How much do we gotta worry about this Linux "age verification" BS?

If you wanted to know, let’s hop back to ARPANET of 1960s when the US needed to create a network under the sea to compete with USSR. If we like to geoblock California, many of legacy ARPANET computers and protocols won’t works without synchronized transactions between many site. As such, Google won’t works completely includes US Confidential Network in which they also needed for technological warfare. Yes, it can be diverted, but if you came physically to the State and drive a car around the State, you will know how frustrating the construction will be. Anyways, let’s see what you can come up with.

PS: It is national security if trying to geoblock the State.

Additional notes:

1. To geoblock the State, please remember the Berlin Wall.
2. Consider the US is constantly at war, which we are now in.
3. California has a lot of military bases in which requires to connect to the US Confidential Network at all time so everyone could get ready.
4. California is a strategic state which lies on the West Coast, but if severs the connection, it is matter of Constitutional security.

MidnightBSD just announced they are prohibiting California residents to use their OS starting January 1th 2027

d

The Brazilian law , like that passed in other countries, is hugely
different from the Californian. The former sets out requirements on
providers to put in place age verification of users of those services,
and prohibits self declaration. Among other requirements there must be
parental controls in place, a ban on targeted advertising, and a
requirement that under age accounts be linked to a parent or guardiuan
account.

AB1043 is completely different. It sets out a requirement that an
“operating system provider” provide an interface at account setup for
the user to enter age or birth date. This information should be
available to applications by an API so that the application can
determine in to which age bracket the user may fall. The age/dob is
provided by the user - it is envisaged that users may provide inaccurate
information since it is incumbent on the developer of the application to
use internal information where that differs from the reported
age/bracket.

It should be blindingly obvious to any one who actually read the act
that it gives no “personal identifiers”.

Despite all the hand wringing, none of the major distros has put
forward their position: probably they are taking legal advice before
rushing to judgement. That is good advice, that I wish users here would
follow.

Some other remarks:

I know that folk on the internet love drama, but this is beyond. Qubes
has not said that the project will implement anything: nor have RedHat or
Debian. (It cant be Fedora - it would be RedHat who would take any decision
here - a minor point but some one who worries about such things should be
aware of the distinction.)
There are no “unique identifiers” at stake. Nothing sad to see.

Even if RedHat were to provide such a tool and API, and Qubes were
to continue to use Fedora in dom0 and templates, the only data to be
shared would be whatever you input in to that form. (You could, of
course, enter different ages or dates in to the forms for each template
that you used, which would enhance differentiation between your online
personae: dont you do this already?)

A few US states are introducing age verification in different forms. I
have read various opinions (by qualified lawyers, not random handwaving
folk on the internet), that these laws may not be enforceable within the
USA.
In any case, as (I think) Zrubi intimated, we have seen US stupidity
before, and distros found ways around it. The glory days of non-US
Debian could make a welcome return.

It should not need saying but I do not speak for Qubes. Almost every
one of my posts carries such a disclaimer. I hope that Qubes is taking
time to digest legal implications of laws like this, to consider the
responses of larger and better funded organisations, before taking any
decision at all on how to go forward.

Even worse laws may be underway. Draft amendment at the time of writing…

Quote: The New York State Senate: Senate Bill S8102A

(Bold added.)

To require devices to conduct commercially reasonable age assurance for users under the age of 18 at the point of device activation, unlocking the ability to enforce all other digital privacy and safety laws for underage users

• live: https://legislation.nysenate.gov/pdf/bills/2025/s8102a
  • archived: Wayback Machine

Quote: (bold added)

1. “Age assurance” shall mean any method to reasonably determine the age category of a user, using methods that reasonably prevent against circumvention. Such method may include a method that meets the requirements of article forty-five of this chapter, or may be a method that is identified pursuant to new regulations promulgated by the attorney general consistent with section fifteen hundred forty-five of this article

I will keep documenting new information in wiki chapter New York State Senate Bill S8102A as I get to it. More relevant quotes are there. It’s getting really tough legalize.

Whonix adding age verification? - Support - Whonix Forum

AB 1043 applies to any entity that qualifies as an “operating system provider” or “covered application store” under its definitions; it does not distinguish between “base” or “derivative” distributions; “hypervisor”, “dom0”, etc.

Whether a particular Linux or Xen (Qubes) distribution, derivative, or downstream project is an “operating system provider” may depend on who “develops, licenses, or controls” the OS software in practice, which is a fact‑specific inquiry rather than something the statute addresses directly.

Qubes (dom0) may be responsible, may have to comply with this before stable distributions such as Debian do something about this.

Due to the very high penalties, I would hope that Qubes will research this and/or take legal advice.

The answer may be “no” when doing a strict reading of What about privacy in non-Whonix qubes? but let’s see how things will develop.

I don’t see how “move to another operating system” helps against a potential legal issue that affects most operating systems.

Because “it’s a global issue”, not a Fedora issue.

I - as a non-lawyer - have looked in detail into that option.
Prohibiting California residents in the Terms of Service and Geo-Blocking
And concluded:

• Conclusion: A TOS / Geo-Blocking based California prohibition may lower risk in some scenarios, but it might not reliably prevent California use or contacts, and therefore may not be a dependable way to fully avoid legal exposure by itself.

Right. For now. But it may get worse. (The very top of this very post of mine.)

@otter2

It seems like the developer doesn’t have a good way to fight back or ignore such laws.

Boycott.

@adrelanos

Thanks for providing extra info.
Sounds like yet another Overton window.

I just really hope that such stupidity will not spread (to far) from the USA.
As the old non-us (debian) repository was adressing similar USA only ‘restrictions’.
But I might be wrong

Indeed. Hard on those users in boycotted states/countries, unless, of
course, they are prepared to break some licensing and policy agreements.

It might just be possible to include statements prohibiting use in
certain US states or other countries. Many entities already have such
statements to cover cases where (as US entities) distribution would fall
under US Embargoed export. Whether those would be sufficient or
enforceable within the US is a moot point.
Of course, Qubes itself is not an US entity, so would be looking
at formulations to govern the reverse flow. (Into the US rather than
export from US.) It’s ironic that the US, a country that has often used
its laws to restrict software use abroad, could find itself subject to
similar restrictions.

All of this is speculation. When Debian provided non-us repositories
(in the Netherlands, I think), this was considered enough to circumvent
US export controls. So it might be enough to provide software in
US repositories that includes the dreaded age check, and in mirrors
outwith the US that does not. There would be no way to stop US users
from downloading from non-US mirrors if they were so motivated, but this
might be enough to show good faith on the part of the developers.

The legal frameworks here are complex, and the situation is untested. I
am sure that better minds than ours are working on this as I write.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Thanks all for your helpful replies. I’m still depressed. It’s like we’re watching tech be destroyed and there isn’t a god damned thing we can do about it. It’s not even partisan since both fxcking sides want shxt like this. Can’t blame orange man this time. It’s bipartisan authoritarianism. I doubt anyone’s consciously voting for this. That old Soviet joke is making more and more sense now: America truly is a one-party state with two parties. When is it appropriate to start calling for a people’s revolution against this despicable medieval political system? Or is there another solution?

Okay so I set my age to 1970-01-01 but what about the next rxtarded law? FFS. I better start bulk downloading information in preparation for the day I’m kicked out and I recommend all fellow paranoids start doing the same. I’m gonna need more 21tb seagates…

Here is a potential idea:

An open letter on the position of security and privacy scientists and
researchers on Age assurance.
https://csa-scientist-open-letter.org/ageverif-Feb2026

I started a meta-topic in the Privacy Guides Community:

@null from there provided a related topic from Fedora Discussion:

Been following that thread… looks like it has fully devolved into capitulation now. Bending the knee so damn quickly. Absolutely disgusting.

It’s whatever, man. I’m more of a Debian guy so I’m ing whatever they do isn’t too much of a pain in the ahh to remove. I definitely won’t be using an age-gated computer in this lifetime, specially not one I built. Like bruh, what’s next? My toaster asking me about my damn marital status?

But you know what, I’m not so angry about how this affects me personally. I’m already dedicated to inconveniencemaxxing. I’m already used to things being 15x harder than they need to be. This would make it 16x. Boo hoo, I can get over it. What I’m really boiling about is what this will do to the children. I got into computers pretty young and pretty hard, but maybe I wouldn’t have if the computers I had available to me at the time only showed sanitized baby-friendly content. I have previously pondered this regarding kids who grow up with smartphones instead of computers, but now the way things are going there will be no escape. How is the child of the future supposed to spark an interest in computing when all they see on the screen is fxcking tiktok with AI slop ads and the alternative is so niche that they may never run into it? I feel personally attacked on behalf of all future generations of computing enthusiasts. This is a fxcking state-sponsored war against our entire breed and the sooner we start treating it like what it is the better. None of this is about protecting children. It’s about making them dumb and it’s about making the rest of us slaves.

It’s a bit offtopic and i really hate to tell you …

bits from DPL

What’s the deal? Should I be worried about something specific regarding Debian besides this age crap?

The beginning of that discussion on the mailing list is about increasing age diversity among Debian contributors:

1. Debian needs to become more diverse
======================================

In recent discussions, concerns were raised about the diversity within
our project - not only regarding gender and geographic distribution, but
also age. I do not have comprehensive data to confirm or refute these
perceptions. However, even the perception itself is worth reflecting on.
If members of our community feel that certain perspectives are
underrepresented, we should take that seriously.

When we speak about diversity in Debian, we often focus on gender and
geographic distribution. Both remain important. A project that aims to
serve users worldwide should reflect different backgrounds,
perspectives, and lived experiences.

But diversity also includes generational diversity. We need contributors
at different stages of life: people bringing decades of experience, and
people just starting their technical journeys. A healthy mix ensures
continuity, fresh ideas, mentorship, and long-term sustainability.

@qubist

Preventing use of OS in California is not “fighting back”. It helps them as much as installing age-declaration mechanism into the system, because the goal is to be able to verify age in California. From OS perspective this is also a dead end, because it means:

• People of California won’t be able to use whatever benefit an operating system provides.
  OS becomes mostly extinct in California. Sure, we may choose to not care about them.
• Following this track (assuming the worst: all other regions will eventually implement equivalent laws) OS becomes essentially illegal. Not only this is a problem for the users, but also provides reasonable justification to actually make something like this illegal and actively punish the developers.

Running away is not fighting back.

The fact this much energy has been spent on this stupid law already is already too much.

MidnightBSD’s approach of just updating their license to exclude California residents seems like the best approach - given all the uncertainty around the law atm, just take 5 minutes to update the license and call it a job done.

Don’t spend hours debating the issue when the law itself is unworkable. Just take the easiest and least harmful approach

GrapheneOS devs to Californian politicians: punch sand

We’re under no more obligation to filter the internet for California than we are to do it for China. Neither blocks access to the GrapheneOS website or services. If California wants to block access to those then they’re welcome to pass a law implementing their own Great Firewall. The most action they could get from us is replacing Los Angeles and San Jose servers with Las Vegas or Seattle

This is the attitude I hope to see. Don’t capitulate to your oppressors. Resist