This is a great post, but obviously it hasn’t convinced me: The folks waving their arms and yelling about recent models’ capabilities have a point: the thing works. This project finished in three weeks. Compare that to Ringspace, a similarly-sized project that took me about six months of nights and early mornings to complete, while not doing my day job or being Dad to an amazing, but demanding toddler. I simply could not have built this project as well or as quickly without help. And as other developers have noted, this is the help that’s showing up. I’m not entirely onboard with Mike Masnick’s optimistic view of this technology’s democratizing power. I don’t think it’s as easy to separate the tech from its provenance or corporate control. But CertGen, my certificate application, exists now. It didn’t and couldn’t without the help of a tool like Claude Code. Open source in particular needs to reckon with this, because the current situation of demanding developers starve and bleed themselves dry without support isn’t tenable. We need to grapple with this. I’m not yet sure how it all breaks down, and anyone who says they do is lying, foolish, or fanatical. ↫ Michael Taggart If you disregard that “AI” models are trained on stolen data, that such data was prepared by exploited workers, that “AI” data centres have a hugely negative impact on the environment, that “AI” data centers are distorting the entire computing market, that “AI” models they feed the endless firehose of intentional misinformation, that they are wreaking havoc in education, that they increase your reliance on American big tech companies, that you pay “AI” companies for taking your work, that “AI” models are a vital component in the technofascist wet dreams of their creators, that they are the cornerstone of politicians’ dream of ending anonymity, and that they contribute to racist and abusive policing, then yes, sometimes, they produce code that works and isn’t total horseshit. It’s a deeply depressing reversed “what have the Romans ever done for us?” that makes me sad, more than anything. I’ve seen so many otherwise smart, caring, and genuine people just shove all of these massive downsides aside for the mere novelty, the peer pressure, the occasional sense that their “lines of code” metric is going up. It’s the digital equivalent of rolling coal.
If you’re using Windows or macOS and have Adobe Creative Cloud installed, you may want to take a peek at your hosts file. It turns out Adobe adds a bunch of entries into the hosts file, for a very stupid reason. They’re using this to detect if you have Creative Cloud already installed when you visit on their website. When you visit https://www.adobe.com/home, they load this image using JavaScript: https://detect-ccd.creativecloud.adobe.com/cc.png If the DNS entry in your hosts file is present, your browser will therefore connect to their server, so they know you have Creative Cloud installed, otherwise the load fails, which they detect. They used to just hit http://localhost:<various ports>/cc.png which connected to your Creative Cloud app directly, but then Chrome started blocking Local Network Access, so they had to do this hosts file hack instead. ↫ thenickdude at Reddit At what point does a commercial software suite become malware?
RNG systems have a far stronger effect on the platforms we use every day than most people realize. Every time you shuffle a Spotify playlist, the order you get isn’t chosen by a human or a fixed sequence; it is generated by a random number generator working silently in the background. That single shuffle call touches cryptographic logic engineered to be genuinely unpredictable, and the same class of technology powers everything from secure logins to financial transactions. RNG systems are also a cornerstone of the entertainment industry, especially when you look at the casino space. Popular platforms like MrQ Casino use verified random number generators so that every game outcome is fair and cannot be manipulated in advance. But how do these systems actually work? That question rarely gets a straight answer, and the mechanics behind it are worth understanding properly. What Makes a Number Truly Random Most people assume that computers, being deterministic machines, cannot produce real randomness. That assumption is largely correct; standard software algorithms produce what are called pseudo-random numbers. A pseudo-random number generator (PRNG) takes a starting value, called a seed, and runs it through a mathematical formula that produces a sequence of numbers that appears random but is entirely repeatable if you know the seed. This is useful for many applications, but it has an obvious weakness: if someone can figure out or predict the seed, they can predict every number the system will produce. For low-stakes tasks like generating a random color in a UI element, that risk is acceptable. For anything involving money, security, or fairness, it is not. Cryptographically secure pseudo-random number generators solve this problem. They combine traditional algorithmic generation with entropy: unpredictable data collected from the hardware’s physical environment. Sources of entropy include the precise timing of keystrokes, mouse movement patterns, variations in disk read latency, and even thermal noise from hardware components. The result is a seed that no outside observer can realistically reconstruct, which makes the output statistically and practically indistinguishable from true randomness. RNG in Financial Systems and Cryptography The most obvious use of RNG is in public-key cryptography, which underpins virtually all secure communication on the internet. When your browser establishes an HTTPS connection, both sides generate large random numbers to create session keys. These keys encrypt the data traveling between you and the server. If the random numbers used to generate those keys were predictable in any way, an attacker could decrypt the entire session. Financial trading platforms face a different but related challenge. The quality of the random numbers used to feed those simulations directly affects the accuracy of the risk models. Poor RNG means poor risk assessment, which can translate into real financial losses at scale. RNG Verification and Auditing For any system where fairness is a public concern, whether that is a gaming platform, a lottery, or a randomized clinical trial, independent verification of the RNG is standard practice. Testing labs use statistical test suites, the most established being the NIST SP 800-22 suite, which runs a battery of tests designed to detect non-randomness in generated sequences. Passing these tests does not prove a sequence is random, but it does confirm that no detectable pattern exists across millions of samples. Beyond statistical testing, some platforms use provably fair systems where the random seed for an outcome is committed to before the event and revealed afterward. Users can then verify that the outcome was determined by the committed seed and was not changed after the fact. This approach gives users genuine cryptographic proof of fairness, rather than asking them to simply trust the platform’s claims. Hardware random number generators, or HRNGs, take a different approach entirely. Rather than using software algorithms, they measure genuinely non-deterministic physical phenomena (quantum events, radioactive decay, or photon behavior). HRNGs are used in high-security environments where even the theoretical predictability of a CSPRNG is unacceptable. Why This Technology Will Only Grow in Importance As digital systems take on more consequential roles (managing healthcare records, executing financial contracts, running infrastructure), the integrity of their random number systems becomes more critical. Quantum computing adds a new dimension to this concern. Many current cryptographic protocols rely on mathematical problems that quantum computers could, in theory, solve quickly. The cryptography community is actively developing post-quantum algorithms, and secure random number generation sits at the foundation of all of them. Understanding RNG is not just a technical curiosity. It is the basis of trust in digital systems. Every time a platform makes a decision that affects you, there is a good chance a random number is involved. The quality of that number determines whether the system is truly fair or merely claims to be.
An ultra-lightweight real-time operating system for resource-constrained IoT and embedded devices. Kernel footprint under 10 KB, 2 KB minimum RAM, preemptive priority-based scheduling. ↫ TinyOS GitHub page Written in C, open source, and supports ARM and RISC-V.
Another major improvement in Redox: a brand new scheduler which improves performance under load considerably. We have replaced the legacy Round Robin scheduler with a Deficit Weighted Round Robin scheduler. Due to this, we finally have a way of assigning different priorities to our Process contexts. When running under light load, you may not notice any difference, but under heavy load the new scheduler outperforms the old one (eg. ~150 FPS gain in the pixelcannon 3D Redox demo, and ~1.5x gain in operations/sec for CPU bound tasks and a similar improvement in responsiveness too (measured through schedrs)). ↫ Akshit Gaur Work is far from over in this area, as they’re now moving on to “replacing the static queue logic with the dynamic lag-calculations of full EEVDF“.
You’d think if there was one corner of the open source world where you wouldn’t find drama it’d be open source office suites, but it turns out we could not have been more wrong. First, there’s The Document Foundation, stewards of LibreOffice, ejecting a ton of LibreOffice contributors. In the ongoing saga of The Document Foundation (TDF), their Membership Committee has decided to eject from membership all Collabora staff and partners. That includes over thirty people who have contributed faithfully to LibreOffice for many years. It is interesting to see a formal meritocracy eject so many, based on unproven legal concerns and guilt by association. This includes seven of the top ten core committers of all time (excluding release engineers) currently working for Collabora Productivity. The move is the culmination of TDF losing a large number of founders from membership over the last few years with: Thorsten Behrens, Jan ‘Kendy’ Holesovsky, Rene Engelhard, Caolan McNamara, Michael Meeks, Cor Nouws and Italo Vignoli no longer members. Of the remaining active founders, three of the last four are paid TDF staff (of whom none are programming on the core code). ↫ Micheal Meeks The end result seems to be that Collabora is effectively forking LibreOffice, which feels like we’re back where we were 15 years ago when LibreOffice forked from OpenOffice. There seems to be a ton of drama and infighting here that I’m not particularly interested in, but it’s sad to see such drama and infighting result in needless complications for developers, end users, and distributors alike. As if this wasn’t enough, there’s also forking drama in OnlyOffice land, the other open source office suite, licensed under the AGPL. This ope source office suite has been forked by Nextcloud and IONOS into Euro-Office, in pursuit of digital sovereignty in the EU. It’s also not an entirely unimportant detail that OnlyOffice is Russian, with most of its developers residing in Russia. Anyway, the OnlyOffice team has not taken this in stride, claiming there’s a violation of the AGPL license going on here, specifically because OnlyOffice adds contradictory attribution terms to the AGPL. It’s a complicated story, but it does seem most experts in this area seem to disagree with OnlyOffice’s interpretation. We’re in for another messy time.
This is the first of a series of articles in which you will learn about what may be one of the silliest, most preventable, and most costly mishaps of the 21st century, where Microsoft all but lost OpenAI, its largest customer, and the trust of the US government. ↫ Axel Rietschin It won’t take long into this series of articles before you start wondering how anyone manages to ship anything at Microsoft. If even half of this is accurate, this company should be placed under some sort of external oversight.
I assume I don’t have to explain the difference between big-endian and little-endian systems to the average OSNews reader, and while most systems are either dual-endian or (most likely) little-endian, it’s still good practice to make sure your code works on both. If you don’t have a big-endian system, though, how do you do that? When programming, it is still important to write code that runs correctly on systems with either byte order (see for example The byte order fallacy). But without access to a big-endian machine, how does one test it? QEMU provides a convenient solution. With its user mode emulation we can easily run a binary on an emulated big-endian system, and we can use GCC to cross-compile to that system. ↫ Hans Wennborg If you want to make sure your code isn’t arbitrarily restricted to little-endian, running a few tests this way is worth it.
I don’t like to cover “current events” very much, but the American government just revealed a truly bewildering policy effectively banning import of new consumer router models. This is ridiculous for many reasons, but if this does indeed come to pass it may be beneficial to learn how to “homebrew” a router. Fortunately, you can make a router out of basically anything resembling a computer. ↫ Noah Bailey I genuinely can’t believe making your own router with Linux or BSD might become a much more widespread thing in the US. I’m not saying it’s a bad thing – it’ll teach some people something new – but it just feels so absurd.
Why do so many people keep falling for the same trick over and over again? With an over $400 billion gap between the money invested in AI data centers and the actual revenue these products generate, Silicon Valley slowly returned to the tested and trusted playbook: advertising. Now, ads are starting to appear in pull requests generated by Copilot. According to Melbourne-based software developer Zach Manson, a team member used the AI to fix a simple typo in a pull request. Copilot did the job, but it also took the liberty of editing the PR’s description to include this message: “⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast.” ↫ David Uzondu at Neowin It turns out that Microsoft has added ads to over 1.5 million Copilot pull requests on GitHub, and they’re even appearing on GitLab, one of the GitHub alternatives. The reasoning is clear, too, of course: “AI” companies and investors have poured ungodly amounts of money in “AI” that is impossible to recover, even with paying customers. As such, the logical next step is ads, and many “AI” companies are already starting to add advertising to their pachinko machines. It was only a matter of time before Copilot would start inserting ads into the pull requests it ejaculates over all kinds of projects. This isn’t the first time a once-free service turns on its users, but it’s definitely one of the quickest turnarounds I’ve ever seen. Usually it takes much longer before companies reach the stage of putting ads in their products to plug any financial bleeding, but with the amount of money poured into this useless black hole, it really shouldn’t be surprising we’re already there. I’m sure Copilot’s competitors, like Claude, will soon follow suit. They’re enshittifying Git, and developers are just letting it happen. No wonder worker exploitation is so rampant in Silicon Valley.
By reimplementing these features using capabilities, we made the kernel simpler by moving complex scheme and namespace management out of it which improved security and stability by reducing the attack surface and possible bugs. At the same time, we gained a means to support more sandboxing features using the CWD file descriptor. This project leads the way for future sandboxing support in Redox OS. As the OS continues to move toward capability-based security, it will be able to provide more modern security features. ↫ Ibuki Omatsu Redox seems to be making the right decisions at, crucially, the right time.
Of course, it was only a matter of time before the time-honoured tradition of the demoscene also got infected by “AI”. For me personally, generative AI ruins much of the fun. I still enjoy creating pixel art and making little animations and demos. My own creative process remains satisfying as an isolated activity. Alas, obvious AI generated imagery – as well as middle-aged men plagiarizing other, sometimes much younger, hobbyist artists – makes me feel disappointed and empty. It’s not as much about effort as it is about the loss of style and personality; soul, if you will. The result is defacement, to echo T. S. Eliot, rather than inspired improvement. Even in more elaborate AI-based works, it’s hard to tell where the prompt ends and the pixelling begins. ↫ Carl Svensson A wonderful explanation of the rather unique views on originality, stealing, plagiarism, and related topics within the demoscene, which certainly diverge from many other places.
There’s a quiet philosophical change happening in how software systems think about the people using them. For most of computing’s history, the assumption was simple: identify yourself, then get access. But that default is eroding, and not because of any single decision. It’s the accumulated result of years of design choices that prioritize function over identity. Linux has always been the clearest example. Install any major distribution today, and you’ll encounter zero mandatory identity checks. No account linked to a phone number. No government ID. Just a username you invented five minutes ago and a password. That design philosophy, anonymous by default, was once considered a quirk of open-source culture. Increasingly, it looks like a template. Why have OS setup screens stopped asking who you are The transition away from identity-linked setup flows started with a practical problem: verification creates friction, and friction drives users away. Early versions of Windows and macOS tied activation to hardware fingerprints and product keys, but neither actually confirmed human identity. Over time, optional cloud accounts replaced mandatory registration, and many users simply skipped them entirely. What drove this further was developer pressure. Distributing software through curated stores meant the platform, not the individual app, handled authentication. The app itself no longer needed to know who you were, only whether you had a valid install. That separation quietly removed identity from the core OS experience. How sandboxing replaced trust-based identity models Sandboxed environments, think macOS app containers or Flatpak on Linux, operate on a different logic entirely. Instead of trusting a user’s identity, the system trusts nothing by default and grants access only to explicitly declared resources. It’s a permission model, not an identity model. The difference matters enormously in practice. This same logic has spread well beyond desktop software. Platforms built around pseudonymous or permissionless access now span everything from developer APIs to financial tools. No KYC Casinos, for example, are one visible example in the online casino space, where operators have adopted the same permissionless-access philosophy. Using blockchain and crypto’s decentralised nature, these online platforms are validating capability rather than identity. It’s similar to how sandboxed apps request only what they need, without requiring the user to prove who they are first. Where anonymous access is spreading beyond computing The irony is that this drift toward anonymous-by-default design is now colliding with serious legislative pushback. A bipartisan US House bill introduced in April 2026 would require OS providers running Windows, macOS, and Linux distributions to verify every user’s age at setup. California has already moved separately, mandating that OS providers collect age data and share categorized results with apps. Privacy researchers have flagged real concerns here. Moving verification into the OS layer hands an extraordinary amount of user data to a small number of platform companies, Apple, Google, and Microsoft, whose decisions then affect billions of people. The Proton blog analysis from 2026 outlines how this concentration of identity infrastructure creates systemic privacy risks that app-level verification never could. What this means for software design going forward The tension between these two directions, systems engineered to know less about you versus legislation demanding they know more, is going to define OS development through the rest of this decade. Developers building on Linux or creating cross-platform apps will increasingly need to architect around compliance requirements that sit at the OS level, not the application level. That’s a significant structural change. What’s clear is that “identity-lite” design was never ideological for most engineers; it was simply practical. Age attestation meant fewer identity dependencies mean fewer failure points, fewer regulatory surface areas, and faster deployment. Whether that practical advantage survives the current legislative moment is an open question. But the underlying logic isn’t going away, and the platforms that figure out how to satisfy compliance demands without centralizing identity data will have a meaningful architectural edge.
This guide describes how you can install a Plan 9 network on an OpenBSD machine (it will probably work on any unix machine though). The authentication service (called “authsrv” on Plan 9) is provided by a unix version: authsrv9. The file service is provided by a program called “u9fs”. It comes with Plan 9. Both run from inetd. The (diskless) cpu server is provided by running qemu, booted from only a floppy (so without local storage). Finally, the terminal is provided by the program drawterm. The nice thing about this approach is that you can use all your familiar unix tools to get started with Plan 9 (e.g. you can edit the Plan 9 files with your favorite unix editor). I’m assuming you have read at least something about Plan 9, for example the introduction paper Plan 9 from Bell Labs. ↫ Mechiel Lukkien If you’re running OpenBSD, you’re already doing something better than everyone else, and if you want to ascend to the next level, this is a great place to start. Of course, the final level, where you leave your earthly roots behind and become a being of pure enlightened energy, is running Plan 9 on real hardware as the universe intended, but let’s not put the cart before the horse. One day, all of humanity will just be an endless collection of interconnected cosmic Plan 9 servers, more plentiful than the stars in the known universe.
Towards the end of 2024, Dennis Biesma decided to check out ChatGPT. The Amsterdam-based IT consultant had just ended a contract early. “I had some time, so I thought: let’s have a look at this new technology everyone is talking about,” he says. “Very quickly, I became fascinated.” Biesma has asked himself why he was vulnerable to what came next. He was nearing 50. His adult daughter had left home, his wife went out to work and, in his field, the shift since Covid to working from home had left him feeling “a little isolated”. He smoked a bit of cannabis some evenings to “chill”, but had done so for years with no ill effects. He had never experienced a mental illness. Yet within months of downloading ChatGPT, Biesma had sunk €100,000 (about £83,000) into a business startup based on a delusion, been hospitalised three times and tried to kill himself. ↫ Anna Moore at The Guardian These stories are absolutely heart-wrenching, and it doesn’t just happen to people who have had a history of mental illness or other things you might associate with priming someone for “falling for” an “AI” chatbot. Just a few years in, and it’s already clear that these tools pose a real danger to a group of people of indeterminate size, and proper research into the causes is absolutely warranted and needed. On top of that, if there’s any evidence of wrongdoing from the companies behind these chatbots – intentionally making them more addictive, luring people in, ignoring established dangers, covering up addiction cases, etc. – lawsuits and regulation are definitely in order. Only yesterday, Facebook and Google lost a landmark trial in the US, ruling the companies intentionally made social media as addictive as possible, thereby destroying a person’s life in the process. Countless similar lawsuits are underway all over the world, and I have a feeling that in a few years to decades, we’ll look at unregulated, rampant social media the same way we look at tobacco now. Perhaps “AI” chatbots will join their ranks, too.
Today, we’re excited to announce a significant step forward in our ongoing commitment to Windows security and system reliability: the removal of trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help protect our customers by ensuring that only kernel drivers that the Windows Hardware Compatibility Program (WHCP) have passed and been signed can be loaded by default. To raise the bar for platform security, Microsoft will maintain an explicit allow list of reputable drivers signed by the cross-signed program. The allow list ensures a secure and compatible experience for a limited number of widely used, and reputable cross-signed drivers. This new kernel trust policy applies to systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025 in the April 2026 Windows update. All future versions of Windows 11 and Windows Server will enforce the new kernel trust policy. ↫ Peter Waxman at the Windows IT Pro Blog The cross-signed root program was discontinued in 2021, and ran since the early 2000s, so I think it’s fair to no longer automatically assume such possibly old and outdated drivers are still to be trusted.
I’ll never grow tired of reading about the crazy tricks the Windows 95 development team employed to make the user experience as seamless as they could given the constraints they were dealing with. During the 16bit Windows days, application installers could replace system components with newer versions if such was necessary. Installers were supposed to do a version check, but many of them didn’t follow this guidance. When moving to Windows 95, this meant installers ended up replacing Windows 95 system components with Windows 3.x versions, which wasn’t exactly a goods thing. So, they came up with a solution. Windows 95 worked around this by keeping a backup copy of commonly-overwritten files in a hidden C:\Windows\SYSBCKUP directory. Whenever an installer finished, Windows went and checked whether any of these commonly-overwritten files had indeed been overwritten. If so, and the replacement has a higher version number than the one in the SYSBCKUP directory, then the replacement was copied into the SYSBCKUP directory for safekeeping. Conversely, if the replacement has a lower version number than the one in the SYSBCKUP directory, then the copy from SYSBCKUP was copied on top of the rogue replacement. ↫ Raymond Chen All of this happened entirely silently, and neither the installers nor the user had any idea this was happening. The Windows 95 team tried other solutions, like just making it impossible to replace system components with older versions entirely, but that caused many installers to break. Some installers apparently even went rogue and would create a batch file that would replace the system components upon a reboot, before Windows 95 could perform its silent fixes. Wild. I used Windows 95 extensively, and had no idea this was a thing.
The U.S. Federal Communications Commission said on Monday it was banning the import of all new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over security concerns. China is estimated to control at least 60% of the U.S. market for home routers, boxes that connect computers, phones, and smart devices to the internet. ↫ David Shepardson at Reuters I’m sure the American public will be thrilled to find out yet another necessity has drastically increased in price.
It’s the end of an era: Apple has confirmed to 9to5Mac that the Mac Pro is being discontinued. It has been removed from Apple’s website as of Thursday afternoon. The “buy” page on Apple’s website for the Mac Pro now redirects to the Mac’s homepage, where all references have been removed. Apple has also confirmed to 9to5Mac that it has no plans to offer future Mac Pro hardware. ↫ Chance Miller at 9To5Mac If a Mac Pro falls in the back of the Apple Store and there’s no one around to hear it, does it make a sound?
Several US states, the country of Brazil, and I’m sure other places in the world have enacted or are planning to enact laws that would place the burden of age verification of users on the shoulders of operating system makers. The legal landscape is quite fragmented at this point, and there’s no way to tell which way these laws will go, with tons of uncertainties around to whom these laws would apply, if it targets accounts for application store access or the operating system as a whole, what constitutes an operating system in the first place, and many more. Still, these laws are already forcing major players like Apple to implement sharing self-reported age brackets with application developers (at least in iOS), so there’s definitely something happening here. In recent weeks, the open source world has also been confronted with the first consequences of these laws, as both systemd and xdg-desktop-portal have responded to operating system-level age verification laws in, among other places, California and Colorado, by adding birthDate to userdb (on systemd’s side) and developing an age verification portal (on xdg-desktop-portal’s side) for use by Flatpaks. The age verification portal would then use the value set in usrdb’s birthDate as its data source. The value in birthDate would only be modifiable by an administrator, but can be read by users, applications, and so on. Crucially, this field is entirely optional, and distributions, desktop environments, and users are under zero obligation to use it or to enter a truthful value. In fact, contrary to countless news items and comments about these additions, nothing about this even remotely constitutes as “age verification”, as nothing – not the government, not the distribution or desktop environments, not the user – has to or even can verify anything. If these changes make it to your distribution, you don’t have to suddenly show your government ID, scan your face, or link your computer to some government-run verification service, or even enter anything anywhere in the first place. Furthermore, while the xdg-desktop-portal’s proposals are still fluid and subject to change, consensus seems to be to only share age brackets with applications, instead of full birth dates or specific ages – assuming anything has even been entered in the birthDate field in the first place. Even if your Linux distribution and/or desktop environment implements everything needed to support these changes and expose them to you in a nice user interface, everything about it is optional and under your full control. The field is of the same type as the existing fields emailAddress, realName, and location, which are similarly entirely optional and can be left empty if desired. Taken in isolation, then, as it currently stands, there’s really not much meat to these changes at all. The primary reason to implement these changes is to minimally comply with the new laws in California, Colorado, Brazil, and other places, and it’s understandable why the people involved would want to do so. If they do not, they could face lawsuits, fines, or worse, and I don’t know about you, but I wouldn’t want to be on the receiving end of the western world’s most incompetent justice system. Aside from that, these changes make it possible to build robust parental controls, which isn’t mentioned in the original commits to systemd, but is clearly the main focal point of xdg-desktop-portal’s proposal. This all seems well and good, but given today’s political climate in the United States, as well as the course of history, that “as it currently stands” is doing a lot of heavy lifting. Rightfully so, a lot of people are worried about where this could lead. Sure, today these are just inconsequential, optional changes in response to what seems to be misguided legislation, but what happens once these laws are tightened, become more demanding, and start requiring a lot more than just a self-reported age bracket? In Texas, for instance, H.B. 1131 requires any commercial entity, including websites, that contains more than one-third “sexual material harmful to minors” to implement age verification tools using things like government-issued IDs or bank transaction data to verify visitors’ ages before allowing them in. The UK has a similar law on the books, too. It’s not difficult to imagine how some other law will eventually shift this much stricter, actual age verification from websites and applications into operating systems instead. What will systemd’s and xdg-desktop-portal’s developers do, then? Will they comply as readily then as they do now? This is a genuine worry, especially if you already belong to a group targeted by the current US administration, or were face-scanned by ICE at a protest. Large groups of especially religious extremists consider anything that’s LGBTQ+ to be “sexual material harmful to minors”, even if it’s just something normal like a gay character in a TV show. It’s not hard to imagine how age verification laws, especially if they force age verification at the operating system level, can become weaponised to target the LGBTQ+ community, other minorities, and people protesting the Trump regime. You may think this won’t affect you, since you’re using an open source operating system like desktop Linux or one of the BSDs, and surely they are principled enough to ignore such dangerous laws and simply not comply at all, right? Sadly, here’s where the idealism and principles of the open source world are going to meet the harsh boot of reality; while open source software has a picturesque image of talented youngsters hacking away in their bedrooms, the reality is that most of the popular open source operating systems are actually hugely complex operations that require a ton of funding, and that funding is often managed by foundations. And guess where most popular Linux distributions’ and BSD variants’ foundations are located? Developers from all over the world may contribute to Debian, but all of its financials and trademarks are managed by Software in the Public Interest, domiciled in New York State. Fedora is part of Red Hat, owned by IBM, and
