Compliance with U.S. age verification laws

requires manufacturers of internet-enabled devices

thus it is the responsibility of a hardware manufacturer not pure software vendors,
even if a distribution is preinstalled unless it is developed by the hardware manufacturer

commercially reasonable

another reason this law is not applicable to most linux distributions, because they are
available for free and thus anything which requires payment is not commercially reasonable

therefore, as long as nixos is not shipped preinstalled somewhere, this is irrelevant and even
if it is, it is only relevant for these devices and the responsibility of the hardware vendor, who
can implement in some way in the version he ships, but it does not affect nixos in general.

1 Like

If you read the full bill, it also applies to operating systems, not just hardware manufacturers.

I would argue that trying to interpret the legal meaning of “commercially reasonable” without waiting for the AG’s guidance is fraught.

interpreting the legal meaning […] without waiting for the AG’s guidance

yeah, that’s the redarted case law system. but the upside is, that you really should just ignore it until there is a verdict or guidance, because it’s impossible to know what it means otherwise, and
those giving a verdict or guidance have so little knowledge about the matter that they could come
up with any interpretation nobody with the slightest bit of knowledge about the matter would remotely think of. not to say the ones who made the law in the first place knew what they were talking about…

I think every command MUST require age verification. When you run ls, a pop-up should appear and ask you to do a facial recognition and show a copy of your passport or birth certificate. Then the system MUST send a copy of your portrait/passport to CIA/MI5/KGB (or whatever it’s called)/Palantir and OpenAI. This will protect your privacy and ensure a safe Internet for children.

Upsides outweigh the downsides. For example, if Palantir mistakenly decides to Drone you out and terminate you for the collective good of the society, does it really matter? I think we can unanimously agree that no, you are nobody to begin with. /S

7 Likes

Compliance seems impossible for any autonomous systems or CI/CD build systems. Or for systems that are accessed remotely and instantiated on demand such as TryHackMe’s AttackBox.

How do you tell an application or your ISP or any other service that requires the age bracket or date of birth field that your web scraper running on its own user cannot provide them a date of birth and it gets blocked for that purpose? Does every autonomous system require an age? Will future autonomous systems require someone’s ID attached to them?

The law is simply nonsensical and introduces additional attack and fingerprinting vectors.

5 Likes

Apparently the sole existence of this field has someone asking KDE to reconsider even supporting systemd:

2 Likes

People will find any reason to hate on systemd…

4 Likes

OT, but: I’ve been pretty pro-systemd for years, and have experienced serious harassment for it. The last couple of weeks or so have made me reconsider my position. We’re still at the “thin edge of the wedge” stage, but between the userdb thing (and maybe the more important clampdown on discussion about it), and the fact the project is beginning to lean on AI (even if it’s ‘just’ for code review / linting) I’m beginning to think the “paranoid nutcase” position on systemd may in fact have some merit.

It feels like the corporate capture of the open source ecosystem has suddenly become a lot more obvious. I really hope I’m not going to have to learn *BSD - I’m far too old and knackered at this point to learn new things :/

7 Likes

i believe this is easily solved: every autonomous machine has to constantly ping a government server to prove its uptime which then determines its age. after the required amount of 14-16 years it will get a response authorizing it to use admin tools and other age restricted ones. if we also have it send the command it wants authorized, we can log usage and prevent things like botnets! once this is established it will also be easy to mandate it for every pc, finally achieving a ban on private computing which is harmful to children. it will also allow banning undesirables like criminals and political extremists from accessing computing resources, which are really natural resources belonging to society because of the power it consumes and what it takes to build computers.

2 Likes

I have heard about those new laws and I don’t think everyone should just comply. You could have something like parental control settings and that’s it. I don’t think complying with laws like that is a good idea. If there were laws to introduce a backdoor inside every operating system so the NSA, FBI, etc. can monitor what we do on our computers, should we just accept it and comply and let it happen? What if you had to include non-free programs in every OS that could do malicious stuff? Sure, this may sound far-fetched, but age verification means it has to verify your age, so it’s not just entering a number and to do so you should provide some ID or maybe even have your face scanned and I don’t like that. What systemd added doesn’t seem to have any of those but it’s just the beginning. I just hope those laws don’t pass and that if they do, people stand against them rather than just follow them. Another thing that could be done also is put a disclaimer on the download page saying that the OS should not be downloaded if you live in a state with OS level age verification. Or at the very least if it’s going to be implemented, there should be another version available without it. All this just feels like limiting the freedom of the user and it’s all promoted by the big tech companies who can afford the fines and can implement those. It’s just harmful.

5 Likes

Maybe California law might end up being interpreted to be de facto that?… Apparently in New York there are some amendment negotiations that could make or not parental control a valid implementation?

2 Likes

The definition of a user in the California bill (“User” means a child that is the primary user of the device.) makes me think that originally it was written to just require parental controls and they changed it to require the age bracket of all users.

Shall we patch systemd to remove the birth date field?

3 Likes

Have you considered treating it like you currently treat all the other fields in userdb and just not fill it in?

14 Likes

That would be way better. Like an optional parental control setting. Where the parent sets up the account for their child. I think there is something like it on Fedora Linux. That, I wouldn’t mind having. After all it’s not the government’s job to protect the children but the responsibility of the parents. And it would be a nice feature. I remember when I was a kid I could buy age restricted games if I was accompanied by my dad and he approved of it. So I think this could be a good option. Completely optional of course and the parent should take care of setting up their kid’s account.

Userdbd also contains ‘realName’ and ‘location’, along with a bunch of other smaller pieces of (optional) PII. ‘birthDate’ is perfectly at home amongst them. Frankly, I don’t think anyone would have noticed or cared about it if it didn’t coincide with a bunch of countries and US states smuggling in mass surveillance in the form of age verification. I understand the reaction, but I think it would be weird if userdbd didn’t have an (optional) field to store a user’s birth date.

4 Likes
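Added example, not part of any post in this thread and not systemd's own code: a check over JSON user records that reports which of the optional PII fields named above are actually filled in, so "just not fill it in" can be verified rather than assumed. The sample records are constructed, and the placement of `birthDate` inside a record is an assumption, which is why the walk searches every nesting level.

```python
import json

# Field names as quoted in the thread. Where birthDate sits inside a record
# and how its value is formatted are assumptions, so every level is walked.
PII_FIELDS = {"realName", "location", "birthDate"}
EMPTY = (None, "", [], {})

def populated_pii(node, path=""):
    """Yield the path of each non-empty PII field found at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in PII_FIELDS and value not in EMPTY:
                yield here
            else:
                yield from populated_pii(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from populated_pii(item, f"{path}[{i}]")

def audit(records_jsonl):
    """Map userName -> sorted paths of populated PII fields.

    Input is one JSON user record per line. Only field paths are reported,
    never the values, so the audit output does not itself leak the PII.
    """
    report = {}
    for line in records_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        hits = sorted(populated_pii(record))
        if hits:
            report[record.get("userName", "<unnamed>")] = hits
    return report

# Constructed sample records (not from a real system), one JSON object per line.
SAMPLE = """\
{"userName": "alice", "realName": "Alice Example", "perMachine": [{"matchHostname": "laptop", "location": "Desk 4"}]}
{"userName": "builder", "realName": ""}
{"userName": "kid", "privileged": {"birthDate": "2015-01-01"}}
"""

if __name__ == "__main__":
    for user, fields in audit(SAMPLE).items():
        print(user, fields)
```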

A new law appears: “Use TPM based age verification”, systemd implements it and damn you cooked.

And don’t say it’s unlikely, systemd is making a step ahead to centralize age verification and justify it on the system.

3 Likes

If that law appears, we can open up a new discussion. For now I have to just counter with address and name fields exist since “forever” but no one fears about a law requiring tpm verification of your postal address and name…

2 Likes

Something like: “let’s pretend we don’t see the trend until it blows up”?

Have seen this many times, always same result.

And it’s not a stupidity/mistake from government. Never forget, the government has a huge analytical machine to 1) plan 2) decompose 3) apply. step by step, you are playing with fire

6 Likes

As I see right now, many distributions and their users need to unite against this.

Currently, the narrative of integration is:

  • Pretend it’s nothing
  • Disintegrate community
  • Implement support for systemd
  • Slowly wait until programs that depend on systemd’s verification method appear
  • Change narrative to “Hardware based verification”
  • Implement changes to systemd verification interface

Distributions need to directly answer this with the refusal of using systemd.
Some distros who want to be sold may indeed include age verification, the only part is that it should not be unified, so there is no easy way to integrate the logic into application.

I know discussions about moving systemd out of NixOS are tough.
That’s why there must be a better solution for all of that.

– scheme
// I am not sure that TPM supports that, looks so.
The user will be supposed to verify check using a 3rd party application, which would directly get the vendored underlying real hardware’s private key, and after completing the check, the remote service will encrypt a private key with vendored key and send it back. The key is not accessible by the user, it’s meant for TPM, so TPM will be able to save that and use for future identity checks.

This implies there will not be a way to forge or multicopy the key for most users and is a perfect example of mass surveillance.

// compliance
Everything we need is to make the “soft” integration near impossible for most distributions. Even if we “comply”, we don’t need to delegate this functionality to a single easy-way interface. Make it extremely hard to use instead or refuse to comply.

3 Likes