Resistance to operating system age checks coming from *checks notes* open source calculator and an OS that may just exclude Californians altogether
California has adopted a bill that requires operating systems to ask for a user's age or date of birth during setup. The bill, which will become enforced legislation from January 1, 2027, says an OS should use this to determine the availability of applications in a storefront and share this information with any developer that requests it in real-time. All of which sounds incompatible with many of today's open source software, including Linux—so what are they to do?
Jef Spaleta, project leader for popular Linux distribution, Fedora, has said they are still trying to get to grips with the legislation and what it requires. However, in their measured response, they have noted that age information may need to be tied to account creation and that information stored in a file somewhere easily accessible to applications.
"End of the day.. this might be as simple as extending how we currently map uid to usernames and group membership and having a new file in /etc/ that keeps up with age," Spaleta says in a discussion over at the Fedora Project.
"It might be as simple as that and we extend the administrative cli and gui tools to populate that file as part of account creation. That might be simplest and it solves the problem for the full ecosystem of Linux OSes. Then applications just have to start choosing to look at the file."
"No telemetry… just a way for applications to query the OS… a local API… sounds a lot like a dbus service to me," Spaleta says.
A D-Bus service (allowing for communication between programs) is also suggested by another developer on the ubuntu-devel mailing list.
Aaron Rainbolt contributes to Kicksecure and Whonix, two security-focused Debian-based distros, and says these "aren't particularly interested in blocking everyone in California and Colorado from using our OSes, so we're currently looking into how to implement an API that will comply with the laws while also not being a privacy disaster."
A reply to that thread is someone suggesting the law is completely unenforceable, so there's definitely going to be some back and forth on any potential compliance here.
There is another valid response: simply reject users from California. Or, at least, nominally do as such. That's what the developers of the MidnightBSD OS have suggested they'll be doing, by excluding residents of California from using the OS from January 1, 2027—the same day the bill becomes active in the state.
Ironic, really, as the 'BSD' in MidnightBSD stands for Berkeley Software Distribution, for the University of California, Berkeley. This is where one of the earliest Unix forks was created, and it remains the basis for many today, including FreeBSD. FreeBSD is part of the foundation of another California-based institution's product, Apple's macOS.
It's not a petty means of targeting Californian citizens, however. It means the job of checking whether people have installed its OS falls onto Californian authorities to deal with. How might they go about that? Again, seems practically impossible, and boggles the mind to even suggest such a thing could occur.
Until we have a better plan, we modified our license to exclude residents of California from using MidnightBSD for desktop use, effective January 1, 2027. This is due to https://t.co/jvo7ZBLqyC?February 26, 2026
Though MidnightBSD has since drafted what an alternative (a better plan) might look like. It suggests writing a user's age to a file readable by root only. Though in the Google Doc for the potential change, it is noted:
"Would it be legal to ask if you want to turn this feature off and skip this crap outside the US?"
As an exercise, we've attempted to come up with a plan to implement the age verification law. This is a draft of that plan. There are a few issues with this plan.https://t.co/3rFWvLnvwRMarch 1, 2026
It's not just California that's rolling out age verification methods affecting operating systems. A bill is under consideration in Colorado, SB26-051, that would require a similar thing, but only if it passes into law. The Colorado bill would take effect from January 1, 2028.
The pair of bills (derogatory) are the subject of fierce resistance from an unlikely source: the creators of an open source calculator. DB48X is a project to rebuild and improve upon the "legendary" HP48 family of calculators and RPL programming language, and for modding newer calculators to utilise it.
The legal-notice file for the project now reads:
"As a consequence of recent legislative activity in [California][cal]
and [Colororado][col]:
* California residents may no longer use DB48x after Jan 1st, 2027.
* Colorado residents may no longer use DB48x after Jan 1st, 2028.
DB48x is probably an operating system under these laws. However, it does not, cannot and will not implement age verification."
You know you've messed up when you've angered the math lot.
It's worth noting that both bills, California's and Colorado's, set out a proviso that an operating system must not collect or share information beyond the scope of the bill. That's either age or date of birth, nothing else. Though it seems to me that it's touched a nerve for the assumed overreach it represents, rather than what it actually means in practice or implementation.
There are a few obvious problems with the legislation, too. The sort of problems that make you wonder whether it's being rolled to do something effectively or look like something is being done.
The first being that neither bill, as far as I can tell, specifies what level of verification is required of a user's age. All they require is a user's age or date of birth. A simple dropdown interface may suffice. So, beyond being a headache for open source developers to figure out how to implement it in distros that often collect little to no personal information, the effectiveness of such a system appears to be based on an honour system.
Then there's enforcement, which appears shaky at best. Both Californian and Coloradan bills set out civil fines of $2,500 for unintentional breaches and $7,500 for intentional breaches, but how would the majority of breaches be discovered in the first place?
It's all a bit wishy-washy. Moreover, it is coming at a time when age verification is being rolled out more widely across the globe and facing stern criticism, such as an open letter from scientists and researchers that notes the many pitfalls of ill-thought-out verification methods, including for privacy and security, and their overall effectiveness.