On Sun, 1 Mar 2026 22:04:35 +0100 Gioele Barabucci <[email protected]> wrote:
> On 01/03/26 20:48, Aaron Rainbolt wrote: > > At its core, the law seems to require that an "operating system" > > (I'm guessing this would correspond to a Linux distribution, not an > > OS kernel or userland) request the user's age or date of birth at > > "account setup". The OS is also expected to allow users to set the > > user's age if they didn't already provide it (because the OS was > > installed before the law went into effect), and it needs to provide > > an API somewhere so that app stores and application distribution > > websites can ask the OS "what age bracket does this user fall > > into?" > > Hi, thanks for starting this conversation. The text of the bill is > quite clear and I think it is easier to read it than to paraphrase it. > > The bill not only imposes obligations on «operating system > provider[s]» (section 1798.501. (a)) but also on «[application] > developer[s]» (ibid (b)). > > The main obligation for the developer is: > > > 1798.501. (b) (1) A developer shall request a signal with respect to > > a particular user from an operating system provider or a covered > > application store when the application is downloaded and launched. > In my reading this means that, at least: > > 1. the developer of `cp` (as in coreutils' `cp`) must add code to > `cp`, 2. so that `cp` fetches age-related information of the current > user from the OS, > 3. every time a user runs `cp`. > > I don't see in the bill's text anything that would exclude the > developer(s) of `cp` from the need to at least make a request for > this age-related information. > > (Obviously I'm using `cp` here as a silly example to make a point.) It's a good point though. One could make an argument that `cp` is an OS component rather than an application, and I *think* the OS provider isn't held liable if something that is considered an application fails to follow the rules properly (though admittedly section 1798.503b doesn't mention conduct by developers who fail to request a "signal", it only mentions conduct by developers that do receive a signal, which raises the question of if operating systems are expected to send signals to applications that don't request them, and what that would even look like on a technical level. Given that this is the same bill that seems to indicate users won't ever be 18 or older, I'm hoping this was an accident). -- Aaron > Regards, >
pgpiP0GYSRkIB.pgp
Description: OpenPGP digital signature
