Linux is the kernel, it has nothing to do with this.
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
> Expecting volunteers to dump time into compliance is ridiculous.
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation).
Many big distributions (Ubuntu, Suse, Fedora) are sponsored by big tech companies, and are not maintained by volunteers.
I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!
This is not the first time I read comments from you, I just want to tell you you're probably one of the most annoyingly, reasonably correct person I read. And take it as a compliment, because each time I disagree with you I have to look at my position because I fear being on the wrong side of the argument (which is probably what I find annoying. I want to be unreasonable sometimes!).
Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.
> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place
The US is a federal system. It's part of our checks and balances.
> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption
No one. This is why organizations with actual security requirements do their own dependency checks.