>Who is paying FOSS devs who will be implementing this?
Honestly, if they let it be known they'd do it for payment, the same person who's paying off the politicians to push this through would probably pay them too.
This is a neat attack (in that it is obvious and a big flaw but also it makes sense that the lawmakers wouldn’t have thought of it), but it would only affect users who have an age-bucket transition while your application is running, right?
Edit: as folks have pointed out, the attacking application doesn’t actually have to be running while the age-transition takes place. The attacker just has to have logs from before and after the age transition, and then they can narrow the birth-date down.
Not necessarily, depending on how the application is logging it just means the resolution to which you know a birth date is limited by how often the application is run. If I check my email every morning at 8am, and my email app logs my "age bucket", then it can know to a resolution of one day. If I only check my email on Monday mornings, it knows to a resolution of one week, etc...
The size of the age bracket also puts practical limitations on it. There is only one mandated bracket for everyone who's at least 18, preventing that attack on anyone who starts using your software after their 18th birthday. And if a 13 year old signs up it takes three years for you to observe the switch to the >=16,<18 bucket.
> And if a 13 year old signs up it takes three years for you to observe the switch to the >=16,<18 bucket
I think this is the big vulnerability in the scheme. This information is easy to track and log, so it is basically equivalent to giving away the DOB of everybody who is currently under 18 (at least, everybody who uses the system as intended). In the long run that’s everybody.
We could have a discussion about whether or not it would be fine for services to know every user’s DOB, but it is clearly giving away more information than the law intended.
> There is only one mandated bracket for everyone who's at least 18, preventing that attack on anyone who starts using your software after their 18th birthday.
I don’t think that fully recognizes the size of the problem, “using your software” is fuzzy. Companies get bought, identities get correlated, ad services collect and log more information than needed. I think it is better to assume the attacker will have logs of these queries from the start date of a person’s first account.
Then you store the user age every time it's run and check for changes on start. Maybe that only gives you a 7 day range for birthdays, but you can narrow that over time and it's still good enough for targeting.
I agree, sorry, I think my original comment was a little imprecise. My point was that the app can get the “exact” age only for users who undergo an age-bucket transition in an era that the app has logs for.
I mean, the app can query on a weekly basis, and then if you go from “under 18” to “over 18” it knows the week that you were born in. But, if the user was already an adult when the logging started, there isn’t a transition to go off.
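The arithmetic discussed in the comments above, written out so that a privacy review can estimate how much a log of bucket answers gives away. This is an added example, not code from any commenter; the bucket borders 0 and 13, the function names and the log entries are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Lower age bound of each bucket, in years. 16 and 18 come from the thread;
# 0 and 13 are assumptions made for this example.
BOUNDS = [0, 13, 16, 18]

def years_before(day, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)

def birth_window(observations):
    """Intersect the constraints from (date, bucket_index) log entries.

    Returns (earliest, latest) possible birth date, inclusive. earliest is
    None when the log gives no lower bound (only the top bucket was seen).
    """
    earliest = latest = None
    for day, bucket in observations:
        # Age >= lower bound: born on or before `day` minus that many years.
        upper = years_before(day, BOUNDS[bucket])
        latest = upper if latest is None else min(latest, upper)
        if bucket + 1 < len(BOUNDS):
            # Age < next bound: born strictly after `day` minus that bound.
            lower = years_before(day, BOUNDS[bucket + 1]) + timedelta(days=1)
            earliest = lower if earliest is None else max(earliest, lower)
    if earliest is not None and earliest > latest:
        raise ValueError("log entries contradict each other")
    return earliest, latest

def window_days(observations):
    """Number of candidate birth dates, or None if unbounded."""
    earliest, latest = birth_window(observations)
    return None if earliest is None else (latest - earliest).days + 1

# Constructed logs: an app that records the bucket once a week.
TEEN_LOG = [(date(2026, 3, 2), 1), (date(2026, 3, 9), 1), (date(2026, 3, 16), 2)]
ADULT_LOG = [(date(2026, 3, 9), 3), (date(2026, 3, 16), 3)]

if __name__ == "__main__":
    for name, log in (("one entry", TEEN_LOG[:1]), ("transition", TEEN_LOG),
                      ("adult only", ADULT_LOG)):
        print(name, birth_window(log), window_days(log))
```

A single bucket answer leaves a window of about three years, the logged transition shrinks it to the logging interval, and a log that only ever shows the top bucket gives no lower bound at all.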
The UI can be implemented using the user's date of birth, but it can also be implemented by selecting an age bracket and then all it tells you is that the user changed the age bracket setting.
Is there any mention of granularity? So if the user sets their age bracket, then there's no DoB stored. If the user is old enough to fall into some other age bracket they can set that if they want. (And then somehow making this a bit more data driven - i.e. "verifying" - is a different matter altogether.)
IIRC the age buckets were defined in the California law. They were something along the lines of age ranges that would intuitively map to adults, teenagers, and kids, I forget the exact borders.
I think the intent was for the OS to know the user age, but only provide an age range, so it could automatically upgrade people as they aged (but I could be wrong about that).
Proper grammar on formulaic language is a proof-of-work system. Difficult to achieve but easy to check. It suggests that the author cared enough to put in the time. When the cost of graduate labor is low, careful editing suggests that you can burn a student's time to demonstrate the message is worth reading.
None of this is for what you're describing though, there is no reality where such wildly different countries and states in different corners of the world all decided coincidentally to all do this within 6 months of each other. We know it's not "well maybe they saw X country and thought it was a good idea" because even percolating the policy would have taken over a year.
Protecting kids is just the PR reason, the real goal is requiring ID auth for every action taken on a computer. If we normalize it for downloading apps or using websites the next step is to authorize it for connecting to HTTPS at all and then the next step is requiring it to unlock your CPU cores.
If people don't push back on this now there is no world where we get out of 2030 without requiring government ID auth to install linux on your own computer not connected to the internet.
End to end silicon to server auth is absolutely possible and someone is working really hard to make it a reality.
Begging open source projects to stop with the libre<name> convention, it's awkward to say, it's cringe and seems to spiritually doom a project to fail.
The "libre" term originates from the "free software" movement which does not like the term "open source" on philosophical grounds. In English, "free" has multiple meanings, and the romance language-derived "libre" was chosen in the past to distinguish the movement's ideals from the use of "free as in beer".
I just wish more of these projects would be a bit more ambitious and put more focus in their communication on being good at what they do, rather than being free and made by idealists. They're branding themselves in a way that only really appeals to other techy idealists, while accidentally putting off a lot of potential users who are neither technical nor philosophical enough to know or care what a term like libre means. There's a lot of good, free software that is selling itself short by communicating more about being the latter than the former.
I think there's some truth to what you say - at the same time, a lot of successful products have names that basically have no meaning at all, or at least none that's related to what the project actually does ("Windows", "Cursor", "Firefox", etc...)
Of course, a point could be made that any inoffensive but basically fluffy name is still better than a geeky sounding tech babble name...
"Windows" actually is related to what it does. As you might already know, before Windows, you just had DOS, which was 100% full screen all the time. Then Windows came along and let you run DOS programs (and Windows programs, of course) inside of their own windows, and let you have multiple windows open at once. Then, only after that was hugely successful, it became its own standalone OS. So at least at the time it was created and became popular, its name was very related to what it did.
The most successful open source projects (firefox, blender, linux, krita, ...) do not have libre in their name, the most famous of those who have is probably libreoffice, but it is not exactly loved.
So I totally agree on rather having a name that appeals to normal users, than a certain tech bubble who will rather use the terminal wherever they can anyway...
You're not wrong but neither IMO is the person you're responding to. emacs wasn't renamed LibrEmacs. gcc wasn't renamed Librecc. "Libre" can both be trying to convey something, and arguably a bad name that turns lots of people off.
One example that really sticks in my mind was "Libreboot". Yes, it's supposed to represent a free BIOS/booting system. But it also sounds like the name of a library dedicated to rebooting your computer.
I kind of agree. When nothing's Libre, naming your project Libre<something> is fine, I believe. But imagine OSS succeeds, and everything is named Libre<something>. Then that's terrible.
"Did you open libreterminal and use librels and libreget to download librebrowser to open libresearch?"
It lacks identity (just a little bit is fine) and distinctiveness, imo.
I speak two languages (English and Russian) and have never found their name to be awkward. This is the first time, actually, that I've seen somebody say they don't like their name.
Curious on what languages have a hard time saying Libre.
Every Latin-derived language (which are most of the western languages) can pronounce it naturally, and even English speakers can approximate it well enough to be understood (even though they're incapable of pronouncing the non-retroflex `r`).
The "bre" in "libre" is pronounced similarly to "zebra". Kinda. It'll get you in the ballpark, which is good enough for an Anglo.
"This Hour has 22 Minutes" had a great sketch where both a Francophone (Gavin Crawford impersonating Chantal Hebert) and an Anglo (I forget who) were stumbling over proper nouns from the opposite language. The joke was that both were trying too hard to pronounce things "properly". It came off as inauthentic and awkward.
What if 1/3 of US states and some EU countries join them? Will they block so many users? Also blocking is easier for smaller distros, not so much for Valve, Red Hat and Ubuntu.
We’re heading to needing ID verification to even run code on a computer so why should I care if a few people can’t download Linux for a while, you need them to be inconvenienced to push back.