Guide on how to comply with California's "Age Verification" AB1043 as a software developer:
What to do:
* Don't give a shit because you don't live in California.
* If you live in California, leave California.
* If leaving is not an option, wait until a legal precedent for compliance has been set and implement the minimum requirements of the bill into your software (a very simple age bracket selection box during install will probably do more than enough).
What not to do:
* Already start proposing stupid and extremely deep implementations into xdg-desktop or d-bus. (Ubuntu)
What absolutely not to do:
* Freak the fuck out and relicense your entire codebase to a non-free software license because of a law not going into effect for another year while you don't even live in California... (MidnightBSD)
> At least on porn sites it's a yes/no question and there's nothing to gain from that question.
> But apparently requiring to put your age into an OS on install, which then can quickly be queried and possibly exfiltrated via malware is not a freedom related issue.
Do you have reading comprehension? This is Ubuntu's solution and I put them under my "What not to do" section.
@phnt@pl.borked.technology I'm not even sure if that part is even required, as it refers to app stores and such. GNU/Linux usually doesn't have these (unless you use Ubuntu with Snap garbage I guess) so that wouldn't even apply.
> A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
In legalese this means you have to check the user's age at least once when the app is first launched. That covers all apps.
>“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
>“Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
This in legalese means also all package repositories for Linux distros and ports trees for BSDs. Debian's apt repositories are a "Covered application store" under this law.
>“Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
> (a) An operating system provider shall do all of the following:
>(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
This means, if a user downloaded an app from a repository, the OS must provide an API to that application for the purpose of signalling the user's age.
In other words, you have to implement a system-wide API on a low level where any application that doesn't come pre-bundled with the OS has to request the age indication of a user at least once on first start up.
> Debian's apt repositories are a "Covered application store" under this law.
No, this does not count. Your legalese skills are lacking.
You're missing one important detail:
> applications from third-party developers
All packages in Debian's repo are official Debian packages maintained by Debian developers. They are not third party in this context any more and do not need age verification.
So how I read this is the definition of “Covered application store” only applies to crap like Flathub, Snap and AUR and shit (anywhere third parties can actually upload the packages), but not the official repos that tend to be only uploaded by first party maintainers.
And speaking of more legalese shittery:
> Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both
You can also argue that this does not apply to most GNU/Linux distros because they do not have accounts.
The definition of what an "account" means is unfortunately not defined in the bill, but it should be very easy to argue that initializing a posix uid and making a folder called "/home" is definitely not the same thing as registering a Microsoft/Google/Apple account.
You do not have to create this interface, because this interface only needs to be "at account setup". Therefore if there never is an "account setup" there never needs to be "an interface".
@SuperDicq >No, this does not count. Your legalese skills are lacking.
It definitely is. It is an online service that facilitates and distributes downloading of software from third-party developers.
>All packages in Debian's repo are official Debian packages maintained by Debian developers. They are not third party in this context any more and do not need age verification.
Objectively false. The software isn't maintained and developed by Debian in 90% of cases. It is only packaged by Debian.
>You can also argue that this does not apply to most GNU/Linux distros because they do not have accounts.
man useradd and look for the mention of "account"
@phnt@pl.borked.technology Depending on how you look at it there either is no "operating system provider" because all packages have different developers (GNU/Linux/Systemd/etc.), so no rules apply
Or the "operating system provider" is Debian, because they put them all together and made the distro. Which includes everything in their repository, so there is no third party.
@phnt@pl.borked.technology Really?
So when is it "Debian" and when is it "third party"?
Either everything is third party or everything Debian.
And inb4 only the software on the installation image is Debian and the rest is third party. That doesn't count because you can also download the full Debian installation image that contains every single package.
>So when is it "Debian"
When it is the OS as distributed in its minimal form for it to be legally called Debian, ie likely debootstrap.
>and when is it "third party"?
Every package that isn't maintained and developed by Debian, so basically everything that isn't dpkg/apt. Kernel and systemd are also third parties on your system.
And even still if you go the route you suggest that Debian is fully first-party. Mirrors of it aren't except those maintained by Debian.
It's like saying that everything in the Windows store is first-party because Microsoft provides the infra and chooses what to allow and therefore kinda maintains it.
You also have to understand that these interpretations are made by a judge, not by someone that maintains Debian. Those maintainers only give input on how it should be interpreted.