On Sat, 14 Mar 2026 at 12:59, Richard Lewis <[email protected]> wrote:
> Martinx - ジェームズ <[email protected]> writes:
>
> > I think that last point matters as much as the others. The false choice
> > between “implement it” and “exclude users by jurisdiction” should be
> > rejected.
>
> It's a good project to track this stuff for sure, I don't mean to
> discourage that
>
> but can you explain why this is a "false choice" and how Debian can
> really "reject" it in practice. not implementing means users who want to
> follow the law are excluded. has anyone asked any users what they would
> like Debian to do?
>
> e.g. do you mean
>
> - Debian should decide the law doesn't apply to it
> - Debian should accept the consequences of breaking laws it doesn't agree
>   with
> - Debian should choose to break laws it doesn't agree with
> - Debian should encourage users to break a law
> - Debian should encourage users who do not like a law to live somewhere
>   with different laws
> - Debian should encourage users who do not agree with a law to not use Debian
> - Debian should somehow get the law changed
> - something else?
>
> (and how will any of that happen in practice?)
>
> has anyone looked at the risks and consequences of not implementing
> something?

Thank you. This is a fair question, and I should define more precisely what I mean by calling it a false choice.

I do not mean that Debian should pretend laws do not exist, casually ignore legal consequences, encourage users to break laws, or tell people to move somewhere else.

What I mean is that the discussion can too easily collapse into the idea that Debian must either implement the mechanism or exclude users by jurisdiction:

1. implement the mechanism in the base system, or
2. exclude users by jurisdiction.

I do not think those are the only options, and I do not think Debian should accept that framing.

What “reject” means in practice, to me, is that Debian should not standardize, ship, or normalize OS-level age-signaling mechanisms in the base system. It should not build them into account metadata, user records, portals, or other standard interfaces, and it should not preemptively redesign Debian around the broadest or most coercive interpretation of external law.

Debian is not Apple, not Google, not an app store, and not a hosted platform. It is a volunteer free software project, and that matters here. That is exactly why I do not think Debian should internalize this kind of pressure by turning itself into an OS-level classification and policy-enforcement system.

Debian’s Social Contract points toward broad usability, free redistribution, non-discrimination, and an integrated system without legal restrictions that would prevent use of the system. I do not think those principles support redesigning Debian around OS-level age-classification and access-control mandates.

And yes, the risks and consequences of refusal should be examined seriously. But the risk analysis cannot stop at legal exposure. It also has to include the risks of implementation itself: creating OS-level classification, creating new disclosure mechanisms, normalizing policy-enforcement endpoints, and building infrastructure that is likely to be widened and reused later.

So my point is not that refusal has no consequences. My point is that legal pressure does not create a point at which converting Debian into a surveillance mechanism becomes acceptable. If the only path left is to turn Debian into that kind of system, Debian should still refuse.

