This headline is misleading. The California law requires that the OS store and provide the age bracket. It does not require that any verification take place.
I am not arguing that this is a good idea, but it is simply false that the law requires that Linux 'check kids' IDs before booting'.
The New York law is worse, and should be opposed, but the article only mentions it at the end - and even then, we actually don't know what the verification mechanism would be. I've heard a proposal that "age verification passes" be sold at liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
When we are installing docker repositories on my Rockylinux installation on 100 nodes at once, should we need to manually put an age of the person who is running the script somewhere in the process? Will docker be forced to prevent me from downloading its packages if I do not transmit the age in a header?
The California law only stipulates that there's an "accessible interface at account setup" to set the birthday or age at account setup, and an interface to query the age bracket. Plus the crap for "application stores"
I don't think it's a very well thought-out law. But realistically this will end up as setting some env variable for your docker containers to assure them that you are 99 years old. And yes, maybe transmitting a header to docker hub that you are 99 years old. Probably configured via an env variable for the docker cli to use. It's stupid, but nothing a couple env variables wouldn't comply with
The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
This is a neat attack (in that it is obvious and a big flaw but also it makes sense that the lawmakers wouldn’t have thought of it), but it would only affect users who have an age-bucket transition while your application is running, right?
Not necessarily, depending on how the application is logging it just means the resolution to which you know a birth date is limited by how often the application is run. If i check my email every morning at 8am, and my email app logs my "age bucket", then it can know to a resolution of one day. If i only check my email on Monday mornings, it knows to a resolution of one week, etc...
Then you store the user age every time it's run and check for changes on start. Maybe that only gives you a 7 day range for birthdays, but you can narrow that over time and it's still good enough for targeting.
is there any mention of granularity? so if the user sets their age bracket, then there's no DoB stored. if the user is old enough to fall into some other age bracket they can set that if they want. (and then somehow making this a bit more data driven - ie "verifying" - is a different matter altogether.)
Laws get made by whomever takes Gavin to the most dinners at the French Laundry. Don’t like this law? Good luck - reservations are booked out 6 months in advance.
Also, like, what about IOT devices. Are lightbulbs and thermostats going to need to attest the age of their users? There are so many computers without a useful concept of a user identity.
I honestly think the California law is well intentioned (in the sense that it just asks the OS to attest the age of the user, so, lawmakers probably thought this could be done in a privacy-preserving and minimally annoying fashion), but it seems very focused on desktop and cellphone use-cases.
Who is paying FOSS devs who will be implementing this? Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong? Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place? Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption?
>Who is paying FOSS devs who will be implementing this?
honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.
Work on a standardised solution has already been done and proposals are already being discussed. Things aren't moving as fast as they could be because every time something like this hits a front page somewhere a bunch of people have to come in and comment that they dislike the law, but the people behind open source projects don't seem to be bothered by the time they need to put into this. Their employer is probably just paying them to do so anyway.
Linux desktops already have APIs for profile management. This is just another field to add to those APIs.
Very few core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 isn't going to drop California as a customer base to make a statement that no politician will ever listen to.
A number of distros (even some large and well known ones) have signaled noncompliance or do not believe they are impacted due to technical reasons (Gentoo) or jurisdiction (OpenBSD, NixOS). Other US distros are not yet signaling agreement because of uncertainty regarding different laws in different states/countries and potential legal challenges. This is not set in stone and it’s still possible to present a united front of noncompliance.
To be fair, "it's just a fucking hobby" no longer being an excuse has been a long time coming, much in the same way that driving cars or flying airplanes started as just a hobby but became no longer one when practicing it had outsized consequences to non-practitioners.
Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")
Linux is the kernel, it has nothing to do with this.
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
> Expecting volunteers to dump time into compliance is ridiculous.
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)
Many big distributions (Ubuntu, Suse, Fedora) are sponsered by big tech companies, and are not maintained by volunteers.
I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
My trench is keeping backups of ISO's that do not contain this creeping garbage. I will manually patch apps and where I can't the OS will be read-only and ephemeral. This will be my process until governments are no longer unacceptable to bribery.
But let’s talk about around the US. For example, all cars manufactured in 2029 and onward will be required to have a built-in alcohol detector / breathalyzer and to shut down and not let you drive if they detect your blood alcohol level is too high: https://www.clear2drive.com/the-pass-act-explained/
This is in addition to the interlinked CCTV cameras that are the norm in various cities (eg in the UK), new Flock cameras in US, etc. But the government doesnt even need Flock or Ring to cooperate. They have plenty of their own housing programs to install thousands of cameras to spy on citizens 24/7, and can now deploy AI to sift through it all. Here in NYC we already have the lovely Domain Awareness System: https://nysfocus.com/2025/08/11/eric-adams-nycha-nypd-camera...
To sum up: the government can know what you’re doing at all times, with sensors in your car, mandated apps on your phone, cameras on your street, and soon, mandated telemetry sent by your operating system. Caretakers of kids are required to report anything to authorities and not let parents know, in case the department of child services might need to know. Every child is required to be vaccinated too, with lots of different vaccines.
I wouldn’t be surprised if toilet plumbing in every apartment in the future will be required to install a test for what you’re eating or drinking, to catch diseases early and for public health.
What's hilarious is that in supposed dystopic corrupt hellholes I've lived or spent time in (Syria during the civil war, Iraq, Philippines, etc) all of this is unimaginable. Westerners view freedom as having a piece of paper that says they are free plus not having to bother fighting off ISIS or the gangsters because the even bigger gangster in a clean uniform and nice jackboot will take care of it. Much of the rest of the world views freedom as the government being weak enough that it's actually possible for rebel groups to emerge, which you might then have to fight off, but at least that is easier to fight off than a central government that consumes 25+% of the GDP and projects their air power to every end of the earth.
Of course, there are cases like North Korea where you get the worst of both worlds (strong central government + not even a useful piece of paper limiting it).
Because it's a competitive market and offering a lower price than your competitors helps you earn more business. If your competitors lower their prices and you don't lower yours then you'll lose business.
It's optimistic to think it will even do anything to stop drunks. It's a $5 wrench problem. They think all this tech will stop drunks, when in reality some guy gorded out his mind on vodka is paying his 12 year old his weekly $20 allowance to blow into the machine.
To be fair, it's not about blowing into the machine, but a bunch of sensors all around the driver, e.g. looking at the finger pressing the button to test your blood alcohol content through your skin, detecting alcohol particles, etc. So you better hope your passenger isn't drunk LMAO
Age verification passes? Now not only would extra costs be added for users to verify their age, that sounds like an age verification passes is a form factor that could easily be resold to someone else.
> liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy
The difference being, of course, that as an adult one can simply refrain from frequenting a liquor store or porno shop if one chooses not to.
It's not practical to refrain from using a computer while participating fully in modern society. The UN has indicated Internet access to be a human right.
Voting is far more important. If someone is falsely denied access to some web site, it doesn't matter. But everyone with the right to vote must be allowed to vote, no exceptions.
In any case, voting is substantially more intrusive. You must register with your full name and address, which is made public record. Each time you vote, that is also made public record (not who you voted for, but the fact that you voted). In states with closed primaries, your party membership is public record. In states with open primaries, it's public record which party's primary you vote in. It's way more invasive than a text box in your computer's account setup screen that asks for your age.
I disagree there. I think that this is far more intrusive, because it impacts your everyday life rather than just a small slice of it, and thus more important.
FWIW, there are vanishingly few problems with improper voting in the US, and the extremely unusual occurrences are mostly PartyB voters trying to "counteract" the imaginary PartyA violations.
Anyone who tells you differently is lying or ignorant.
If there's no problem w/ improper voting, then why would anyone object to measures intended to verify that the proprieties involved are being followed?
If it were out of genuine concern for verification, those supporting it would want to ensure that all citizens are able to easily, quickly, and cheaply get ID. That is not the case, however.
Because 10% of US citizens (legitimate voters) do not have the forms of ID required in these proposed laws, and it can be expensive and time-consuming to get those forms of ID which are not otherwise required for their lives (QED), and they might not do so strictly for voting.
Some people think disenfranchisement is bad. Others see it as useful.
Specifically, PartyB thinks those people with inadequate ID skew toward PartyA voters. This has been the accepted wisdom for decades. So they are incentivized to make it harder for them to vote.
Interestingly though, PartyB might be wrong about the current population. PartyA, and those against disenfranchisement and imaginary crises in general (I count myself in this third group), do not want to blow up centuries of precedent especially if the consequences are likely to be undemocratic and unfair.
> measures intended to verify that the proprieties involved are being followed?
Giving you the benefit of the doubt regarding the intent, why would anyone support a measure that demonstrably does not achieve what it intends, but instead denies you the right to vote?
Authoritarianism rarely happens overnight, it happens one step at a time and at every step the useful idiots [0] exclaim "It's just one step! What's the big deal? Stop overreacting!".
Next thing you know you've walked 100 miles and it's too late to turn back.
The overwhelming majority of programmers likely cut their teeth on computers as kids. Any attempt to restrict computer access to 18+ will only make American programmers un-competitive in the job market.
I guess going forward if you are under 18 and want to learn programming and not be harassed by the government you have to go back to having and offline only computer and stack of o'reilly books?
Soon programming will itself require a license. Only government approved individuals will be able to write code. CPUs will only boot software signed by the government.
"Software engineering" is one of the few large practices with 'engineering' in its name that has no mechanism for license granting and revocation for violation of professional standard.
That's not what is happening here, but we might see that happen in our lifetimes. Hopefully before someone writes the software that kills enough people to necessitate licensing, not after (since generally, such outcomes are how licensing comes into being).
I started using Linux when I was in high school. I got my first job years later because I knew my way around Linux much better than other candidates. My OS never tried to track my age to prevent me doing what I wanted. I used to live in one of these places where OSs should report user’s age and I am glad my kid will grow up in one that doesn’t (yet?).
Totally inaccurate. The actual technical requirement is to add a self-reported age field to user creation flows, and that the value selected be made available to applications.
But let's just pretend something totally different is happening. It's more exciting that way.
And well, the law represents an intent.. if self-reporting won't work (obviously won't), then the scenario where PCs end up as locked down as smartphones is not far fetched.
Many parents will not be proactive in protecting their children online and I think this is a legitimate societal problem. The idea of algorithmic feeds for adult content that descend into increasingly "engaging" depictions is something I find horrifying.
I do not want my kids to experience those "loss of innocence" moments too soon by letting their curiosity lead them into things they are not equipped to confront yet. Hell, I still have those moments as an adult on occasion.
There has to be steps we can take as a society to address these legitimate challenges ourselves so that governments can no longer hide behind them in tinkering with mechanisms for stability and control. Maybe a "sunlight disinfects" approach.
I want my kids exposed to the brutal realities of the world asap.
I reflect that my innocence caused me to make some extreme major mistakes as a young adult that took a decade to show itself. I cannot go back, and now I am suffering terribly.
I blame my parents at least a little bit, but I blame western idealism more majorly.
I am intrigued by this. I have long thought that exposing children to optimism and "what could be" allows them to envision a world different from our own. Kind of like how once you're in capitalism it's hard to think of alternatives.
> Jef Spaleta, the Fedora Project leader, isn't sure of the legalities, but he thinks it might be as simple as mapping "uid to usernames and group membership and having a new file in /etc/ that keeps up with age."
Personally I think Linux distros should ignore this law and put a disclaimer on their download sites. I expect OpenBSD will do just that. If Linux decides to make this a requirement, I guess I know what OS I will move to next.
Anyway, Instead of a new file, there are optional fields in /etc/passwd that can be used for "age". These fields can be added as comma separated fields. But, maybe he is thinking of making the new file readable only by root ?
I think it’s more that they have no idea that Linux exists, or headless operating systems used on servers and embedded devices. They are trying to legislate based on the experience of having an iPhone.
FOSS (and frankly all systems that don’t use walled garden commercial app stores) should be exempted from this, at a minimum.
If it’s like the Illinois one, all of tech are probably behind them, because these shift age verification away from service providers to a self-reported age bracket at the OS level.
It’s much safer than what some idiotic states are doing (like upload your photo id to services where it gets stolen).
The idea is a parent or guardian is probably setting up a device. They make a user account for their kid and specify a user age. The OS then can supply one of four age brackets to service providers.
> The real problem is this hodgepodge of laws; it's the growth of the surveillance state. From voting rights in the United States, facing Trump's Orwellian-named SAVE America Act, to Ring's doggie tracking system that can also be used to follow people, to Trump booting Anthropic to the side for refusing to allow its AI tools to be used for mass surveillance, privacy is on the decline.
I understand it is popular to pick on the current administration, and there are plenty of rightful reasons to, but let's not forget this has been happening way before either of Trump's terms (see: KYC laws). The only difference between then and now is that current administration has essentially taken a mask-off approach, so we get to see this discussion finally brought up by mainstream media outlets.
You're not wrong, but there is a huge difference between moving US government regulated currency to (possibly) foreign and (possibly) nefarious actors, and this.
Ever since KYC was extended to cover cryptocurrency exchanges, I have given up any faith in that this is solely about regulated currencies, or money laundering at all.
I don't understand this position. Cryptocurrency exchanges are the primary legal touch point (fiat offramp) for a lot of criminal activity. Of course they will get attention for AML.
I can understand the regulation of fiat/crypto exchanges, but the verification extends to centralized exchanges that merely facilitate exchanges one kind of purely virtual currency for another, neither of which have to be recognized as legal tender.
I don't think it's unique to America either. It's just the ebb and flow of the envelope of possibilities for central governance as technology and culture changes. FATF has managed to implement KYC worldwide, even in banana republics at least for the peasant without connections.
This headline is misleading. The California law requires that the OS store and provide the age bracket. It does not require that any verification take place.
I am not arguing that this is a good idea, but it is simply false that the law requires that Linux 'check kids' IDs before booting'.
The New York law is worse, and should be opposed, but the article only mentions it at the end - and even then, we actually don't know what the verification mechanism would be. I've heard a proposal that "age verification passes" be sold at liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
When we are installing docker repositories on my Rockylinux installation on 100 nodes at once, should we need to manually put an age of the person who is running the script somewhere in the process? Will docker be forced to prevent me from downloading its packages if I do not transmit the age in a header?
The California law only stipulates that there's an "accessible interface at account setup" to set the birthday or age at account setup, and an interface to query the age bracket. Plus the crap for "application stores"
I don't think it's a very well thought-out law. But realistically this will end up as setting some env variable for your docker containers to assure them that you are 99 years old. And yes, maybe transmitting a header to docker hub that you are 99 years old. Probably configured via an env variable for the docker cli to use. It's stupid, but nothing a couple env variables wouldn't comply with
The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
So once my application is running I can just keep querying an age bracket until it flips and then I've successfully determined a date of birth.
This is a neat attack (in that it is obvious and a big flaw but also it makes sense that the lawmakers wouldn’t have thought of it), but it would only affect users who have an age-bucket transition while your application is running, right?
Not necessarily, depending on how the application is logging it just means the resolution to which you know a birth date is limited by how often the application is run. If i check my email every morning at 8am, and my email app logs my "age bucket", then it can know to a resolution of one day. If i only check my email on Monday mornings, it knows to a resolution of one week, etc...
Then you store the user age every time it's run and check for changes on start. Maybe that only gives you a 7 day range for birthdays, but you can narrow that over time and it's still good enough for targeting.
is there any mention of granularity? so if the user sets their age bracket, then there's no DoB stored. if the user is old enough to fall into some other age bracket they can set that if they want. (and then somehow making this a bit more data driven - ie "verifying" - is a different matter altogether.)
Gavin said he's open to amending the law. I hope someone's taking him up on that..
Gavin doesn't make laws and should have vetoed this one.
Laws get made by whomever takes Gavin to the most dinners at the French Laundry. Don’t like this law? Good luck - reservations are booked out 6 months in advance.
> The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
Which will happen. The road to hell is built one brick at a time.
We'll call the query tool jackboot.
Also, like, what about IOT devices. Are lightbulbs and thermostats going to need to attest the age of their users? There are so many computers without a useful concept of a user identity.
I honestly think the California law is well intentioned (in the sense that it just asks the OS to attest the age of the user, so, lawmakers probably thought this could be done in a privacy-preserving and minimally annoying fashion), but it seems very focused on desktop and cellphone use-cases.
Server sends age rating, and client checks it.
Who is paying FOSS devs who will be implementing this? Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong? Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place? Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption?
>Who is paying FOSS devs who will be implementing this?
honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.
A large number of maintainers for larger OSS projects are employed by tech companies directly.
I suppose it can be handled like porn: torrenting linux isos will be lewd.
Work on a standardised solution has already been done and proposals are already being discussed. Things aren't moving as fast as they could be because every time something like this hits a front page somewhere a bunch of people have to come in and comment that they dislike the law, but the people behind open source projects don't seem to be bothered by the time they need to put into this. Their employer is probably just paying them to do so anyway.
Linux desktops already have APIs for profile management. This is just another field to add to those APIs.
Very few core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 isn't going to drop California as a customer base to make a statement that no politician will ever listen to.
A number of distros (even some large and well known ones) have signaled noncompliance or do not believe they are impacted due to technical reasons (Gentoo) or jurisdiction (OpenBSD, NixOS). Other US distros are not yet signaling agreement because of uncertainty regarding different laws in different states/countries and potential legal challenges. This is not set in stone and it’s still possible to present a united front of noncompliance.
To be fair, "it's just a fucking hobby" no longer being an excuse has been a long time coming, much in the same way that driving cars or flying airplanes started as just a hobby but became no longer one when practicing it had outsized consequences to non-practitioners.
Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")
> Who is paying FOSS devs who will be implementing this
Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.
> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place
The US is a federal system. It's part of our checks and balances.
> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption
No one. This is why organizations with actual security requirements do their own dependency checks.
Linux is the kernel, it has nothing to do with this.
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
> Many small distros are hobby distros...
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
>> hobby
> You don't have to support
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
> Expecting volunteers to dump time into compliance is ridiculous.
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)
Many big distributions (Ubuntu, Suse, Fedora) are sponsered by big tech companies, and are not maintained by volunteers.
I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!
> encouraging everyone to openly flaunt the law
> But maybe that’s just me
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
> fighting via lawfare
That is being done.
> and media
You heard about it via the media.
Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!
From the article:
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
There is no limit to the power grab. The only acceptable thing to do is to dig the trenches before it gets worse.
My trench is keeping backups of ISO's that do not contain this creeping garbage. I will manually patch apps and where I can't the OS will be read-only and ephemeral. This will be my process until governments are no longer unacceptable to bribery.
The trenches will eventually be overwhelmed regardless. Once the government has AI and sensors, it will mandate its ubiquitous use.
For minors, we have this lovely law coming in NYC: that will broadcast to everyone that you’re a minor: https://www.nysenate.gov/legislation/bills/2025/S8102
But let’s talk about around the US. For example, all cars manufactured in 2029 and onward will be required to have a built-in alcohol detector / breathalyzer and to shut down and not let you drive if they detect your blood alcohol level is too high: https://www.clear2drive.com/the-pass-act-explained/
And in 2027 — next year — new cars are required to watch where you are looking, how much you’re blinking or nodding and alert authorities if you aren’t alert enough: https://www.gadgetreview.com/federal-surveillance-tech-becom...
And it’s not just the US government. That phone in your hand? Governments have mandated tha all vendors preinstall spy software, filters and apps on it, that are not removable: https://www.aclu.org/news/privacy-technology/government-mand...
Also these phones no longer shut down when you shut them down. They continue operating and sending telemetry so the government can eventually know where they are at all times. https://android.stackexchange.com/questions/228682/why-do-ce...
This is in addition to the interlinked CCTV cameras that are the norm in various cities (eg in the UK), new Flock cameras in US, etc. But the government doesnt even need Flock or Ring to cooperate. They have plenty of their own housing programs to install thousands of cameras to spy on citizens 24/7, and can now deploy AI to sift through it all. Here in NYC we already have the lovely Domain Awareness System: https://nysfocus.com/2025/08/11/eric-adams-nycha-nypd-camera...
To sum up: the government can know what you’re doing at all times, with sensors in your car, mandated apps on your phone, cameras on your street, and soon, mandated telemetry sent by your operating system. Caretakers of kids are required to report anything to authorities and not let parents know, in case the department of child services might need to know. Every child is required to be vaccinated too, with lots of different vaccines.
I wouldn’t be surprised if toilet plumbing in every apartment in the future will be required to install a test for what you’re eating or drinking, to catch diseases early and for public health.
Looks like this short film is a documentary about our future, except with AI doing the snitching instead of humans: https://www.youtube.com/watch?v=vJYaXy5mmA8
What's hilarious is that in supposed dystopic corrupt hellholes I've lived or spent time in (Syria during the civil war, Iraq, Philippines, etc) all of this is unimaginable. Westerners view freedom as having a piece of paper that says they are free plus not having to bother fighting off ISIS or the gangsters because the even bigger gangster in a clean uniform and nice jackboot will take care of it. Much of the rest of the world views freedom as the government being weak enough that it's actually possible for rebel groups to emerge, which you might then have to fight off, but at least that is easier to fight off than a central government that consumes 25+% of the GDP and projects their air power to every end of the earth.
Of course, there are cases like North Korea where you get the worst of both worlds (strong central government + not even a useful piece of paper limiting it).
The sobriety check requirement for cars is so optimistic:
“Once data prove the tech cuts drunk-driving crashes, insurers may trim rates.”
Why would any insurance company want to cut into their profits by reducing rates?
Because it's a competitive market and offering a lower price than your competitors helps you earn more business. If your competitors lower their prices and you don't lower yours then you'll lose business.
It's optimistic to think it will even do anything to stop drunks. It's a $5 wrench problem. They think all this tech will stop drunks, when in reality some guy gorded out his mind on vodka is paying his 12 year old his weekly $20 allowance to blow into the machine.
To be fair, it's not about blowing into the machine, but a bunch of sensors all around the driver, e.g. looking at the finger pressing the button to test your blood alcohol content through your skin, detecting alcohol particles, etc. So you better hope your passenger isn't drunk LMAO
The initial mislead comes from the bill[1] where it's described as "verification" in the name and digest but nowhere in the law itself.
1. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
Sure the headline is misleading.
But anyone from 10 miles away could see what's going to happen next.
> It does not require that any verification take place.
Yet
Age verification passes? Now not only would extra costs be added for users to verify their age, that sounds like an age verification passes is a form factor that could easily be resold to someone else.
The register is a satirical publication.
> liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy
The difference being, of course, that as an adult one can simply refrain from frequenting a liquor store or porno shop if one chooses not to.
It's not practical to refrain from using a computer while participating fully in modern society. The UN has indicated Internet access to be a human right.
And where is the information about a person's age stored? On their ID. They're just checking ID on the honor system (for now!)
It's funny that they want to do these checks in a country where even the checks for voting are very iffy.
Voting is far more important. If someone is falsely denied access to some web site, it doesn't matter. But everyone with the right to vote must be allowed to vote, no exceptions.
In any case, voting is substantially more intrusive. You must register with your full name and address, which is made public record. Each time you vote, that is also made public record (not who you voted for, but the fact that you voted). In states with closed primaries, your party membership is public record. In states with open primaries, it's public record which party's primary you vote in. It's way more invasive than a text box in your computer's account setup screen that asks for your age.
I disagree there. I think that this is far more intrusive, because it impacts your everyday life rather than just a small slice of it, and thus more important.
FWIW, there are vanishingly few problems with improper voting in the US, and the extremely unusual occurrences are mostly PartyB voters trying to "counteract" the imaginary PartyA violations.
Anyone who tells you differently is lying or ignorant.
But how are any of them able to carry out the violations?
If there's no problem w/ improper voting, then why would anyone object to measures intended to verify that the proprieties involved are being followed?
If it were out of genuine concern for verification, those supporting it would want to ensure that all citizens are able to easily, quickly, and cheaply get ID. That is not the case, however.
Because 10% of US citizens (legitimate voters) do not have the forms of ID required in these proposed laws, and it can be expensive and time-consuming to get those forms of ID which are not otherwise required for their lives (QED), and they might not do so strictly for voting.
Some people think disenfranchisement is bad. Others see it as useful.
Specifically, PartyB thinks those people with inadequate ID skew toward PartyA voters. This has been the accepted wisdom for decades. So they are incentivized to make it harder for them to vote.
Interestingly though, PartyB might be wrong about the current population. PartyA, and those against disenfranchisement and imaginary crises in general (I count myself in this third group), do not want to blow up centuries of precedent especially if the consequences are likely to be undemocratic and unfair.
> Interestingly though, PartyB might be wrong about the current population
Luckily, this problem is wholly solved via selective enforcement.
> measures intended to verify that the proprieties involved are being followed?
Giving you the benefit of the doubt regarding the intent, why would anyone support a measure that demonstrably does not achieve what it intends, but instead denies you the right to vote?
Because that's not the intent.
Have you heard of the slippery slope? A cornerstone of American political philosophy?
Arguments like this one are why the authoritarian ratchet continues to turn unimpeded over time.
What "arguments like this one"? It isn't an argument at all, it's just pointing out some actual facts.
If your slippery slope argument can't withstand a simple statement that something is at the top of the slope, it's not much good.
Authoritarianism rarely happens overnight, it happens one step at a time and at every step the useful idiots [0] exclaim "It's just one step! What's the big deal? Stop overreacting!".
Next thing you know you've walked 100 miles and it's too late to turn back.
[0] https://en.wikipedia.org/wiki/Useful_idiot
Hmm the Reg article seems to have missed the reporting on Meta being behind many of the US lobbying groups - https://news.ycombinator.com/item?id=47362528
The overwhelming majority of programmers likely cut their teeth on computers as kids. Any attempt to restrict computer access to 18+ will only make American programmers un-competitive in the job market.
Or lots of parents will put their ID into their kid's computer so that they have full access.
I guess going forward if you are under 18 and want to learn programming and not be harassed by the government you have to go back to having and offline only computer and stack of o'reilly books?
Soon programming will itself require a license. Only government approved individuals will be able to write code. CPUs will only boot software signed by the government.
"Software engineering" is one of the few large practices with 'engineering' in its name that has no mechanism for license granting and revocation for violation of professional standard.
That's not what is happening here, but we might see that happen in our lifetimes. Hopefully before someone writes the software that kills enough people to necessitate licensing, not after (since generally, such outcomes are how licensing comes into being).
I started using Linux when I was in high school. I got my first job years later because I knew my way around Linux much better than other candidates. My OS never tried to track my age to prevent me doing what I wanted. I used to live in one of these places where OSs should report user’s age and I am glad my kid will grow up in one that doesn’t (yet?).
Biased headline indicates misleading contents.
Totally inaccurate. The actual technical requirement is to add a self-reported age field to user creation flows, and that the value selected be made available to applications.
But let's just pretend something totally different is happening. It's more exciting that way.
So TempleOS is still illegal?
And well, the law represents an intent.. if self-reporting won't work (obviously won't), then the scenario where PCs end up as locked down as smartphones is not far fetched.
Many parents will not be proactive in protecting their children online and I think this is a legitimate societal problem. The idea of algorithmic feeds for adult content that descend into increasingly "engaging" depictions is something I find horrifying.
I do not want my kids to experience those "loss of innocence" moments too soon by letting their curiosity lead them into things they are not equipped to confront yet. Hell, I still have those moments as an adult on occasion.
There has to be steps we can take as a society to address these legitimate challenges ourselves so that governments can no longer hide behind them in tinkering with mechanisms for stability and control. Maybe a "sunlight disinfects" approach.
Huh... I am the opposite.
I want my kids exposed to the brutal realities of the world asap.
I reflect that my innocence caused me to make some extreme major mistakes as a young adult that took a decade to show itself. I cannot go back, and now I am suffering terribly.
I blame my parents at least a little bit, but I blame western idealism more majorly.
I am intrigued by this. I have long thought that exposing children to optimism and "what could be" allows them to envision a world different from our own. Kind of like how once you're in capitalism it's hard to think of alternatives.
> Jef Spaleta, the Fedora Project leader, isn't sure of the legalities, but he thinks it might be as simple as mapping "uid to usernames and group membership and having a new file in /etc/ that keeps up with age."
Personally I think Linux distros should ignore this law and put a disclaimer on their download sites. I expect OpenBSD will do just that. If Linux decides to make this a requirement, I guess I know what OS I will move to next.
Anyway, Instead of a new file, there are optional fields in /etc/passwd that can be used for "age". These fields can be added as comma separated fields. But, maybe he is thinking of making the new file readable only by root ?
I think it’s more that they have no idea that Linux exists, or headless operating systems used on servers and embedded devices. They are trying to legislate based on the experience of having an iPhone.
FOSS (and frankly all systems that don’t use walled garden commercial app stores) should be exempted from this, at a minimum.
Or maybe the likes of MS lobbied for this because it suits them.
If it’s like the Illinois one, all of tech are probably behind them, because these shift age verification away from service providers to a self-reported age bracket at the OS level.
It’s much safer than what some idiotic states are doing (like upload your photo id to services where it gets stolen).
The idea is a parent or guardian is probably setting up a device. They make a user account for their kid and specify a user age. The OS then can supply one of four age brackets to service providers.
Keep repeating those talking points, we all know what this is really about. It’s bad enough as it is, and it’s the foot in the door for much worse.
Before now, nobody has ever tried to legislate how an OS should work. This is unprecedented and unconstitutional.
We have got to do something about the bad powerful people!
> The real problem is this hodgepodge of laws; it's the growth of the surveillance state. From voting rights in the United States, facing Trump's Orwellian-named SAVE America Act, to Ring's doggie tracking system that can also be used to follow people, to Trump booting Anthropic to the side for refusing to allow its AI tools to be used for mass surveillance, privacy is on the decline.
I understand it is popular to pick on the current administration, and there are plenty of rightful reasons to, but let's not forget this has been happening way before either of Trump's terms (see: KYC laws). The only difference between then and now is that current administration has essentially taken a mask-off approach, so we get to see this discussion finally brought up by mainstream media outlets.
You're not wrong, but there is a huge difference between moving US government regulated currency to (possibly) foreign and (possibly) nefarious actors, and this.
Ever since KYC was extended to cover cryptocurrency exchanges, I have given up any faith in that this is solely about regulated currencies, or money laundering at all.
I don't understand this position. Cryptocurrency exchanges are the primary legal touch point (fiat offramp) for a lot of criminal activity. Of course they will get attention for AML.
I can understand the regulation of fiat/crypto exchanges, but the verification extends to centralized exchanges that merely facilitate exchanges one kind of purely virtual currency for another, neither of which have to be recognized as legal tender.
... which is a step in the money laundering process, so of course it would.
I don't think it's unique to America either. It's just the ebb and flow of the envelope of possibilities for central governance as technology and culture changes. FATF has managed to implement KYC worldwide, even in banana republics at least for the peasant without connections.
Be nice to hear Linus' take on it.
If you want interesting takes ask RMS.
Depends on how much he wants to anger his employer, which supports the bill.