NY State has a bill pending that could go even further, requiring operating systems to “conduct commercially reasonable and technically feasible age assurance for users at the point of device activation.” Some reports imply that this only affects device manufacturers, but according to the summary of provisions, operating systems are included.
Based on my limited research, it is unknown as of yet whether or not self-attestation would be a valid mechanism of assurance for NY.
Where did he say that? Maybe in an interview somewhere?
I’ve been trying to stay on top of the slippery slope angle, looking for any cracks in the story that the CA bill is just about parental control but so far I haven’t seen any.
I know that Newsom has said that lawmakers should pass some changes to address the practical ambiguities in the bill before it goes into effect, but if anything that seemed more about making sure it has the right carve-outs.
Well, it gets more complex with FOSS projects. The worry is that some contributors, or companies redistributing (with or without contribution) would need to comply if they are based in countries which do implement this law.
Since they can’t tell their government to pound sand, they have to implement these changes somewhere, and that means they have to either fork or to try and upstream them, even if it’s behind a feature flag.
For features like the one proposed by the law discussed here originally, I don’t really see the need for a feature flag, since it can be useful for people who want to self-censor.
For laws that demand actual censorship, yeah, upstream may want to tell people trying to contribute such to pound sand.
There are many instances of people who work for overseas companies where they work on software that doesn’t comply with their local laws.
What immediately comes to mind is the number of European workers that are employed in the US. Their local government doesn’t pursue them for violating GDPR. There would have to be extra laws that state if you engage in activity violating your local laws in other countries then I guess it would be pursuable. In that case actually writing code that would violate the law.
Source: I dealt with a similar concern at a former employer.
Wanted to also mention. Most of these participatory decisions boil down to if people or businesses in California are targeted customers (citation: the cancer warnings on stuff - it’s not everywhere, just common). Like unless you would be explicitly shipping to those places the local law doesn’t really matter.
I haven’t read in depth the legislation but I don’t think there’s a clause that forces users to have to use such an operating system.
They can just use an OS that doesn’t comply. I believe all the onus is on a manufacturer (in this case probably the steering committee/merge privileged users) but again we’re not shipping anything to California. Users in California would download it without warranty or terms.
I genuinely don’t understand how people think open source is affected by this.
We’re saying the same thing, our disagreement is this. If nobody gave a crap about California commercially this would be a big nothing-burger (just like with the GDPR - if you don’t care about the European market, you don’t care about that).
Unfortunately, an example of a vendor with official support for NixOS, including in their home state - which is one of the states introducing this law - would be System76, or Framework.
It might also make NixOS less attractive for vendors like e.g. Valve, who absolutely will have a significant market in California and might feel the impact of enforcement - their use of Arch for their various hardware products alone will probably drive some development that would be naturally picked up by NixOS.
Personally I’d ultimately like to see more vendors switch to NixOS, so reducing the friction as long as it doesn’t actually impact user freedom seems desirable to me.
This isn’t about individual contributors being sued just for writing software, and I doubt the NixOS foundation would be affected - I find this just as unlikely as you do. Even if individual contributors within the relevant jurisdictions start small commercial operations it’s likely to fly under the radar.
I really don’t understand the endless yapping here. If a vendor wants to use NixOS and they need to build this feature they can do it. Beauty of NixOS. It’s modular. They can even do it without forking.
I would be interested in a professional legal opinion on how this will affect open-source operating systems and applications. Since I am not a lawyer, I will refrain from speculation here.
There are two main points in the California bill that stick out and raise some interesting questions that one could ask a lawyer:
Under section 1, 1798.500 (g) the term “operating system provider” is defined: “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general-purpose computing device”.
The question is, how does that apply to the foundation, the steering committee, Github, or sysadmins managing NixOS installations?
Under point (e) a definition of “application store” is given: “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.”
How would this impact the binary cache? Which entities/persons could be held legally responsible here? The NixOS foundation, the CDN provider, the storage provider?
We most likely will get more clarification of such questions since other distributions will face the same issues. However, some above-mentioned entities may have business dealings in California so that we may not be able to avoid this issue completely.
Yes this is the right way to think about it. The nixpkgs source repo is not an operating system, it is source code which someone may use to assemble their own operating system based on their configuration.nix. I use nixpkgs to build my own custom operating system and distribute it to the PCs in my house under my control. So I am the “operating system provider” for my own computers, the thousands of contributors to nixpkgs are not. I live a long way from California so I do not need to worry about this nonsense legislation but even if I were in California I do not see how the state would know or care whether I am verifying my own age when I log into my own PC.
On the other hand, I can see that the binary cache might be in a bit of a pickle since it seems to fall under the definition of an “application store”, silly as that sounds. Hopefully the Linux vendors with enormous legal departments like Red Hat can figure out some reasonable solution which the NixOS Foundation can then follow.
Not gonna lie I haven’t read the lengthy topic, but Bradley M. Kuhn from the Software Freedom Conservancy (the folks who made OpenWRT possible and have been enforcing the GPL in California) actually had a slide about AB 1043 this morning at SCALE 23x (where Planet Nix took place) and he was pretty reassuring, notable points I remember:
The requirement begins 2027-01-01;
Nothing is actually required until the law is interpreted and turned into regulation by the state of California;
The bill can still be updated;
In the context of Debian, Bradley explained modifying adduser to ask the user for their age range and some kind of API for Firefox/Chrome to access that answer would be enough (no id check of any sort is actually required).
Overall Bradley didn’t look concerned by AB 1043 and felt like the reporting by news outlets was bad and overblown. The takeaway seems to be that people can relax a bit.
AV was unfortunately a complete mess in the room this morning and I doubt we’ll get a usable recording.
This is not about how bad it is and if it is an actual privacy nightmare or not.
This is about principle and the beginning of a dystopian world.
Now they say age is sufficient - we comply.
Then when everybody says they are an adult or children use their parents users they demand reforms.
Dystopian worlds never start dystopian. They are turned dystopian by people with sometimes good intentions that are exploited, misused, misinterpreted and reformed.
EDIT: Not to mention what the world becomes if we regulate more and more but never unregulate. At some point we will have trillions of regulations that none can follow anymore.
Well, this is about at least two things. On the political point, I totally agree with you. Another thing it’s about is whether NixOS has to change to comply with the new laws, and that’s what most of this thread is about. I think we should discuss both but separately (I mean being clear about which is which, whether they’re in the same thread or not).
Seems to be mostly done by small niche OSes, so I don’t see a reason for NixOS to follow. It’s probably the easiest way to “comply”, until external tech is available we can just piggyback.