FOSS (and frankly all systems that don’t use walled garden commercial app stores) should be exempted from this, at a minimum.
It’s much safer than what some idiotic states are doing (like upload your photo id to services where it gets stolen).
The idea is a parent or guardian is probably setting up a device. They make a user account for their kid and specify a user age. The OS then can supply one of four age brackets to service providers.
Before now, nobody has ever tried to legislate how an OS should work. This is unprecedented and unconstitutional.
There are already laws about OSes, that they shouldn't spy on you and so on.
Ok, so you’ll say that it just applies to operating systems even though it’s not explicitly mentioned. Show me where the ADA has been used successfully in a lawsuit against an OS developer for the construction of their OS. I’ll wait!
I am not arguing that this is a good idea, but it is simply false that the law requires that Linux 'check kids' IDs before booting'.
The New York law is worse, and should be opposed, but the article only mentions it at the end - and even then, we actually don't know what the verification mechanism would be. I've heard a proposal that "age verification passes" be sold at liquor stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
But anyone from 10 miles away could see what's going to happen next.
Like if I said "Yes, the university reserves the right to expel students who defecate on the teacher's desk. But we all know where this is going." that'd be pretty crazy, wouldn't it?
For minors, we have this lovely law coming in NYC: that will broadcast to everyone that you’re a minor: https://www.nysenate.gov/legislation/bills/2025/S8102
But let’s talk about around the US. For example, all cars manufactured in 2029 and onward will be required to have a built-in alcohol detector / breathalyzer and to shut down and not let you drive if they detect your blood alcohol level is too high: https://www.clear2drive.com/the-pass-act-explained/
And in 2027 — next year — new cars are required to watch where you are looking, how much you’re blinking or nodding and alert authorities if you aren’t alert enough: https://www.gadgetreview.com/federal-surveillance-tech-becom...
And it’s not just the US government. That phone in your hand? Governments have mandated that all vendors preinstall spy software, filters and apps on it, that are not removable: https://www.aclu.org/news/privacy-technology/government-mand...
Also these phones no longer shut down when you shut them down. They continue operating and sending telemetry so the government can eventually know where they are at all times. https://android.stackexchange.com/questions/228682/why-do-ce...
This is in addition to the interlinked CCTV cameras that are the norm in various cities (eg in the UK), new Flock cameras in US, etc. But the government doesn’t even need Flock or Ring to cooperate. They have plenty of their own housing programs to install thousands of cameras to spy on citizens 24/7, and can now deploy AI to sift through it all. Here in NYC we already have the lovely Domain Awareness System: https://nysfocus.com/2025/08/11/eric-adams-nycha-nypd-camera...
To sum up: the government can know what you’re doing at all times, with sensors in your car, mandated apps on your phone, cameras on your street, and soon, mandated telemetry sent by your operating system. Caretakers of kids are required to report anything to authorities and not let parents know, in case the department of child services might need to know. Every child is required to be vaccinated too, with lots of different vaccines.
I wouldn’t be surprised if toilet plumbing in every apartment in the future will be required to install a test for what you’re eating or drinking, to catch diseases early and for public health.
Looks like this short film is a documentary about our future, except with AI doing the snitching instead of humans: https://www.youtube.com/watch?v=vJYaXy5mmA8
“Once data prove the tech cuts drunk-driving crashes, insurers may trim rates.”
Why would any insurance company want to cut into their profits by reducing rates?
Undercutting the competition pays off when they're much smaller and you can eliminate them that way and subsequently raise prices.
Of course, there are cases like North Korea where you get the worst of both worlds (strong central government + not even a useful piece of paper limiting it).
That said, I don’t think I would like to live in a region governed by gangs or rebel groups, even if they probably don’t have the capacity to annoy everybody, the low odds of a catastrophic interaction with enforcement seem bad.
That's not much of a source -- a 100-karma user in 2020 based on "I've known this for a long time. A quick google confirms that many people think the same." I don't believe it is true.
I suspect the dark pattern this will lead to is user-maintained ISOs as was the early days of Microsoft. People would slip-stream in patches, applications, better default settings and in some cases, malware.
I don't think it's a very well thought-out law. But realistically this will end up as setting some env variable for your docker containers to assure them that you are 99 years old. And yes, maybe transmitting a header to docker hub that you are 99 years old. Probably configured via an env variable for the docker cli to use. It's stupid, but nothing a couple env variables wouldn't comply with
The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
Edit: as folks have pointed out, the attacking application doesn’t actually have to be running while the age-transition takes place. The attacker just has to have logs from before and after the age transition, and then they can narrow the birth-date down.
I mean, the app can query on a weekly basis, and then if you go from “under 18” to “over 18” it knows the week that you were born in. But, if the user was already an adult when the logging started, there isn’t a transition to go off.
I think the intent was for the OS to know the user age, but only provide an age range, so it could automatically upgrade people as they aged (but I could be wrong about that).
Which will happen. The road to hell is built one brick at a time.
I honestly think the California law is well intentioned (in the sense that it just asks the OS to attest the age of the user, so, lawmakers probably thought this could be done in a privacy-preserving and minimally annoying fashion), but it seems very focused on desktop and cellphone use-cases.
Arguments like this one are why the authoritarian ratchet continues to turn unimpeded over time.
If your slippery slope argument can't withstand a simple statement that something is at the top of the slope, it's not much good.
Next thing you know you've walked 100 miles and it's too late to turn back.
The slippery slope argument says that open source software is a stepping stone to a world where all commercial activity is banned. Should we therefore oppose open source software?
> The slippery slope argument says that open source software is a stepping stone to a world where all commercial activity is banned.
No it doesn't.
Yes, it does.
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
Anyone who tells you differently is lying or ignorant.
Some people think disenfranchisement is bad. Others see it as useful.
Specifically, PartyB thinks those people with inadequate ID skew toward PartyA voters. This has been the accepted wisdom for decades. So they are incentivized to make it harder for them to vote.
Interestingly though, PartyB might be wrong about the current population. PartyA, and those against disenfranchisement and imaginary crises in general (I count myself in this third group), do not want to blow up centuries of precedent especially if the consequences are likely to be undemocratic and unfair.
Luckily, this problem is wholly solved via selective enforcement.
How is it that you don't need an ID to exercise the rights of voting 'citizens', but you need one to exercise the right of 'people'? Consider that virtually all 'citizens' are also 'people', and even if you argue they are not, the portion of voting citizens that aren't 'people' is inconsequential compared to the supposed "10%" that can't muster an ID.
It's almost as if both sides of the argument are just using logically inconsistent arguments that just align with whatever gets the voting demographics they like. In fact, Vermont is the only state I know of that gives both full rights of citizens and full rights of people to those without ID in a manner consistent with the anti-ID argument usually presented.
Consequences of errors with guns are higher than with voting, because elections are audited and mistakes and fraud are found and reversed.
You cannot helpfully audit misuse of guns, after the fact.
But let's accept your premise as true.
You're proposing something like rank-stacking the risk of various rights of citizens and people and if they're high enough on the stack it's OK to ID and if they're lower maybe it's not OK. That seems to move the goalpost quite a bit from your prior argument.
This happens before the winners are certified, and before they're given the ability to drop bombs.
I don't understand your confusion.
In the US, ACH transactions are reversible and trusted throughout the nation. Bitcoin transactions are not, and are not. This seems parallel to me.
Giving you the benefit of the doubt regarding the intent, why would anyone support a measure that demonstrably does not achieve what it intends, but instead denies you the right to vote?
This is how we know how extremely few problems there are, and how we catch the accidents (which are backed out, hence the delay between voting and election certification), and the fraud (which is extremely rare but of course also backed out).
In any case, voting is substantially more intrusive. You must register with your full name and address, which is made public record. Each time you vote, that is also made public record (not who you voted for, but the fact that you voted). In states with closed primaries, your party membership is public record. In states with open primaries, it's public record which party's primary you vote in. It's way more invasive than a text box in your computer's account setup screen that asks for your age.
Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.
> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place
The US is a federal system. It's part of our checks and balances.
> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption
No one. This is why organizations with actual security requirements do their own dependency checks.
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
> But maybe that’s just me
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
> fighting via lawfare
That is being done.
> and media
You heard about it via the media.
> You don't have to support
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)
Many big distributions (Ubuntu, Suse, Fedora) are sponsored by big tech companies, and are not maintained by volunteers.
Honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.
Linux desktops already have APIs for profile management. This is just another field to add to those APIs.
Very little core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 aren't going to drop California as a customer base to make a statement that no politician will ever listen to.
Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")
Maybe that doesn’t move you; it seems like you don’t care much for personal liberties. (A Euro, go figure.) But this is America and we have constitutional guarantees here.
https://theonion.com/the-future-will-be-a-totalitarian-gover...
Two guys built a website to try and help people curb their undesired sexual proclivities and because they were bad at security, their users' personal information (including their own logs of their sexual proclivities) is leaked. They will see no consequences other than "oops, oh well, I guess we're going to shut down our website now and, probably, build another one."
Why is that okay? We've de-facto operated as if it is okay for decades under a notion of "user beware," but that notion is increasingly incompatible with the goals of treating Internet access as a human right because if you let everyone on, you are definitely letting people on who lack the capacity, knowledge, or savvy to beware. And we lack a framework for holding "two guys who just told the world how often you jack off" accountable for their violation of confidentiality.
Individual users become nodes in botnets. Individual users have their identities compromised. Individual users are talked into being kidnapped by anonymous victimizers. Individual users are, increasingly, everyone's concern the moment they connect to a shared network. And, perhaps most significantly to this topic: the Internet does not distinguish between two guys building a hobby app and a professional service.
This specific notion, age-gating access, may not be the right step. But we should be a lot more serious about taking more than zero steps. The time of effing around and pretending there are no consequences to these technologies is over.
> Two guys built a website to try and help people curb their undesired sexual proclivities and because they were bad at security, their users' personal information (including their own logs of their sexual proclivities) is leaked. They will see no consequences other than "oops, oh well, I guess we're going to shut down our website now and, probably, build another one."
Erm, what? Did you think this was a normal thing to include in your reply?
On the other hand, nobody can help a clueless web dev.
Those still are hobbies, you just need a license for it now. Which makes sense since crashing an airplane is a bit more devastating than crashing a computer. But most hobbies don't need a license and aren't a danger to others.
1. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
Yet
The difference being, of course, that as an adult one can simply refrain from frequenting a liquor store or porno shop if one chooses not to.
It's not practical to refrain from using a computer while participating fully in modern society. The UN has indicated Internet access to be a human right.
I understand it is popular to pick on the current administration, and there are plenty of rightful reasons to, but let's not forget this has been happening way before either of Trump's terms (see: KYC laws). The only difference between then and now is that current administration has essentially taken a mask-off approach, so we get to see this discussion finally brought up by mainstream media outlets.
The counterpoint is that if your job was to prevent/punish financial crimes that affect consumers, would it make sense to ignore these exchanges?
Heck, if M:TG cards were the medium, and they could be moved across international borders with a few keystrokes, then surely those would be watched too.
I won't argue that it's not privacy-invading for legitimate customers, but if the legal structure allows it, regulators have an obligation to look where the problems are expected to be.
Your implied comparison of "promotion" vs "monitoring" makes zero sense though.
Personally I think Linux distros should ignore this law and put a disclaimer on their download sites. I expect OpenBSD will do just that. If Linux decides to make this a requirement, I guess I know what OS I will move to next.
Anyway, instead of a new file, there are optional fields in /etc/passwd that can be used for "age". These fields can be added as comma separated fields. But, maybe he is thinking of making the new file readable only by root?
I do not want my kids to experience those "loss of innocence" moments too soon by letting their curiosity lead them into things they are not equipped to confront yet. Hell, I still have those moments as an adult on occasion.
There has to be steps we can take as a society to address these legitimate challenges ourselves so that governments can no longer hide behind them in tinkering with mechanisms for stability and control. Maybe a "sunlight disinfects" approach.
I want my kids exposed to the brutal realities of the world asap.
I reflect that my innocence caused me to make some extreme major mistakes as a young adult that took a decade to show itself. I cannot go back, and now I am suffering terribly.
I blame my parents at least a little bit, but I blame western idealism more majorly.
If my old man slapped me on the back at 13, called me a man, and made me scroll through the morbid reality subreddit and do a book report on the Nanjing Massacre or My Lai I think that would be really damaging.
I think the stories we tell our children about the world, naive as they can be sometimes, tell us a lot about what we value in our societies and the ways in which we hope future generations will surpass us in overcoming our own failings. Everyone has to learn later that the truth is messy, yet the existence of brutality doesn't disqualify idealism and goodness.
I don't mean to imply that I'm denying your experience, but for most people, I hope, cynicism is a temporary response to the disillusionment of the complexity of the world and not a persistent worldview.
The Register article is about laws that were specifically designed to not give Meta and their ilk anything more than an unverified age bracket. The age reported is whatever the person who set up the account on the computer said to report.
That's not what is happening here, but we might see that happen in our lifetimes. Hopefully before someone writes the software that kills enough people to necessitate licensing, not after (since generally, such outcomes are how licensing comes into being).
But let's just pretend something totally different is happening. It's more exciting that way.
And well, the law represents an intent.. if self-reporting won't work (obviously won't), then the scenario where PCs end up as locked down as smartphones is not far fetched.
These kinds of laws just seem like unworkable messes to fool the tech ignorant into thinking they care about kids.
Application side I get, there is an entity there running the application, that can be fined or banned or what have you. But software itself? No.