derive from AI-generated content, such as output from ChatGPT, Claude, Copilot, Llama, and similar tools.
The proposed change maintains the project’s legal safeguards but narrows the ban. AI assistance would be permitted for mechanical changes, tests, documentation, and small bug fixes. Larger changes or work outside these categories would still require prior discussion with a maintainer.
Small bug fixes are defined as changes of 20 lines of code or fewer, excluding tests. Contributors must still understand the change and be able to explain both the code and their reasoning. For tests, contributors remain responsible for ensuring the test checks the intended behavior, including verifying that a regression test fails without the fix and passes for the correct reason.
Core code will continue to be handled with caution. Code that other parts of QEMU depend on, and that cannot be easily removed if issues arise, remains off-limits without maintainer approval. This distinction is based on reversibility: documentation, tests, and mechanical cleanups are easier to revert than architectural or widely used code.
The current QEMU policy was introduced because of unresolved questions around copyright, licensing, and the Developer’s Certificate of Origin. QEMU requires contributors to certify that they have the legal right to submit their work through the standard Signed-off-by line. The existing documentation states that AI-generated content raises unresolved provenance questions because the copyright and license status of such output is not clearly settled.
Bonzini’s proposal acknowledges that legal concerns remain, but argues the risk balance has shifted as AI tools have improved and other organizations have accepted AI-assisted development risks. The patch also notes that community projects lack the legal resources of companies, so even unfounded disputes could become prolonged distractions for QEMU.
Maintainer workload is another reason for these limits. While AI reduces the cost of producing patches, it does not reduce the cost of reviewing them and may even increase it, as reviewers cannot assume the submitter has reviewed every line. The proposed boundaries aim to manage both legal risk and review workload.
The policy update would introduce a new AI-used-for: trailer in commit messages. Contributors would use this when AI tools produce or significantly shape a patch. Suggested values include code, tests, docs, and research, with an optional short explanation such as AI-used-for: code (refactoring).
QEMU would not use Assisted-by or Generated-by trailers for this purpose, and contributors would not need to specify the exact AI model or tool used. Prompts or conversation summaries are also not required, though contributors may include them if they assist reviewers.
The proposal does not change the project’s baseline contribution rules. Contributors would still need to comply with the DCO and take responsibility for the entire patch through Signed-off-by, regardless of whether AI was used.
If accepted, this change would soften QEMU’s AI policy. The project would no longer reject all AI-derived contributions by default, but would maintain strict limits, emphasizing human responsibility, maintainer discretion, and disclosure.
