Linux is a free operating system that needs little introduction. It powers many of the pieces of technology from the phone you’re holding to read this to the server rendering the HTML and probably every hop in between. By most metrics it’s the most used system of that type.

California passed its Digital Age Assurance Act, which creates penalties for non-compliance ranging from $2,500 to $7,500 per affected child, and Colorado is proposing a similar bill, SB26-051. These are political problems, which many of us often shy away from discussing publicly, but they obviously intersect with FOSS as a whole. We have seen comments from vendors like System76 that face hard decisions about how to comply with these laws to keep their business operating. On the other side of the spectrum there are obscure calculators like db48x that exist outside of those influences, having carved themselves out of the problem. Somewhere in the mix Ubuntu users are discussing potential compliance.

We’ve been here before.

Linux has faced many legal challenges in the past. Often these come from bitter competitors that are upset their bottom lines are affected. These companies often lash out by going through a list of who is using Linux successfully and targeting them with lawsuits. Sometimes these are patent-related threats involving media codecs or file systems. Most of the time, the community scoffs, moves some code to a different server outside some jurisdiction and then makes it optional.

As a community we will see the same thing play out again with different players at the table and a slightly different opening moveset. However, the devil is in the details and it’s important we in the FOSS community get this right. We must ensure that the work is always done by those creating these problems and they get to keep both pieces when it breaks.

Firstly, never fork and maintain code for surveillance states. Users who want surveillance by their government can already use RedStarOS if they desire. Users who want these kinds of activities are free to create and maintain the patches needed to support this kind of functionality themselves. This means a regular user of Fedora Linux must never see an age identification question during install or setup. A user who wants that functionality must install a hypothetical California Linux or Colorado Linux. Are those distros trustworthy? Can they keep up with the patching to stay secure? Are these legal modifications or derivative products under the GPL or other FOSS licenses? Those are interesting questions that must be answered by the parties involved, not some task that you must participate in because someone with a pen wanted votes or got bored.

Second, never operate infrastructure that supports surveillance states. Users who want to be surveilled need to be talking to servers controlled by the surveillers. The FOSS community would typically label these kinds of programs and services as malware and remove them from their repositories to protect users. How to protect users while abusing them is a rather stupid riddle that you don’t have to solve. Don’t turn your repositories into less trusted sources of software searching for a solution that might not exist, wasn’t on your roadmap, and that your users have demonstrated they don’t want.

Lastly, never absorb these problems in a vain effort to make your customers happy with being abused. You’re not going to erase the abuse and you will only be left entangled in it. At some point you’ll absorb some of the fallout when it blows up in their faces. Nobody is going to be shocked if something like a California Linux becomes an untouched trash pile, forgotten to time and relegated to a meme. They will be shocked to see Debian violating the principles that have guided the project for over 30 years.