NetBSD-Users archive


Re: What will NetBSD do about the age verification law?



Hi Isac, hi all,

On 3/10/26 00:06, Isac Monção wrote:
> I don't know if this is already answered somewhere else.


Given the recent developments around age verification laws (especially in the US), I was wondering whether this has any implications for systems like NetBSD, too - or whether it should have.

My current understanding is: probably not, at least not at the base OS
level(?)

A default NetBSD installation:

- does not ship a browser
- does not provide direct access to regulated content
- is not a service or platform provider

So from a regulatory perspective, it seems clear that:

NetBSD itself is not in scope, and should not try to become part of that
layer.

Even if a user accesses something via SSH or installs additional
software, that responsibility clearly sits above the OS.

That said, NetBSD is often used as a foundation for:

- custom desktop systems
- embedded devices
- appliances or consoles

In those scenarios, the overall system might end up in scope, even if the base OS is not.

So the question I have been thinking about is not: "Should NetBSD implement age verification?" (I think clearly no)

but rather:

"Is there a small, optional mechanism the OS could provide that higher
layers could use if needed?"

One idea (very rough) would be to allow optional user attributes, without introducing any policy into base.

Something along the lines of:

/etc/userattrs:

```
alice: age_class=adult
bob: age_class=minor
```

with a minimal interface like:

```
getuserattr("alice", "age_class") -> "adult"
```

Key properties of such an approach would be:

- completely optional
- no enforcement in base
- no assumptions about how the attribute is derived
- purely local, no external dependencies

This would keep the OS in a "mechanism, not policy" role, while still
giving downstream systems something simple to build on.

An alternative would be storing something like a date of birth instead,
e.g.:

```
alice: dob=2001-05-12
```

but that feels less attractive to me, because:

- it introduces more sensitive personal data into base system files
- it raises questions about correctness/verification that the OS cannot
solve anyway
- most use cases likely only need a coarse classification (minor/adult)

From a Unix perspective, it seems cleaner to store derived attributes
rather than raw identity data.

Of course, one could also argue that this is entirely out of scope for
the base system, and should be handled purely in userland or by
higher-level frameworks.

So I would be interested in opinions on:

- whether this is worth considering at all
- whether existing mechanisms (e.g. login classes) are already sufficient
- or whether even a minimal attribute mechanism would be unnecessary
complexity

To be clear: I do not think NetBSD needs to "do" anything here today.

I am mostly curious whether it makes sense to think about this early, in
a minimal and NetBSD-like way, before more opinionated solutions appear
elsewhere.

Thanks for any thoughts.

Kind regards
Matthias


--
For everyone who wants to understand and shape digital systems:
new posts every week on architecture, sovereignty and system design.
👉 https://www.petermann-digital.de/blog
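
An added example, not part of the message above and not NetBSD code: one way the lookup sketched in the message could be written in C over the proposed file format, with exact name and key matching and a caller that treats a missing or malformed entry as no grant. The names `userattr_lookup` and `is_adult`, the one-attribute-per-line layout and the sample data are assumptions.

```c
#include <string.h>

/* Constructed sample in the format sketched in the message;
 * the last entry is deliberately malformed (no value). */
static const char SAMPLE[] =
    "alice: age_class=adult\n"
    "bob: age_class=minor\n"
    "alice2: age_class=minor\n"
    "carol: age_class\n";

/* Hypothetical lookup over an in-memory copy of the file.
 * Returns 0 and fills out; -1 if absent, malformed or too long for out. */
int userattr_lookup(const char *text, const char *user, const char *key,
                    char *out, size_t outlen)
{
    size_t ulen = strlen(user), klen = strlen(key);

    if (ulen == 0 || klen == 0)
        return -1;
    for (const char *line = text; *line != '\0'; ) {
        size_t len = strcspn(line, "\n");
        const char *p = line, *end = line + len;

        line = (*end == '\n') ? end + 1 : end;
        /* Exact name match: "al" must not match "alice". */
        if (len <= ulen || strncmp(p, user, ulen) != 0 || p[ulen] != ':')
            continue;
        p += ulen + 1;
        while (p < end && (*p == ' ' || *p == '\t'))
            p++;
        /* Exact key match: "age" must not match "age_class". */
        if ((size_t)(end - p) <= klen || strncmp(p, key, klen) != 0 ||
            p[klen] != '=')
            continue;
        p += klen + 1;
        size_t vlen = (size_t)(end - p);
        if (vlen == 0 || vlen >= outlen)
            return -1;              /* empty or truncated: refuse */
        memcpy(out, p, vlen);
        out[vlen] = '\0';
        return 0;
    }
    return -1;
}

/* Hypothetical consumer in a higher layer: anything other than an
 * explicit "adult" (missing user, malformed line) is not a grant. */
int is_adult(const char *text, const char *user)
{
    char v[16];
    return userattr_lookup(text, user, "age_class", v, sizeof v) == 0 &&
           strcmp(v, "adult") == 0;
}
```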


