A small set of people are merging changes to various Linux components to make sure every application knows your birth date.
This is being done rapidly by people with questionable justifications and being merged with no youth and few marginalized people involved.
@artemis I don't know why.
And I'd say "why are people complying at all?".
@feonixrift @dalias @wwahammy @artemis It's not complying "in advance". The California thing is *law* now. Sure, other jurisdictions are in progress, but the time between now and the next Linux distribution releases before the January 1, 2027 date isn't that long.
Everyone in the different community spaces that *do the work* are scrambling because being out of compliance is ludicrously expensive and there's not much time to be prepared. Even so, there *are* public discussions with patch review.
@neal @feonixrift @dalias @wwahammy @artemis I stated on the xdg mailing list that amendments are expected. We are working with Colorado legislators on language that would exclude effectively all open source operating systems and all embedded/server operating systems. This has a chance of making it to the California bill before it is effective.
I had a chance to demand polkit access controls be implemented on the accountsservice change but the systemd userdb change did not get that implemented.
@neal @feonixrift @dalias @wwahammy @artemis My recommendation would be to wait on merging any of these changes at least until we see if an amendment excluding floss is accepted in Colorado, I'd hope to see it within two months. The intention of the bill's sponsors, as I have heard, is not to fine or take to court countless volunteer projects.
The systemd change was particularly rushed. If it is used, it does nothing to protect PII from being read by a user's non-sandboxed applications.
Update on the Colorado Age Attestation bill: Everyone that participated in the meeting last week submitted proposed changes to the bill. They included good ideas to improve consumer protection and privacy and exempt open source software. Sen. Ball responded this morning that they'll now draft potential amendments. I think we're making good progress. I'm off for a ski weekend with the kids. Have a great weekend everyone!
It's good that someone is doing that. IBM seriously dropped the ball when it came to lobbying about this, given how it affects #RedHat. No-one even brought up the implications for #Unix-like operating systems in #California.
You're not the first person to talk about amending the California Bill. It's an Act now, not a Bill, though. It's nigh on impossible to supersede it before 2027-01-01.
The politics, as well as the physical realities of how long it takes to enact legislation, mean that there just isn't the time, even if the will could be drummed up.
The current Act took 8 months to pass, itself, and not only is there no-one in California really lobbying to fix this, there's also the political problem of seeming to want to carve a massive exemption in a law that only months ago passed through every stage in the legislature with zero 'no' votes.
https://mastodonapp.uk/@JdeBP/116175882841550437
@neal @feonixrift @dalias @wwahammy @artemis
#CaliforniaLaw #USLaw #FreeSoftware #AgeVerification
Actually, it doesn't.
But the legislative record does. The California legislature has detailed accounts of what was brought up, pro and con, in committee.
It shows that the only 'free' things that the objectors thought about, the only things recorded as formal objections by concerned parties, were gratis applications on Microsoft/Google/Apple App Stores, and a supposed effect on their development costs.
No-one mentioned the #Unix model of user accounts or the BSD/Linux-based/Illumos-based operating system models of application packaging.
That said, it really was up to someone like IBM to spot this and lobby at the very least for #RedHat and RPMs to be taken into consideration in the definitions of 'covered application store' and whatnot.
@soller @neal @feonixrift @wwahammy @artemis
#CaliforniaLaw #USLaw #AgeVerification
@JdeBP @neal @feonixrift @dalias @wwahammy @artemis Gavin Newsom's signing letter requested amendments for other cases prior to the law taking effect. I see no reason to give up on an exemption for floss being there before 2027.
https://www.gov.ca.gov/wp-content/uploads/2025/10/AB-1043-Signing-Message.pdf
You should. Because the problem will be a lot of #California legislators having to be convinced that what they just did, not even in a prior legislative session, was wrong enough for a political U-turn; and then come up with a way of fixing this so that it does not broadly encompass pretty much any operating system with a ports/packages system for applications, *without* letting the targets that they *thought* that they were hitting (given the records of the passage through committee stages) off the hook; and *then* fight the organized lobby that clearly is behind this almost exactly the same bill text appearing in Colorado, Illinois, and New York as well, reacting with a #FreeSoftware-people-want-to-harm-children campaign.
2027-01-01 is simply too near a deadline for all that to happen before. Colorado, Illinois, and New York have a chance, as it's still Bills there; but it's too late in practical terms for California.
@JdeBP @soller @neal @feonixrift @wwahammy @artemis What is your goal in saying that? What result do you expect or want it to have? How do you expect anything to be better from you saying that, versus if you had shut up and said nothing at all?
If you don't have good answers to those questions you should step back and leave this to people who do have good intents.
Without a doubt if people are now paying attention and lobbying. The immediate problem is the chance that @soller mentioned of them happening before the provisions of the #California Act take effect on 2027-01-01. It's slim to none.
The slightly further away problem is finding how to express the difference in legal terms. It's actually quite hard to come up with something that doesn't as a side-effect let #FDroid off the hook. They'll want to keep F-Droid in the 'covered' camp, because it's exactly the sort of smart 'phone thing that they *thought* that they were covering, so the law cannot just exempt a 'store' solely on the grounds that it distributes #FreeSoftware.
Colorado came up with an addition to the common base text that grants exemptions for intra-business use. But that's an exemption for developers, not for operating system makers, based upon application purpose; so isn't much use to follow.
I gave this some thought at the start of March. There are a number of blind alleys.
The Microsoft Store is obviously a direct target here, but Microsoft Windows is a multi-user operating system; so the operating system having multiple local user accounts is not a way to structure an exemption.
The likes of Debian, Ubuntu, RedHat, FreeBSD, et al. use accountless access to repositories, whereas one has to use a Google Account with Google Play and a Microsoft Account with the Microsoft Store. But F-Droid is seemingly accountless too so that sort of exemption would let it off the hook.
Maybe one could get somewhere with tweaking the definition of a 'covered user' to make it specific to operating systems where Microsoft/Google/AppleID/whatever accounts functionally *are* the operating system user accounts.
Several ways still to draft that badly, though.
@neal @feonixrift @dalias @artemis
#ColoradoLaw #AgeVerification #USLaw
@neal @feonixrift @wwahammy @artemis No, there is a law that says something.
t's unclear what it's intended to apply to.
It does not define "operating system" in any adequate way to know what it applies to.
It's probably not Linux distributions; the assumptions are all built around walled-garden platforms.
Even if it did, it's not clear who the provider with an obligation to comply would be.
Nobody pushing or accepting these patches has has brought serious legal opinions into any public discourse.
They have not considered whether storing age/DoB might violate other laws.
All of this is textbook "complying in advance".
@MisuseCase @dalias @wwahammy @artemis
And it's absolutely doing my fucking head IN, that we have all these people saying, "Oh welp it's the law" like all of this shit is a totally normal obvious foregone conclusion, immutable law of the land no takes backsies look they all voted for it blah blah blah blah
MEANWHILE BOMBING HOSPITALS IS TOTALLY COOL AND INTERNATIONAL LAW MEANS NOTHING WHATSOEVER SO MUCH WET TISSUE PAPER
People sure pick and choose which laws to act like they care about. Jumping to comply this far in advance of shit designed to destroy ALL PRIVACY and digital freedom is entirely fucked.
I think this preemptive compliance has a lot to do with a lot of low-level open source development now being a regular day-job at a large tech company. So, you have people writing code who are embedded in an infrastructure with managers, performance targets, and the corporate culture associated with that, and where compliance with whatever the corporate hierarchy demands is the norm.
This is a very different situation when you compare that to entrepreneurs and academics like Phil Zimmermann and djb, who didn't preemptively comply with export control laws.
@artemis @wwahammy this isn't complying in advance, it's complying with the law. Which passed unanimously through the California assembly and senate and was signed into law by Gavin Newsom in 2025. It's not going to be repealed.
Open source projects do not have the type of budget that allows them to merely ignore the law and shrug off fines and legal fees.
@wwahammy
If that person would be a maintainer of a “popular” OSS¹ project then the AG could choose to make them an example.
So I could see from their viewpoint not wanting to get in trouble.
…because they don't want to leave the CA jurisdiction so they choose to comply.
1. “F” omitted, as systemd being enforced and feeling pompous enough to consider itself the operating system is definetly not “Freedom”.
@wwahammy @frumble @artemis @smn
Why even implementing such feature? XD I'm really lost wtf.
> and helps support age verification requirements from recent legislation.
Why should we care about any legislation. It's open source for fucks sake. I should be able to can run it on my dildo if I wanted.
Even now I can drop this stupid commit and government could suck my dick. What if I run RToS on Arduino? Do I still need to add age flag XDD WTF.
@ShadSterling @artemis @smn while understandable, that's not a good solution. I don't think we should trade one freedom away for another.
The whole thing needs to be stopped. Period. No compromise, no surrender.
@wwahammy @artemis @smn it does, but I don’t think that license change is meant to be a whole solution, and I’m not sure what better thing those orgs could do.
Until it is stopped, maybe it would be better if the ones not located in California just ignored it; it’s not like they can impose California law on the entire world
@ShadSterling @wwahammy @artemis @smn I actually think that the license change and/or a website note saying "don't download this if you're in $jurisdiction" is an excellent response.
It's not like CA or the UK or Brazil can actually police who downloads what OS, and it removes legal liability* from the distro without actually affecting access or changing the code to support surveillance. The distros *do* need a way to avoid legal liability.
If in the end this leads to a situation where most Linuxes are officially banned in most of the world but people routinely ignore that ban, that's a good thing actually because it trains people to ignore bad laws. If some jurisdictions escalate to more invasive measures that target users, that's where you'll actually find a political base to resist this.
* I'm not a lawyer, but I have seen decent-sized orgs go this route.
@tiotasram @ShadSterling @artemis @smn I think the warning on downloads is perfectly fine but let's step back for a second: which distros need to avoid liability?
Most distros likely don't, they have no assets or there's no organization to actually sue. A few distros have some assets but why would the AG ever consider suing them? And how would they prove the number of negligent violations? There's no centralized record of users.
Are there companies who might be at risk? Valve seems the most likely but the Steam Deck is a gaming platform in millions of houses. That's worth suing over. But why would they sue Canonical over Ubuntu? Are there even 100k kids in all of California using Ubuntu? I doubt it.
@wwahammy @ShadSterling @artemis @smn agree with your logic but sadly logic is often not relevant when it comes to bureaucracy.
To put it another way: a vindictive suit designed to take down a distro web server could happen merely because some silicon valley VC got mad (or bored) and decided to drop $100k on an AG race somewhere?
There are innumerable bad reasons for a suit to arise that could absolutely happen, and being "technically in compliance due to disclaimer" probably heads off some number of these. The "don't download if you're in CA" language has other upsides too, like getting a broad group of users pissed at the law and priming them for non-compliance, and setting a standard for your community that you'll stand up to bad laws by refusing compliance.
@ShadSterling @wwahammy @artemis @smn
For the Polish example, I probably wouldn't worry about it. For the Portland example, I might. If it's a US entity, and/or servers that host it are in the US, I imagine a "don't distribute OSes in CA law could be applied. Otherwise how does the law have any effect on Microsoft, which is also not headquartered or incorporated in CA? Possibly the mechanism is "sales to entities registered in CA" which indeed Linuxes don't have (well, Red Hat might, but I don't care about their ilk). But certainly the framework for cross-border prosecution is there. I'm not a lawyer, and I think asking an actual lawyer is the right thing to do if you suspect litigation might be possible. I think I saw in another thread someone say that at least one distro has done exactly that and said they aren't making any changes, so perhaps that's a good approach for some.
Eric Schultz
Artemysia
Cassandrich
d.rift
Neal Gompa (ニール・ゴンパ) 
Jeremy Soller 🦀
JdeBP
ben
Misuse Case
Violet Madder
Hendrik Weimer
Justin Fitzsimmons
Maxi 12x 💉
Dźwiedziu
grayrattus
Moth 
Sharp Cheddar Goblin
Chris Goss
Patrick
ShadSterling
Heyla
Tiota Sram
emilianosandri
Knut 🏳️🌈 🇳🇴🧸
Derek