This should be the time for open-source developers to use their common sense to decide whether we should push back.
If California wants to create its own Protect the children operating system, it should bear the cost and responsibility for this alone, and not export any of the sketchy political agenda to the wider open source community.
It's the law. If you live in the United States, and a minor in California uses your OS that didn't check age, you could be liable for up to $2500 per occurrence. That can add up quickly if California schoolkids discover your OS does an end run around the law. When ruin is the alternative, compliance becomes non-negotiable.
Many distros disagree and are not complying. It’s very likely that this (and all similar bills) will be overturned after legal challenges. Noncommercial projects especially have a strong 1A case and we have already beaten one of these bills. Keep fighting.
Nobody in their right mind can explain how locking down operating systems will protect children. It does not make sense. This is just another way to sneak in more mass surveillance and kill anonymous online presence, with most ridiculous excuses.
California can't govern outside California. Other states have discovered the legal limits of their soverignty quite recently. But it certainly argues against hosting in CA and furthermore, consulting an attorney.
If you have a connection to California, you can be sued in their courts. I don't know whether providing (not selling, that certainly counts) an OS to California residents from outside California counts as a connection, that's something you need to review with your legal team. One thing is certain though: you need legal counsel to do OS dev; the Terry Davis era has come to a close.
Then let Californians do their dirty work. They have no place in the broader open-source community or in the rest of the world. Nobody should care about them, except now about caring about blocking them.
The owner of the computer should decide what the computer does.
California is a soon failed bankrupted US state, and no one outside its borders cares what's going on there. Companies are leaving, people are leaving. Let them sink to the ocean with their idiotic laws.
I don't mean to come across as a snob, or anything like that, but I find this PR really odd.
It's the authors first time contributing to this repo and it the feedback on the PR that was addressed is really odd, like some of it is super basic stuff, even if you're not familiar with the code base or the language.
for the california legislation there were no "nay" votes. it's disapointing this performatively protective stance permeates both dominant right-of-global-center parties in America, but it is "all of them"
Pretty much the same laws in red and blue states yeah. It always gets confusing when Americans use the word liberal, everyone is a liberal, it never meant *your* liberty.
It's about making sure you can't bypass systems like this-- or rather, that when you use your rights under the GPL to remove this privacy invading crud or just otherwise modify your software you'll be broadly banned from interacting with third party services.
I cannot express how disappointed I am to see open source projects giving in to complying with age attestation laws.
I feel like complying really undermines any first amendment arguments. Software is a first amendment protected form of expression, giving in before getting any actual threats from the state makes your participation seem voluntary.
Systemd's participation puts the entire world into compliance with a California law
Techbros gonna techbro... bending the knee to fascists and privacy traitors. The next law will groom something else and eventually it will be tech requiring digital identification and approval to use the internet.
BSDs don’t use SystemD, neither do some distros. After they have been exposed here as collaborators I suspect we will see freedom-respecting distros move away from them. I myself have been neutral to weakly positive on SystemD until now, as they put forward some decent solutions to longstanding problems, but from now on I intend to stop using their software entirely.
As it turns out, the people who warned against “professionalizing” and corporatizing Linux were correct.
Just to be clear and specific, formal engineering processes and corporate selling out are two orthogonal properties that should never be conflated. Stuff millions of people use shouldn't be slapped together as a "hobby" without careful testing and change control processes. It also should get sufficient (crowd)funding so it can get the attention it deserves.
No one actually complained about Linux becoming more "professional" in terms of meeting high engineering standards. Just about corporate control over the process. There was a study that found code with more F-bombs in the comments were actually more professional according to the engineering standard, in response to complaints from suits that swearwords in the code meant that Linux couldn't be taken seriously as professional software.
Sure, not picky. A symlink to /dev/null for "I'm a grown-up/own this device" would be acceptable. Assumed one would put whatever value they wanted in the INI file :)
I doubt I can do the observation justice, my mind went there thinking 'a moment before the Unix Epoch' and the more... well-traveled meme: 'haha funny number [dropping the leading 19]'. Any number would've worked just as well, it's not significant. I really just wanted to express my participation in this, if at all, likely won't be in good faith.
That said... an option for 'I could have declared an age/birth date but chose not to' seems preferable. I was talking about poisoning but this could be more productive. Any attestation would reasonably fail, sure, but it sends a potentially-meaningful signal [to someone].
OK, "I am so old that already lived before the UNIX epoch even started" (or a year which breaks systems that cannot handle times before the UNIX epoch) sounds plausible. :-)
Fairly context dependent, however :) This attestation/verification topic (and 1969, presumably) keeps appearing in places where I doubt The Epoch is relevant!
That's beside my 'point', but fine. I'm deliberately conflating things for humor, sorry it missed. I'll get serious/stop joking around. I have no interest in administrating this. Especially on a per-user basis (despite that being the only way this 'works', I'm generally opposed). I'd prefer a file to drop in /etc... like one would express preferences over, say, /usr.
It's entirely optional, I get that. I could 'just' not set anything. Spare your fingers. I want to poison it [or loudly opt out] without a lot of effort. This includes running N commands when a file to could effectively disable the signal.
Said differently: I don't want to configure the portal, I want to ~~break~~ mask it.
> Said differently: I don't want to configure the portal, I want to ~~break~~ mask it.
Since this is sd-userdbd we are talking about unless the used backend provides the value it is unset by default. And if you manage your home directory using sd-homed unless you explicitly set it it is also unset by default.
Well, to get something to fail you need an implementation that can fail. And since nothing is using this so far there is nothing you can get to fail. In the end something that implements the actual communication would end up probably defaulting to "under 13" or whatever if it somehow fails to retrieve any value (or maybe not, who knows), so I wouldn't realistically see even without this, getting the attestation to "break" would end up unlikely.
Hypotheticals are truly exhausting! I had a wall of text and chopped most of it off. This started out as a joke and now it's dead, thanks.
The failure/assumption of under-13 or whatever, as a result of manipulation, is fine. I'm not actually trying to solution something though, jeez.
I find it more compelling to say, for instance, "x% of our users have chosen not to share their information"... rather than "y% have not set it". This category would almost surely be about as 'useful' (useless) as the 'do not track' header... and a concern for something other than systemd or even the portal (to a degree).
Stick a service unit in `/etc/systemd/system/` that is a oneshot type with `WantedBy=multi-user.target`, and which runs the appropriate homectl command for each user listed in /etc/passwd (likely just in a shell script).
Will unincorporated distros who don't comply be illegal to use in the areas passing these laws? This isn't "obscenity" -- isn't there a first amendment argument for these projects?
The context is that this is in response to California in the US potentially passing a law that requires age verification on the operating system level.
There is in New York, Brazil, and probably other places too. Attestation is a foot in the door and will become verification when it is shown to be ineffective. And unless the law is defeated, it will provide precedent for further legislative intrusion into personal computing.
Because systemd isn’t an operating system. It’s just providing a mechanism for the OS to store/lookup the user’s birthday. It’s up to individual distros to do the verification (should the law stand and OS vendors choose to comply)
Yeah, it's the most basic thing you could do that's not intrusive to the rest of the system. userdb is a local directory and most directories, like LDAP, have a DoB field. Even if these laws fizzle out the change would still be potentially useful for other things like parental controls apps.
It's scary how much global surveillance is closing in to become a reality with states passing these lesgilations, in the name of "protecting children", but it just serves to collect citizent personal data...
And now they are creeping into open source projects too. What once was thought as the bastion of absolute freedom from the state
You can always use a distro that doesn't use systemd or roll your own. Sure you lose the GNOME desktop environment, but if you ask me that's a net positive.
This should be the time for open-source developers to use their common sense to decide whether we should push back.
If California wants to create its own Protect the children operating system, it should bear the cost and responsibility for this alone, and not export any of the sketchy political agenda to the wider open source community.
It's the law. If you live in the United States, and a minor in California uses your OS that didn't check age, you could be liable for up to $2500 per occurrence. That can add up quickly if California schoolkids discover your OS does an end run around the law. When ruin is the alternative, compliance becomes non-negotiable.
Many distros disagree and are not complying. It’s very likely that this (and all similar bills) will be overturned after legal challenges. Noncommercial projects especially have a strong 1A case and we have already beaten one of these bills. Keep fighting.
> It's the law
"There is no justice in following unjust laws." - Aaron Swartz (Guerilla Open Access Manifesto)
Nobody in their right mind can explain how locking down operating systems will protect children. It does not make sense. This is just another way to sneak in more mass surveillance and kill anonymous online presence, with most ridiculous excuses.
California laws apply to people living in California. Not the whole country.
Let alone the world.
Except systemd isn't an OS. xdg-desktop-portal is not an OS. None of these projects need to flop over and acquiesce to this overreach.
At some point you have to pick a jurisdiction. It's impossible to support all jurisdictions laws as a company, much less as a FOSS project.
California can't govern outside California. Other states have discovered the legal limits of their soverignty quite recently. But it certainly argues against hosting in CA and furthermore, consulting an attorney.
If you have a connection to California, you can be sued in their courts. I don't know whether providing (not selling, that certainly counts) an OS to California residents from outside California counts as a connection, that's something you need to review with your legal team. One thing is certain though: you need legal counsel to do OS dev; the Terry Davis era has come to a close.
Then let Californians do their dirty work. They have no place in the broader open-source community or in the rest of the world. Nobody should care about them, except now about caring about blocking them.
The owner of the computer should decide what the computer does.
California is a soon failed bankrupted US state, and no one outside its borders cares what's going on there. Companies are leaving, people are leaving. Let them sink to the ocean with their idiotic laws.
I don't mean to come across as a snob, or anything like that, but I find this PR really odd.
It's the authors first time contributing to this repo and it the feedback on the PR that was addressed is really odd, like some of it is super basic stuff, even if you're not familiar with the code base or the language.
Just an all round weird vibe.
> “The clang-tidy test failures appear to be pre-existing and don't seem to be related to my code”
I’ve seen Claude reproduce nearly identical comments, wonder if that’s a couidence
Likely. Whenever I see that it usually means it itself created the test failures but won't admit to it!
"protecting" children by providing specific ages to data harvesters.
as per usual, liberal policy doing the exact opposite thing they claim it does.
for the california legislation there were no "nay" votes. it's disapointing this performatively protective stance permeates both dominant right-of-global-center parties in America, but it is "all of them"
Well yeah: Meta wrote the bill, Meta greases palms in their home state, Meta gets their bill unanimously passed.
Pretty much the same laws in red and blue states yeah. It always gets confusing when Americans use the word liberal, everyone is a liberal, it never meant *your* liberty.
It's quite conservative. Liberalism means I can use my device with no laws in between.
Not conservative (there's nothing traditional about this) or liberal, just surveillance authoritarianism.
In the past, children were not allowed their own phone. To be particularly cautious, smartphones have not proven a net good; and we're 20 years in.
It's not a liberal policy, it's an illiberal one bending the knee to feudal techbros.
Tangentially related, but does anyone know what Poettering's "cryptographically verifiable integrity" endeavor[0] is about yet?
[0]: https://news.ycombinator.com/item?id=46784572
It's about making sure you can't bypass systems like this-- or rather, that when you use your rights under the GPL to remove this privacy invading crud or just otherwise modify your software you'll be broadly banned from interacting with third party services.
I assume all along that trusted computing is where this age verification stuff is planned to lead to eventually: https://en.wikipedia.org/wiki/Trusted_Computing#Criticism
Probably what it says on the tin, TBH. If you hold the keys, it can strengthen security a lot.
I cannot express how disappointed I am to see open source projects giving in to complying with age attestation laws.
I feel like complying really undermines any first amendment arguments. Software is a first amendment protected form of expression, giving in before getting any actual threats from the state makes your participation seem voluntary.
Systemd's participation puts the entire world into compliance with a California law
this is not attestation though? it's just parental controls, no?
Techbros gonna techbro... bending the knee to fascists and privacy traitors. The next law will groom something else and eventually it will be tech requiring digital identification and approval to use the internet.
BSDs don’t use SystemD, neither do some distros. After they have been exposed here as collaborators I suspect we will see freedom-respecting distros move away from them. I myself have been neutral to weakly positive on SystemD until now, as they put forward some decent solutions to longstanding problems, but from now on I intend to stop using their software entirely.
As it turns out, the people who warned against “professionalizing” and corporatizing Linux were correct.
Just to be clear and specific, formal engineering processes and corporate selling out are two orthogonal properties that should never be conflated. Stuff millions of people use shouldn't be slapped together as a "hobby" without careful testing and change control processes. It also should get sufficient (crowd)funding so it can get the attention it deserves.
No one actually complained about Linux becoming more "professional" in terms of meeting high engineering standards. Just about corporate control over the process. There was a study that found code with more F-bombs in the comments were actually more professional according to the engineering standard, in response to complaints from suits that swearwords in the code meant that Linux couldn't be taken seriously as professional software.
Where can I drop a file to always return 1969
I was thinking 1984, or if I can return a float, NaN.
Sure, not picky. A symlink to /dev/null for "I'm a grown-up/own this device" would be acceptable. Assumed one would put whatever value they wanted in the INI file :)
> Where can I drop a file to always return 1969
I am out of the loop: what is so special about 1969 concerning age verification?
I doubt I can do the observation justice, my mind went there thinking 'a moment before the Unix Epoch' and the more... well-traveled meme: 'haha funny number [dropping the leading 19]'. Any number would've worked just as well, it's not significant. I really just wanted to express my participation in this, if at all, likely won't be in good faith.
That said... an option for 'I could have declared an age/birth date but chose not to' seems preferable. I was talking about poisoning but this could be more productive. Any attestation would reasonably fail, sure, but it sends a potentially-meaningful signal [to someone].
> 'a moment before the Unix Epoch'
OK, "I am so old that already lived before the UNIX epoch even started" (or a year which breaks systems that cannot handle times before the UNIX epoch) sounds plausible. :-)
Fairly context dependent, however :) This attestation/verification topic (and 1969, presumably) keeps appearing in places where I doubt The Epoch is relevant!
It’s admin settable. So just sudo homectl it. You are presumably admin.
That's beside my 'point', but fine. I'm deliberately conflating things for humor, sorry it missed. I'll get serious/stop joking around. I have no interest in administrating this. Especially on a per-user basis (despite that being the only way this 'works', I'm generally opposed). I'd prefer a file to drop in /etc... like one would express preferences over, say, /usr.
It's entirely optional, I get that. I could 'just' not set anything. Spare your fingers. I want to poison it [or loudly opt out] without a lot of effort. This includes running N commands when a file to could effectively disable the signal.
Said differently: I don't want to configure the portal, I want to ~~break~~ mask it.
> Said differently: I don't want to configure the portal, I want to ~~break~~ mask it.
Since this is sd-userdbd we are talking about unless the used backend provides the value it is unset by default. And if you manage your home directory using sd-homed unless you explicitly set it it is also unset by default.
I am aware, I kind of want a louder signal than doing nothing [which is a great option, I admit]. I quote myself:
> It's entirely optional, I get that. I could 'just' not set anything.
Why? Telemetry, mainly. I'd rather attestation [or whatever intends to use this] fail and make it apparently deliberate.
Well, to get something to fail you need an implementation that can fail. And since nothing is using this so far there is nothing you can get to fail. In the end something that implements the actual communication would end up probably defaulting to "under 13" or whatever if it somehow fails to retrieve any value (or maybe not, who knows), so I wouldn't realistically see even without this, getting the attestation to "break" would end up unlikely.
Hypotheticals are truly exhausting! I had a wall of text and chopped most of it off. This started out as a joke and now it's dead, thanks.
The failure/assumption of under-13 or whatever, as a result of manipulation, is fine. I'm not actually trying to solution something though, jeez.
I find it more compelling to say, for instance, "x% of our users have chosen not to share their information"... rather than "y% have not set it". This category would almost surely be about as 'useful' (useless) as the 'do not track' header... and a concern for something other than systemd or even the portal (to a degree).
Stick a service unit in `/etc/systemd/system/` that is a oneshot type with `WantedBy=multi-user.target`, and which runs the appropriate homectl command for each user listed in /etc/passwd (likely just in a shell script).
How would this work for multiuser accounts? Mu kids all share the same account on the family computer.
Instead of protesting, large corporations decided to ploy.
They cannot loose markets, like California or Brazil.
Will unincorporated distros who don't comply be illegal to use in the areas passing these laws? This isn't "obscenity" -- isn't there a first amendment argument for these projects?
There is a strong 1A argument, and one such law has already been defeated: https://netchoice.org/netchoice-wins-permanent-block-of-loui...
Bernstein v. United States set a precedent that has not yet been overturned.
Thanks that's encouraging
The context is that this is in response to California in the US potentially passing a law that requires age verification on the operating system level.
Traced back to Meta lobbyists. https://tboteproject.com/
Meta gives money to the Heritage Foundation? Wild.
there is no verification happening though
There is in New York, Brazil, and probably other places too. Attestation is a foot in the door and will become verification when it is shown to be ineffective. And unless the law is defeated, it will provide precedent for further legislative intrusion into personal computing.
Because systemd isn’t an operating system. It’s just providing a mechanism for the OS to store/lookup the user’s birthday. It’s up to individual distros to do the verification (should the law stand and OS vendors choose to comply)
I had to check the date; is not April yet
Pretty good implementation imo
Yeah, it's the most basic thing you could do that's not intrusive to the rest of the system. userdb is a local directory and most directories, like LDAP, have a DoB field. Even if these laws fizzle out the change would still be potentially useful for other things like parental controls apps.
It's scary how much global surveillance is closing in to become a reality with states passing these lesgilations, in the name of "protecting children", but it just serves to collect citizent personal data...
And now they are creeping into open source projects too. What once was thought as the bastion of absolute freedom from the state
> and now it's creeping into open source projects too. What once was thought as the bastion of absolute freedom from the state
It is indeed scary is how compliant the open-source projects have become to the "governmental overlords". Where has the hacker spirit gone?
Interesting solution and I really expected systemd would be were this age validation would be placed if distros what it.
But if this becomes a thing in Linux for the distro I use (doubtful), I will abandon Linux after 30+ years.
I am rather confident OpenBSD will ignore this law and I expect other BSDs will to. If not, back to DOS :)
Note, I have a BSD on a coupld of old laptops for testing reasons. I test what I write in the BSDs to help find issues, that works well.
You can always use a distro that doesn't use systemd or roll your own. Sure you lose the GNOME desktop environment, but if you ask me that's a net positive.
Having this in userdb is not bad per se. We already have a bunch of PII in there.
I like the analogy of data as oil: polluting when it gets out.
I'd like to severely limit the amount of PII on the system.
This should fit lennarts hubris well.
This developer should be blacklisted from all open source projects, permanently.
i dont like this
This is absolutely ridiculous.
Thank you blue states for the stupidity.