[alephnerd]

> Who is paying FOSS devs who will be implementing this

Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.

> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place

The US is a federal system. It's part of our checks and balances.

> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption

No one. This is why organizations with actual security requirements do their own dependency checks.

[iamnothere]

Linux is the kernel, it has nothing to do with this.

The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!

> The US is a federal system. It's part of our checks and balances.

Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.

> No one. This is why organizations with actual security requirements do their own dependency checks.

So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.

[alephnerd]

> Many small distros are hobby distros...

Then region lock. You don't have to support California or NY or ...

> Different states are passing different requirements that often contradict each other. This is going to be a nightmare

Create regional feature flags or region lock. It's a solved problem.

> So you’re saying that we should expect those laws too

They already de facto exist contractually speaking.

> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work

The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.

The 2016 election and Jan 6th showed otherwise.

---

The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.

This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.

Edit: can't reply

> Europe realized this with their new infosec liability regulations

European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.

You end up with the same result, but it's essentially regulated via contracts instead of the law.

> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them

That's a decision a lot of governments and organizations are fine with.

OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.

Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.

[NegativeK]

>> hobby

> You don't have to support

This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.

Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.

[bigfishrunning]

> Expecting volunteers to dump time into compliance is ridiculous.

Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)

Many big distributions (Ubuntu, Suse, Fedora) are sponsered by big tech companies, and are not maintained by volunteers.

[iamnothere]

I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!

[alephnerd]

> encouraging everyone to openly flaunt the law

> But maybe that’s just me

If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.

Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.

> fighting via lawfare

That is being done.

> and media

You heard about it via the media.

[iamnothere]

Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!

[orwin]

This is not the first time I read comments from you, I just want to tell you you're probably one of the most annoyingly, reasonably correct person I read. And take it as a compliment, because each time I disagree with you I have to look at my position because I fear being on the wrong side of the argument (which is probably what I find annoying. I want to be unreasonable sometimes!).

[LtWorf]

He's completely incorrect in saying that most free software developers work for some USA megacorp.