by iamnothere 102 days ago
Who is paying FOSS devs who will be implementing this? Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong? Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place? Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption?

>Who is paying FOSS devs who will be implementing this?

honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.

A large number of maintainers for larger OSS projects are employed by tech companies directly.
Not that large, no.
> Who is paying FOSS devs who will be implementing this

Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.

> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place

The US is a federal system. It's part of our checks and balances.

> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption

No one. This is why organizations with actual security requirements do their own dependency checks.

Linux is the kernel, it has nothing to do with this.

The law apparently targets the packager/distributor of the distribution. Many small distros are hobby distros!

> The US is a federal system. It's part of our checks and balances.

Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.

> No one. This is why organizations with actual security requirements do their own dependency checks.

So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government has not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.

> Many small distros are hobby distros...

Then region lock. You don't have to support California or NY or ...

> Different states are passing different requirements that often contradict each other. This is going to be a nightmare

Create regional feature flags or region lock. It's a solved problem.

> So you’re saying that we should expect those laws too

They already de facto exist contractually speaking.

> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work

The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.

The 2016 election and Jan 6th showed otherwise.

---

The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.

This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.

Edit: can't reply

> Europe realized this with their new infosec liability regulations

European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.

You end up with the same result, but it's essentially regulated via contracts instead of the law.

> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them

That's a decision a lot of governments and organizations are fine with.

OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.

Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.

>> hobby

> You don't have to support

This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.

Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.

> Expecting volunteers to dump time into compliance is ridiculous.

Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)

Many big distributions (Ubuntu, Suse, Fedora) are sponsored by big tech companies, and are not maintained by volunteers.

I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!
> encouraging everyone to openly flaunt the law

> But maybe that’s just me

If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.

Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.

> fighting via lawfare

That is being done.

> and media

You heard about it via the media.

Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!
This is not the first time I read comments from you, I just want to tell you you're probably one of the most annoyingly, reasonably correct person I read. And take it as a compliment, because each time I disagree with you I have to look at my position because I fear being on the wrong side of the argument (which is probably what I find annoying. I want to be unreasonable sometimes!).
I suppose it can be handled like porn: torrenting linux isos will be lewd.
Work on a standardised solution has already been done and proposals are already being discussed. Things aren't moving as fast as they could be because every time something like this hits a front page somewhere a bunch of people have to come in and comment that they dislike the law, but the people behind open source projects don't seem to be bothered by the time they need to put into this. Their employer is probably just paying them to do so anyway.

Linux desktops already have APIs for profile management. This is just another field to add to those APIs.

Very little core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 aren't going to drop California as a customer base to make a statement that no politician will ever listen to.

A number of distros (even some large and well known ones) have signaled noncompliance or do not believe they are impacted due to technical reasons (Gentoo) or jurisdiction (OpenBSD, NixOS). Other US distros are not yet signaling agreement because of uncertainty regarding different laws in different states/countries and potential legal challenges. This is not set in stone and it’s still possible to present a united front of noncompliance.
To be fair, "it's just a fucking hobby" no longer being an excuse has been a long time coming, much in the same way that driving cars or flying airplanes started as just a hobby but became no longer one when practicing it had outsized consequences to non-practitioners.

Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")

You’re arguing against freedom of computing, itself an extension of freedom of thought and freedom of speech. These laws are an attempt to regulate not just what you do with your computer, but how it operates. This is fundamentally an attack on rights and freedoms, and if it goes unchallenged then it will expand into other areas.

Maybe that doesn’t move you; it seems like you don’t care much for personal liberties. (A Euro, go figure.) But this is America and we have constitutional guarantees here.

You have made some fascinating assumptions about the person you are addressing. I recommend refraining from that in the future and instead asking why a fellow American takes a position other than the one you hold.

Two guys built a website to try and help people curb their undesired sexual proclivities and because they were bad at security, their users' personal information (including their own logs of their sexual proclivities) is leaked. They will see no consequences other than "oops, oh well, I guess we're going to shut down our website now and, probably, build another one."

Why is that okay? We've de-facto operated as if it is okay for decades under a notion of "user beware," but that notion is increasingly incompatible with the goals of treating Internet access as a human right because if you let everyone on, you are definitely letting people on who lack the capacity, knowledge, or savvy to beware. And we lack a framework for holding "two guys who just told the world how often you jack off" accountable for their violation of confidentiality.

Individual users become nodes in botnets. Individual users have their identities compromised. Individual users are talked into being kidnapped by anonymous victimizers. Individual users are, increasingly, everyone's concern the moment they connect to a shared network. And, perhaps most significantly to this topic: the Internet does not distinguish between two guys building a hobby app and a professional service.

This specific notion, age-gating access, may not be the right step. But we should be a lot more serious about taking more than zero steps. The time of effing around and pretending there are no consequences to these technologies is over.

What they really fear is general purpose computers that can run free software (free as in not enslaved) without approved backdoors and vetted gatekeepers. Cyberpunk dystopia is coming and is enabled by smartphone cartel: phoneposters don't care what's going on.

Their reason: https://www.aclu.org/news/privacy-technology/government-mand...

> But we should be a lot more serious about taking more than zero steps

No, we shouldn't. There is no inherent need for government regulations in every part of our lives, let alone a computer. Sorry to be flippant, but this idea that everyone needs to have a "serious conversation" about something is laughable and inevitably leads to mountains of government legislation with unintended consequences.

Thanks, but no thanks. We should resist all of this bullshit and try not to become Europe 2.0 where it's illegal to offend people with your speech because some idiot thought that'd be "reasonable" regulation.

In America, we simply have private individuals sue each other in civil court for that rather than state prosecution in criminal court. Close enough.
You still need legal standing for a civil case and the defendant isn't being threatened with jail time or men with guns. Yes, frivolous cases are a thing but it's both unlikely (because money) and not in the same league as criminal prosecution.
If you’re an American and you want to change this, feel free to propose and pass an amendment. That’s the allowable process for changing what the government can and can’t do regarding individual rights.

Edit: removed part of my comment because misunderstood your rambling point about that website, and I guess I have no idea how it relates to OS regulation. Websites are not operating systems. Your ability to tell me how I run my systems stops at my door, especially if I’m not hosting commercial services. Again, that’s just a question of fundamental rights.

Conversely, if you're an American and you want to change this, feel free to propose and pass an amendment that makes regulation of OS as a product the concern of the federal government, as opposed to (as per the 10th Amendment) a state government concern. These regulations are state affairs for the same reason that glyphosate is known in the state of California as a carcinogen (but not other states). Product standards are, generally, a state-level concern. I agree this is inefficient, but the burden to modify the Constitution is on those who would change that inefficiency.

I appreciate the grace in taking a step back on my other comment; I phrased it poorly. Here's my point in better summary: I think we have an issue right now where our hobby has two things that are true that have significant negative societal outcomes. And to be clear, I'm primarily responding to this comment: "Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong?" Because the answer to that is "If these things are true, it doesn't matter."

1. There is very little daylight between professional and hobby coding. That has been one of its virtues: a person with the right idea can garage-hack their way into becoming Fark, or Slashdot, or Craigslist. But the flipside of that coin is that a kid messing around in their garage can cause real consequences for real people they will never even meet. How many websites are falling over from people experimenting with AI crawling right now (at disregard for the existing best-practices for crawling)?

2. A lone actor misusing the machine can have large-impact consequences on strangers. A kid in their basement doing script-kiddie garbage can exfiltrate confidential data, steal someone's electricity to mine Bitcoin, or even just wreck their machine remotely, for fun. A lone actor with no malicious intent but simple negligence can drop a machine on the Internet with all the ports open and become a botnet node. When we have had situations like that in the past, we often use licensure to ensure some minimum standard of care when using the shared resource.

In fairness, what may want to be licensed here is using the Internet, not installing an operating system. I think that's a fair point and state governments trying to move the issue to the OS, not network-connectivity level, are making a mistake.

State governments cannot pass laws that violate freedom of speech. Code is (written) speech, despite attempts to attack this.

If you want to push really hard, we can come up with something extremely verbose (worse than COBOL) that is VERY obviously speech. “Define a variable named x. Set the value of x to 3. Add the value of y to x.”

Outcomes take a back seat to rights. Bad outcomes are sometimes the inevitable consequence of liberty.

If you want to try and license use of public Internet infrastructure, like public roads, go ahead. But most of the Internet is private. Free association and free speech rules, regardless of the occasional difficulties it creates.

Freedom doesn’t flow one way though. Their GDPR example just gives freedom to non-state malefactors to impinge upon user freedoms. You’re crying about 1984 and they’re crying about Neuromancer. An age-old dilemma.

https://theonion.com/the-future-will-be-a-totalitarian-gover...

This site is hosted in America, but in general I think they get the Internet in other countries now.
> driving cars or flying airplanes started as just a hobby

Those still are hobbies, you just need a license for it now. Which makes sense since crashing an airplane is a bit more devastating than crashing a computer. But most hobbies don't need a license and aren't a danger to others.

I think we've reached a point where we're really turning our heads and squinting away from reality if we think that computing is a hobby that no longer poses danger to others.

A person using their own machine can hack all manner of other people's machines without their consent. On the flipside, a person who is not even malicious, but negligent, can configure a machine on the open internet with open ports and become part of a botnet in a half-hour. Perhaps these behaviors imply a level of responsibility that suggests licensing to use the shared resource that is "The internet" is appropriate.

And a person using their pen can hack other people's brains, yet free speech is more important.

I think manufacturers being required to provide longer security update support against hacks etc would be more helpful than violating privacy and restricting access to "protect" people. The amazing protective walled garden of mobile devices has mostly caused people to even forget what filesystems are and normalized subscriptions for the most basic things. A license for internet access or whatever would be an incredibly bad idea for anyone but abusive governments and corporations.

We do, in practice, impose all manner of limitation on free speech while still maintaining the sanctity of that right. Lying in a professional capacity is fraud and punishable even though it's "just words." Being wrong as an engineer or lawyer can cost you your license to practice (as an engineer, even if you never turned a wrench but your directions to build the thing were flawed beyond the reason of the standards of the profession). "Wire fraud" is an aggravation atop regular fraud.

These protections could go further, but they haven't. Why is it just "okay" that someone can call you up on the phone and convince you that your loved one is in mortal peril and you have to wire money to them right now? Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?

> Why is it just "okay" that someone can call you up on the phone and convince you that your loved one is in mortal peril and you have to wire money to them right now?

It is not okay and is in fact a crime. Making it more illegal by forbidding access mainly hurts normal users of the network.

> Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?

Same reason the electric grid is not responsible because it powered the phones, and water is not responsible for generating its electricity in a power plant. The phone network is a medium for communication, and so is the internet. And they can be abused just like air as a verbal communication medium between a scammer and a victim can.

> We do, in practice, impose all manner of limitation on free speech while still maintaining the sanctity of that right.

And we do impose legal limitations on online scams while still maintaining access to the internet. What more do you want?

What are the outsized consequences? They are trying to regulate voodoo.
Simple: the fail2ban jails need the logs to keep away the bots that prevent proper operation. Thus it is technically necessary. And this is explicitly allowed as part of the GDPR.

On the other hand, nobody can help a clueless web dev.