With age verification/attestation laws down to the OS level enacted by California and being decided upon by other US states, it’s been a hot topic of discussion in the open-source world. For the Debian project that is strictly volunteer/community-driven unlike various commercial Linux platforms, they are figuring out how such laws will impact them.
Current Debian Project Leader Andreas Tille touched on this topic in his latest mailing list update. With many of the soon-to-be-enacted or proposed laws requiring age attestation at the OS level and exposing the information/signals to apps and package managers, Debian may be impacted. But unlike many of the other more prominent Linux distributions that are backed by corporate entities and commercial-focused, it’s not clear at this stage how Debian could be impacted in being a volunteer-driven project.
Debian and Software in the Public Interest (SPI) and other parties are currently seeking guidance on dealing with the changing legal landscape. Tille wrote in the mailing list update:/a> on the matter:
“Recent discussions have started around new age verification legislation that may affect free software operating systems. In particular, the California Digital Age Assurance Act (AB 1043), expected to take effect in 2027, raises questions about whether operating systems and package distribution mechanisms could be required to provide age-related information to applications. In parallel, a recently adopted law in Brazil appears to introduce similar requirements and is already in force, with initial interpretations suggesting it could apply to components such as package management tools. These developments are currently under discussion within Debian and other projects, and SPI has initiated efforts to obtain legal guidance. At this stage, the situation remains unclear, and further analysis is ongoing.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way. It seems plausible that obligations, if any, may primarily affect redistributors or commercial entities building products on top of Debian. In such cases, Debian would as usual be open to contributions that help downstreams meet their requirements, while keeping such features optional and respecting the needs of users in other jurisdictions. However, this is an area where proper legal analysis is still required.”
We’ll see what happens and hope for the best.
