The team behind Arch-based Garuda Linux has issued a statement regarding the controversy surrounding age-verification laws and their impact on Linux distributions, confirming that it will not implement such measures unless legally required.
A Garuda developer stated in a forum post that the distribution is not obligated to comply with laws such as California’s Digital Age Assurance Act, as it operates outside that jurisdiction. The project’s infrastructure is located in Finland and Germany, and contributors adhere to their local laws. Therefore, Garuda does not consider itself subject to U.S. state-level legislation.
“Garuda Linux will not implement any age verification measures, since Garuda Linux’s legal jurisdictions have no laws mandating age verification.”
The statement adds that authorities in regions like California should restrict access locally, rather than expect global compliance from projects without a legal presence there.
Garuda Linux states that its current position is based on jurisdiction. The project acknowledges this stance may change if similar laws are enacted in the European Union or enforced in its operating countries. In such cases, it would be prudent to avoid fines or legal consequences.
The developers indicate that any required compliance would be minimal, such as implementing simple self-declaration mechanisms instead of strict identity-verification systems, which raise privacy and data-security concerns.
The discussion is tied to recent changes in systemd (the init system used in Garuda), which introduced support for storing user metadata, including age-related fields. Garuda states that this does not mandate age verification but provides a standardized interface for distributions that are required to implement it.
Moreover, the project confirms it will not abandon systemd over this issue, stating that userdb is intended to manage user information and that adding these fields does not impose requirements on distributions that do not need them.
So, in short, Garuda Linux’s position can be defined by three points: no implementation without a legal obligation, compliance if required, and opposition to pressure directed at developers rather than policymakers.
Finally, I’d just like to point out that a similar (albeit much more definitive) stance has been taken by GrapheneOS, an open-source Android-based mobile operating system with a strong focus on security and privacy. Read more about it here.
