Debian Project Leader Andreas Tille has addressed the ongoing debate over age-verification laws and their potential impact on free software operating systems. Long story short: he clarified that Debian has not adopted a position and is awaiting legal analysis.
In his latest “Bits from the DPL” message, Tille stated that the main question is whether operating systems and package distribution mechanisms might be required to provide age-related information to applications.
He noted that Debian and other projects are discussing the issue, and that Software in the Public Interest, a non-profit corporation founded to act as a fiscal sponsor for organizations that develop open-source software and hardware, has begun seeking legal guidance.
I think the position to adopt is very clear:
- You stand upright facing the nearest government building.
- You extend your right arm horizontally in front of you.
- You rest your left hand, palm down, on top of your right arm, next to your antecubital fossa (the opposite side of the elbow).
- You make a fist with your right hand.
- Without opening your fist, you extend your right hand’s middle finger straight up.
- You decisively bend your right arm at the elbow, standing your forearm, fist, and middle finger straight up.
Thus you achieve the only reasonable position towards this nonsense.
There is no law that governs Linux development related to this, anywhere else. There is only a law in CA that requires this functionality (which would break any and all software infrastructure). Why would any maintainer of any Linux distribution, not actively dependent on following an untested law (from a legal PoV), even consider implementing it? This got a lot of headlines, because it’s absurd and stupid.
If maintainers wanted to comply, what the fuck would it actually entail? 99% of operating systems don’t have any specific human users to identify. The only reasonable approach is to ignore it. If data centers in CA for Azure, AWS, GCP, or any other, want to comply with this (which is impossible), either spend some of that tax free revenue to combat Meta’s suspected 2 billion USD effort in getting these online ID laws pushed through.
He also noted that, from a non-lawyer perspective, it remains uncertain how these regulations would apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and distributes it in a decentralized manner.
FUCKING THANK YOU.
That should buy them deniability.
My coffee maker has an operating system… Okay well actually i use an electric kettle but some of them do.
This law is impossible
Our office coffee machine runs Android. Every time I wonder why…
Easier to turn into ewaste so you need to buy another one this way.
lmao send it to Bringus so he can install Steam on it
Tille suggested that, if such obligations arise, they would likely affect redistributors or commercial entities building on Debian, rather than the Debian project itself.
if my edgerouter 4 adds age verification i’m going to burn everything to the ground
This reminds me, I actually installed OpenWRT on an ER-X. I need to go poke around on it and see how it works.
No that’s total garbage.
The law doesn’t mention commerciality or vendors, only operating systems.
EdgeOS is a fork of Vyatta, which is itself based on Debian.
Imagine having to verify your age for every docker container spun up by GitHub/forgejo actions.
then it would be time to switch all my LXCs to alpine, i guess. if they’ll even still work. they’re all debian 12/13 right now.
Only restricted material will require an age verification.
So, what about an operating system is restricted material? That’s what this law requires.
Edit: wow, you’re all over the place here. Are you paid (perhaps run?) by Meta?
The problem isn’t the specific nature of the rule: having an api call in the background that can broadcast a user’s age range (if it isn’t a clearly identifiable marker) makes sense.
The problem is that if the government is able to tell open source developers “YOU MUST INSERT THIS CODE OR ELSE!!!” then what’s next?
Will in 5 years they require Persona in order to install an Operating System to combat terrorism?
Will in 7 years they require a closed source module created by the government to be running at all times and the kernel must check to make sure if the closed source module is running?
Part of open source software is creativity, freedom, and freedom of speech. Some software is created because developers like creating things.
I hope Debian fights back against this on first amendment grounds. Great code is not that different from a great work of art, there is unique creativity in something elegantly coded that functions well, and telling developers they can’t code how they want is the path toward totalitarianism.
It’s one thing to force this into Microslop and Android and iOS because those are large profitable companies who don’t actually care as long as they make money. It’s another thing to force FOSS developers who develop for free because of the love of software and great code that they must change their code in a certain way.
What else would you expect after FOSS was forced to deplatform and steal code developed by Russian contributors.
The problem is that if the government is able to tell open source developers “YOU MUST INSERT THIS CODE OR ELSE!!!” then what’s next?
What’s next is that code gets a build flag that’s turned off in the makefile, and maintainers have to explicitly turn it on for that code to compile in. Distros maintain patches that add this sort of thing all the time, even if upstream refuses to do so.
And Debian is saying that, as a non-profit, all volunteer org? This bullshit doesn’t apply to them. They are building a legal basis for the makefile solution I’m describing above, and its default-off state in their repositories.
All of your catastrophising can be addressed this way. We need devs like you who can help make sure this solution is implemented exactly as described.
Debian repos are great - we can even blacklist official repos and replace them with bare, sketchy IP addresses if we like, and share binaries through them.
You cannot stop the signal. Quit thinking like a voter trapped in a Fascist hellscape, and start thinking like a hacker that the state cannot outmaneuver.
Yes because that’s how governments work.
Right now the only Debian system I have is on Oldstable. If Debian decides to implement age verification/attestation, do you think it’s going to be backported to that version? 🤔
You could just rip out the age verification bits, you have root access, it shouldn’t be that hard. If it ever happens.
Yeah, if I were willing to comb through systemd’s source code and compile my own version, or add someone’s repo containing a modified version, assuming anyone even bothers to cover oldstable.
Just fucking block Brasil and California from using debian
Don’t they just have to put a disclaimer saying that usage of the OS isn’t legal in those places? That works for all sorts of other stuff so why not here?
That does nothing to address the issue. What happens when the requirement is adopted elsewhere? Just keep excluding territories?
It seems like a simple fix, but this would play right into the hands of the corporate overlords. And California is not some tiny state.
If California were an independent nation, it would rank as the fourth largest economy in the world in nominal terms, behind Germany and ahead of Japan.
Just keep excluding territories?
Yes.
Slap a label on it that it’s not legal to use in those areas and move on while they fight it out legally. It’s distributed via p2p anyway so if people in those places still want to use it they can. Absolutely no reason to bend on this.
I agree that that solves some problems, 100%. But I’ve seen the downward slide of society take hard-fought civil rights away for several decades now. It’s never a sudden process, it always starts small and then slowly grows.
This is just the beginning, and it should be fought against with tooth and nail now, not just postponed so that we have to deal with this issue once the fascists already have some momentum.
Which is why I included the bit about fighting it out legally.
But I’ve seen the downward slide of society take hard-fought civil rights away for several decades now. It’s never a sudden process, it always starts small and then slowly grows.
That’s what happens by adding features that comply with these stupid laws. Step one is NOT doing that. People can still use the software even if it doesn’t comply. What is the government going to do, break into everyone’s home and look at their computers?
The CA one, at least from what I remember, doesn’t even place any expectations on a user. Even if a user did use an OS that was noncompliant, they would not be violating any laws for doing so, from what I understand.
That’s a good point.
What happens to the California economy if they can’t use Debian? Could it survive that?
There are plenty of dumb laws nobody applies anyway
I’m curious, what’s an example?
https://www.california.com/strange-laws-california/
Edit: My favorite.
“8. In Blythe, you are only permitted to wear cowboy boots if you own at least two cows”.
Debian can’t survive without California.
This is why I stick with Debian. Adults make decisions over there.
Can you verify this? Maybe we should require Debian contributors to prove they are adults. /s
They voted to switch to systemd so yeah, no problem there.
TL;DR they are lawyering up and haven’t said for or against
Fair enough, that means they’re probably gonna sue over it.
I read it as “we’re not gonna do it, and we’re getting the lawyers to tell us what we have to do to avoid this bullshit”
Eh, more like they are having a lawyer help determine whether they comply or not (to avoid being sued/held liable for non-compliance).
Debian uses systemd, so it’s coming whatever they decide.
No, it’s not. That just means a birthdate field next to name, address, etc, is coming.
Just because systemd said “Guess we will roll over and add this in” doesn’t mean Debian has to use an extra demographic field, of which they didn’t use all of them to begin with.
Do the ageless fork of systemd
WTF?
How is this not reasonable? Everyone’s potentially got a lot to lose here.
Asking an expert for their opinion, even if that expert is a lawyer, is not “lawyering up”, nor is there any evidence whatsoever that the Debian Project or the SPI is going to “probably sue over it”.
The summary under the heading “TL;DR” was nothing more than an inflammatory opinionated interpretation of the headline and as interpretations go, it was not in any way, shape, or form, anything that might be considered a summary, which is what the “TL;DR” implied.
Hence my “WTF?” response and subsequent top level reply with the actual text and its source as sent by the DPL.
I note that the issue of “age verification” is an extremely troubling trend and I think that discussion about it needs to be considered and nuanced, neither of which were in evidence.
The TL;DR stopped when the line ended, there is a reason if they put more space between one line and the other
There was nothing inflammatory about that comment. It was just reasonable speculation and not harmful at all.
Software in the Public Interest is a US-based non-profit organization that legally represents and handles donations for Debian, Arch, LibreOffice, systemd and a lot of other projects. And if they’re in violation of US law, they can unfortunately be sued into oblivion. So they’re right to check with their legal team before making an informed decision.
And fortunately they can just change their fiscal host. That’s one thing the lawyers will tell them, if needed
Not providing an age signal is not illegal, you just won’t be able to access restricted material like social media.
Are you a lawyer?
I’m against these laws, strongly, but I think sending vitriol at systemd and distrust is not constructive.
The battle is legal and pretending it isn’t and fighting our maintainers who realistically can’t afford to be sued over good, is not helping the cause.
It’s humans at the end of the pipe. Thoughtful and vulnerable humans.
There is one small benefit to this speedbump on our road to freedom:
Governor Gavin Newsom, Democrat of California? Has been acting like he wants to run for President in 2028. He signed this into law for his state.
Make this an albatross on his neck. Sink him. Let him know that this crushed his dreams of ever being President. Publicly. Loudly. Don’t be satisfied until he quits twitter and retires from public life altogether, not just politics.
And for anyone in New Jersey? Get loud at your state reps phonelines now, they’re trying to pass the same in your state.
I don’t know how anyone can pretend to care about gay, trans, or black people and support this law.
It’s going to be used to ban “critical race theory” and lgbtq topics first.
I don’t see how the Dems can defend this
It’s going to be used to ban “critical race theory” and lgbtq topics first.
How would the CA law allow that? It’s not KOSPA but a dropdown selection.
Well, Newsom doesn’t even pretend to care about trans people, so we can start there.
I’d say it’s less a legal fight than it is a fight for control, using the law this time.
Pretending that what people are upset about is the field rather than the pre-capitulation is not helping the cause.
Most of the hate isn’t for the technical implementation of a field, though some FOSS people are upset at that as well.
You can sidestep the legal fight by not serving the places where it is illegal.
That doesn’t necessarily align with the goals of whatever project, but it is possible.
Every entity that bends over backwards to support US hegemony is deserving of all the criticism it gets.
The dude literally added an optional birthday field next to an optional full name field and an optional address field
Then he got death threats
If you think that is an appropriate response you are a literal child, mentally speaking.
It’s not so simple as that, the dude provided a framework for privacy abusers to use to force us into their bullshit. If that framework did not exist they wouldn’t be able to do that so easily. There is absolutely zero reason for there to be a centralized location on an operating system that just hands out your demographic information to whoever asks for it and yes, that includes the fields that already existed. None of it should be in there. This is not something we should be compromising on. There are enough invasions into our privacy as it is.
Doesn’t deserve death threats but he does deserve hate.
Figurative, unless you’re actually proposing a real, measurable, testable large scale mental deficit.
but yeah, death threats are stupid.
unless you’re actually proposing a real, measurable, testable large scale mental deficit.
I do if you think death threats are appropriate
That seems like a stretch…but you do you i suppose.
So you think there is a world where death threats are warranted for a… Pull request?
That seems like a stretch… But you do you i suppose.
I’ll assume you pulled that mental gymnastic routine out of the same place you store how you think the word literally is supposed to work.
At no point was “pull requests deserve death threats” even hinted at.
Semi-reasonable takes wrapped in logically dubious arguments is snatching defeat from the jaws of victory.
Doubling down with a retort that only requires you to read 5 lines to see it isn’t true is wandering in the fields of free and easy victory and choosing to drown yourself in the 2 inch puddle of defeat.
I don’t think you can include death threats under criticism
Yet here we are
I’m telling you that you did not understand what the guy you replied to really meant
Oh I know what he meant
I just think he relativizes how the discussion was going.
Constructive criticism is of course fine. But this whole thing was the exact opposite
Death threats are stupid and indicate severe mental problems. This does not change the fact that the author explicitly mentioned that the aim was compliance with possible age verification laws. Just because he received death threats from some idiot man child does not mean he is right or what he did is inconsequential. It is a statement that they are willing to accept possible future identity verification laws without any legal fight and resistance.
Hating Dylan Taylor is not however
Hating a Dev? Broke.
Hating Governor Newsom? That’s on the money.
I can hate both
Hate the politician louder.
I do
Will drop debian like that if they capitulate a single inch
“Fuck off” is the only appropriate answer.
Aim it at the right people - but say it loud and clear.
I like your point
This is what the DPL actually wrote on the subject:
Recent discussions have started around new age verification legislation that may affect free software operating systems. In particular, the California Digital Age Assurance Act (AB 1043), expected to take effect in 2027, raises questions about whether operating systems and package distribution mechanisms could be required to provide age-related information to applications. In parallel, a recently adopted law in Brazil appears to introduce similar requirements and is already in force, with initial interpretations suggesting it could apply to components such as package management tools. These developments are currently under discussion within Debian and other projects, and SPI has initiated efforts to obtain legal guidance. At this stage, the situation remains unclear, and further analysis is ongoing.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way. It seems plausible that obligations, if any, may primarily affect redistributors or commercial entities building products on top of Debian. In such cases, Debian would as usual be open to contributions that help downstreams meet their requirements, while keeping such features optional and respecting the needs of users in other jurisdictions. However, this is an area where proper legal analysis is still required.
Source: https://lists.debian.org/debian-devel-announce/2026/04/msg00001.html
The legislation is clear and unambiguous: an operating system must provide an age verification which is able to be accessed by third parties on the internet.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way
There’s no mention of selling in the law.
And how is an operating system defined in that law?
Should this be handled at the BIOS level, the kernel level, the init level, the packaging level, the GUI level, the user login level, the user desktop level, or somewhere else entirely, like a derivative distribution with its own layers, some of which will be different from the base distro?
I’m asking because each of those levels is pretty much handled by different groups of individuals, groups and organisations in different jurisdictions, cultures and countries.
While we’re talking about options on where to put this “feature”, who is liable for it not being implemented?
You might have an opinion on where it “should” be, but I can guarantee you that there are at least as many opinions on where it should be as people you ask.
That’s why the Debian Project is doing what it is.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way. It seems plausible that obligations, if any, may primarily affect redistributors or commercial entities building products on top of Debian. In such cases, Debian would as usual be open to contributions that help downstreams meet their requirements, while keeping such features optional and respecting the needs of users in other jurisdictions. However, this is an area where proper legal analysis is still required.
I found this part very reassuring. Being neither a lawyer nor having read any of the legislation (of which I am not a subject, anyway), the “it’s not our job” approach seems very reasonable. Facilitating downstream vendors who do want/have to comply seems like an exceptional effort to show good faith to local legal processes, while remaining, fundamentally, just people freely sharing knowledge.
I hope their lawyers can make that work.
I wonder what the perspective is on Systemd, which debian uses, starting to implement this shit already,
with the same bootlicker already ruining XDG