From the be­gin­ning, our goal has been to build tools that rad­i­cally change what it feels like to work with Python — tools that feel fast, ro­bust, in­tu­itive, and in­te­grated.

Today, we’re tak­ing a step for­ward in that mis­sion by an­nounc­ing that we’ve en­tered into an agree­ment to join OpenAI as part of the Codex

team.

Over the past few years, our tools have grown from zero to hun­dreds of mil­lions of down­loads per month across Ruff, uv, and

ty. The Astral tool­chain has be­come foun­da­tional to mod­ern Python de­vel­op­ment. The num­bers — and the im­pact — went far be­yond my most am­bi­tious ex­pec­ta­tions at every step of the way.

Open source is at the heart of that im­pact and the heart of that story; it sits at the cen­ter of every­thing we do. In line with our phi­los­o­phy and

OpenAI’s own an­nounce­ment, OpenAI will con­tinue sup­port­ing our open source tools af­ter the deal closes. We’ll keep build­ing in the open, along­side our com­mu­nity — and for the broader Python ecosys­tem — just as we have from the start.

I view build­ing tools as an in­cred­i­bly high-lever­age en­deavor. As I wrote in our

launch post three years ago: “If you could make the Python ecosys­tem even 1% more pro­duc­tive, imag­ine how that im­pact would com­pound?”

Today, AI is rapidly chang­ing the way we build soft­ware, and the pace of that change is only ac­cel­er­at­ing. If our goal is to make pro­gram­ming more pro­duc­tive, then build­ing at the fron­tier of AI and soft­ware feels like the high­est-lever­age thing we can do.

It is in­creas­ingly clear to me that Codex is that fron­tier. And by bring­ing Astral’s tool­ing and ex­per­tise to OpenAI, we’re putting our­selves in a po­si­tion to push it for­ward. After join­ing the Codex team, we’ll con­tinue build­ing our open source tools, ex­plore ways they can work more seam­lessly with Codex, and ex­pand our reach to think more broadly about the fu­ture of soft­ware de­vel­op­ment.

Through it all, though, our goal re­mains the same: to make pro­gram­ming more pro­duc­tive. To build tools that rad­i­cally change what it feels like to build soft­ware.

On a per­sonal note, I want to say thank you, first, to the Astral team, who have al­ways put our users first and shipped some of the most beloved soft­ware in the world. You’ve pushed me to be a bet­ter leader and a bet­ter pro­gram­mer. I am so ex­cited to keep build­ing with you.

Second, to our in­vestors, es­pe­cially

Casey Aylward from Accel, who led our Seed and Series A, and Jennifer Li from Andreessen Horowitz, who led our Series B. As a first-time, tech­ni­cal, solo founder, you showed far more be­lief in me than I ever showed in my­self, and I will never for­get that.

And third, to our users. Our tools ex­ist be­cause of you. Thank you for your trust. We won’t let you down.

The ver­dict was the ic­ing on the cake.

Afroman did not de­fame Ohio cops in a satir­i­cal mu­sic video that fea­tured footage of them fruit­lessly raid­ing the rap­per’s house, a jury found on Wednesday.

The 51-year-old “Because I Got High” rap­per, whose real name is Joseph Foreman, held up his hands in tri­umph and hugged peo­ple in the court­room af­ter he was found not li­able for defama­tion, or in­va­sion of pri­vacy false light pub­lic­ity.

Foreman was sued by the Adams County Sheriff’s Office over a drug search at his home in August 2022 that re­sulted in no crim­i­nal charges.

The hip hop star wrote the satir­i­cal song “Lemon Pound Cake” and made a mu­sic video with real footage of the raid taken from his home sur­veil­lance cam­eras to raise money for prop­erty dam­age caused dur­ing the search, he has said.

Seven cops with the sher­if­f’s of­fice then sued him in March 2023, al­leg­ing the mu­sic video de­famed them, in­vaded their con­sti­tu­tional pri­vacy, and was an in­ten­tional in­flic­tion of emo­tional dis­tress.

The video fea­tures footage of the cops bust­ing down his door dur­ing, and of one of­fi­cer eye­ing his “mama’s lemon pound­cake” with his gun drawn.

After mak­ing the mu­sic video, Foreman al­legedly con­tin­ued putting up so­cial me­dia posts with names of the of­fi­cers in­volved, the law­suit states.

Several of the posts al­legedly falsely claimed that the cops “stole my money” and were “criminals dis­guised as law en­force­ment,” ac­cord­ing to the suit.

They also falsely stated that the of­fi­cers are “white su­prema­cists,” that Officer Brian Newman “used to do hard drugs” be­fore “snitching” on his friends, and that Officer Lisa Phillips is “biologically male,” ac­cord­ing to the law­suit.

Foreman’s lawyer had ar­gued the song, which he de­scribed as a com­bi­na­tion of com­edy and mu­sic, was sim­ply free speech.

“We see pub­lic of­fi­cials all the time that are made fun of,” lawyer David Osborne said in a clos­ing state­ment Wednesday. “They are go­ing to be held to higher stan­dards, their work is go­ing to be crit­i­cized, that’s just what hap­pens when you’re a pub­lic of­fi­cial.”

“It’s a so­cial com­men­tary on the fact that they did­n’t do things cor­rectly,” he said of the of­fi­cers.

An at­tor­ney for the po­lice, mean­while, de­manded a to­tal of $3.9 mil­lion in dam­ages — di­vided among the seven of­fi­cers in­volved.

“[Foreman]  per­pet­u­ated lies in­ten­tion­ally re­peat­edly over 3 1/2 years on the in­ter­net about these seven brave deputy sher­iffs,” lawyer Robert Klingler said in clos­ing re­marks Wednesday. “[He] knew that what he posted on  the in­ter­net were lies.”

“He says he’s not go­ing to stop…tell him through your ver­dict that he needs to stop,” Klingler added.

“All of this is their fault,” Foreman tes­ti­fied in court Tuesday, ac­cord­ing to WCPO.

“If they had­n’t wrongly raided my house, there would be no law­suit, I would not know their names, they would­n’t be on my home sur­veil­lance sys­tem, and there would be no songs … my money would still be in­tact.”

Zen gives you ac­cess to a hand­picked set of AI mod­els that OpenCode has tested and bench­marked specif­i­cally for cod­ing agents. No need to worry about in­con­sis­tent per­for­mance and qual­ity across providers, use val­i­dated mod­els that work.

The “advanced flow” will be avail­able be­fore ver­i­fi­ca­tion en­force­ment be­gins later this year.

Google is plan­ning big changes for Android in 2026 aimed at com­bat­ing mal­ware across the en­tire de­vice ecosys­tem. Starting in September, Google will be­gin re­strict­ing ap­pli­ca­tion side­load­ing with its de­vel­oper ver­i­fi­ca­tion pro­gram, but not every­one is on board. Android Ecosystem President Sameer Samat tells Ars that the com­pany has been lis­ten­ing to feed­back, and the re­sult is the newly un­veiled ad­vanced flow, which will al­low power users to skip app ver­i­fi­ca­tion.

With its new lim­its on side­load­ing, Android phones will only in­stall apps that come from ver­i­fied de­vel­op­ers. To ver­ify, devs re­leas­ing apps out­side of Google Play will have to pro­vide iden­ti­fi­ca­tion, up­load a copy of their sign­ing keys, and pay a $25 fee. It all seems rather oner­ous for peo­ple who just want to make apps with­out Google’s in­ter­ven­tion.

Apps that come from un­ver­i­fied de­vel­op­ers won’t be in­stal­lable on Android phones—un­less you use the new ad­vanced flow, which will be buried in the de­vel­oper set­tings.

When side­load­ing apps to­day, Android phones alert the user to the “unknown sources” tog­gle in the set­tings, and there’s a flow to help you turn it on. The ver­i­fi­ca­tion by­pass is dif­fer­ent and will not be re­vealed to users. You have to know where this is and proac­tively turn it on your­self, and it’s not a quick process. Here are the steps:

Enable de­vel­oper op­tions by tap­ping the soft­ware build num­ber in About Phone seven times

In Settings > System, open Developer Options and scroll down to “Allow Unverified Packages.”

Flip the tog­gle and tap to con­firm you are not be­ing co­erced

Return to the un­ver­i­fied pack­ages menu at the end of the se­cu­rity de­lay

Scroll past ad­di­tional warn­ings and se­lect ei­ther “Allow tem­porar­ily” (seven days) or “Allow in­def­i­nitely.”

Check the box con­firm­ing you un­der­stand the risks.

You can now in­stall un­ver­i­fied pack­ages on the de­vice by tap­ping the “Install any­way” op­tion in the pack­age man­ager.

The ac­tual leg­work to ac­ti­vate this fea­ture only takes a few sec­onds, but the 24-hour count­down makes it some­thing you can­not do spur of the mo­ment. But why 24 hours? According to Samat, this is de­signed to com­bat the ris­ing use of high-pres­sure so­cial en­gi­neer­ing at­tacks, in which the scam­mer con­vinces the vic­tim they have to in­stall an app im­me­di­ately to avoid se­vere con­se­quences.

You’ll have to wait 24 hours to by­pass ver­i­fi­ca­tion.

You’ll have to wait 24 hours to by­pass ver­i­fi­ca­tion.

“In that 24-hour pe­riod, we think it be­comes much harder for at­tack­ers to per­sist their at­tack,” said Samat. “In that time, you can prob­a­bly find out that your loved one is­n’t re­ally be­ing held in jail or that your bank ac­count is­n’t re­ally un­der at­tack.”

But for peo­ple who are sure they don’t want Google’s ver­i­fi­ca­tion sys­tem to get in the way of side­load­ing any old APK they come across, they don’t have to wait un­til they en­counter an un­ver­i­fied app to get started. You only have to se­lect the “indefinitely” op­tion once on a phone, and you can turn dev op­tions off again af­ter­ward.

According to Samat, Google feels a re­spon­si­bil­ity to Android users world­wide, and things are dif­fer­ent than they used to be with more than 3 bil­lion ac­tive de­vices out there.

“For a lot of peo­ple in the world, their phone is their only com­puter, and it stores some of their most pri­vate in­for­ma­tion,” Samat said. “Over the years, we’ve evolved the plat­form to keep it open while also keep­ing it safe. And I want to em­pha­size, if the plat­form is­n’t safe, peo­ple aren’t go­ing to use it, and that’s a lose-lose sit­u­a­tion for every­one, in­clud­ing de­vel­op­ers.”

But what does that safety look like? Google swears it’s not in­ter­ested in the con­tent of apps, and it won’t be check­ing proac­tively when de­vel­op­ers reg­is­ter. This is only about iden­tity ver­i­fi­ca­tion—you should know when you’re in­stalling an app that it’s not an im­poster and does not come from known pur­vey­ors of mal­ware. If a ver­i­fied de­vel­oper dis­trib­utes mal­ware, they’re un­likely to re­main ver­i­fied. And what is mal­ware? For Samat, mal­ware in the con­text of de­vel­oper ver­i­fi­ca­tion is an ap­pli­ca­tion pack­age that “causes harm to the user’s de­vice or per­sonal data that the user did not in­tend.”

So a rootkit can be mal­ware, but a rootkit you down­loaded in­ten­tion­ally be­cause you want root ac­cess on your phone is not mal­ware, from Samat’s per­spec­tive. Likewise, an al­ter­na­tive YouTube client that by­passes Google’s ads and fea­ture lim­its is­n’t caus­ing the kind of harm that would lead to is­sues with ver­i­fi­ca­tion. But these are just broad strokes; Google has not com­mented on any spe­cific apps.

Google says side­load­ing is­n’t go­ing away, but it is chang­ing.

Google says side­load­ing is­n’t go­ing away, but it is chang­ing.

Google is pro­ceed­ing cau­tiously with the ver­i­fi­ca­tion roll­out, and some de­tails are still spotty. Privacy ad­vo­cates have ex­pressed con­cern that ver­i­fi­ca­tion will cre­ate a data­base that puts in­de­pen­dent de­vel­op­ers at risk of le­gal ac­tion. Samat says that Google does push back on ju­di­cial or­ders for user data when they are im­proper. The com­pany fur­ther sug­gests it’s not in­tend­ing to cre­ate a per­ma­nent list of de­vel­oper iden­ti­ties that would be vul­ner­a­ble to le­gal de­mands. We’ve asked for more de­tail on what data Google re­tains from the ver­i­fi­ca­tion process and for what length of time.

There is also con­cern that de­vel­op­ers liv­ing in sanc­tioned na­tions might be un­able to ver­ify due to the re­quired fee. Google notes that the ver­i­fi­ca­tion process may vary across coun­tries and was not cre­ated specif­i­cally to bar de­vel­op­ers in places like Cuba or Iran. We’ve asked for de­tails on how Google will han­dle these edge cases and will up­date if we learn more.

Rolling out in 2026 and be­yond

Android users in most of the world don’t have to worry about de­vel­oper ver­i­fi­ca­tion yet, but that day is com­ing. In September, ver­i­fi­ca­tion en­force­ment will be­gin in Brazil, Singapore, Indonesia, and Thailand. Impersonation and guided scams are more com­mon in these re­gions, so Google is start­ing there be­fore ex­pand­ing ver­i­fi­ca­tion glob­ally next year. Google has stressed that the ad­vanced flow will be avail­able be­fore the ini­tial roll­out in September.

Google stands by its as­ser­tion that users are 50 times more likely to get mal­ware out­side Google Play than in it. A big part of the gap, Samat says, is Google’s de­ci­sion in 2023 to be­gin ver­i­fy­ing de­vel­oper iden­ti­ties in the Play Store. This pro­vided a frame­work for uni­ver­sal de­vel­oper ver­i­fi­ca­tion. While there are cer­tainly rea­sons Google might like the con­trol ver­i­fi­ca­tion gives it, the Android team has felt real pres­sure from reg­u­la­tors in ar­eas with mal­ware is­sues to ad­dress plat­form se­cu­rity.

“In a lot of coun­tries, there is chat­ter about if this is­n’t safer, then there may need to be reg­u­la­tory ac­tion to lock down more of this stuff,” Samat told Ars Technica. “I don’t think that it’s well un­der­stood that this is a real se­cu­rity con­cern in a num­ber of coun­tries.”

Google has al­ready started de­liv­er­ing the ver­i­fier to de­vices around the world—it’s in­te­grated with Android 16.1, which launched late in 2025. Eventually, the ver­i­fier and ad­vanced flow will be on all cur­rently sup­ported Android de­vices. However, the UI will be con­sis­tent, with Google pro­vid­ing all the com­po­nents and scare screens. So what you see here should be sim­i­lar to what ap­pears on your phone in a few months, re­gard­less of who made it.

Ryan Whitwam is a se­nior tech­nol­ogy re­porter at Ars Technica, cov­er­ing the ways Google, AI, and mo­bile tech­nol­ogy con­tinue to change the world. Over his 20-year ca­reer, he’s writ­ten for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has re­viewed more phones than most peo­ple will ever own. You can fol­low him on Bluesky, where you will see pho­tos of his dozens of me­chan­i­cal key­boards.

Once again, ULA can’t de­liver when the US mil­i­tary needs a satel­lite in or­bit

You’re likely al­ready in­fected with a brain-eat­ing virus you’ve never heard of

NASA wants to know how the launch in­dus­try’s chic new rocket fuel ex­plodes

Rocket Report: Canada makes a ma­jor move, US Space Force says ac­tu­ally, let’s be hasty

Microsoft keeps in­sist­ing that it’s deeply com­mit­ted to the qual­ity of Windows 11

Rule 1. You can’t tell where a pro­gram is go­ing to spend its time. Bottlenecks oc­cur in sur­pris­ing places, so don’t try to sec­ond guess and put in a speed hack un­til you’ve proven that’s where the bot­tle­neck is.

Rule 2. Measure. Don’t tune for speed un­til you’ve mea­sured, and even then don’t un­less one part of the code over­whelms the rest.

Rule 3. Fancy al­go­rithms are slow when n is small, and n is usu­ally small. Fancy al­go­rithms have big con­stants. Until you know that n is fre­quently go­ing to be big, don’t get fancy. (Even if n does get big, use Rule 2 first.)

Rule 4. Fancy al­go­rithms are bug­gier than sim­ple ones, and they’re much harder to im­ple­ment. Use sim­ple al­go­rithms as well as sim­ple data struc­tures.

Rule 5. Data dom­i­nates. If you’ve cho­sen the right data struc­tures and or­ga­nized things well, the al­go­rithms will al­most al­ways be self-ev­i­dent. Data struc­tures, not al­go­rithms, are cen­tral to pro­gram­ming.

Pike’s rules 1 and 2 re­state Tony Hoare’s fa­mous maxim “Premature op­ti­miza­tion is the root of all evil.”

Ken Thompson rephrased Pike’s rules 3 and 4 as “When in doubt, use brute force.”.

Rules 3 and 4 are in­stances of the de­sign phi­los­o­phy KISS.

Rule 5 was pre­vi­ously stated by Fred Brooks in The Mythical Man-Month. Rule 5 is of­ten short­ened to “write stu­pid code that uses smart ob­jects”.

For var­i­ous rea­sons, I have de­cided to move as many ser­vices and sub­scrip­tions as pos­si­ble from non-EU coun­tries to the EU or to switch to European ser­vice providers. The rea­sons for this are the cur­rent global po­lit­i­cal sit­u­a­tion and im­proved data pro­tec­tion. I don’t want to go into the first point any fur­ther for var­i­ous rea­sons, but the sec­ond point should be im­me­di­ately ob­vi­ous, since the EU cur­rently has the most user-friendly laws when it comes to data pro­tec­tion. Below, I will list both the old and new ser­vice providers; this is not an ad­ver­tise­ment, but sim­ply the re­sult of my re­search, which was aimed at achiev­ing the same or bet­ter qual­ity at af­ford­able prices.

I would call this post an in­terim re­port, and I will ex­pand on it if I end up mi­grat­ing more ser­vices.

In my opin­ion, Fastmail is one of the best email providers. In all the years I’ve had my email ac­counts there, I’ve never had any prob­lems. I paid 10 eu­ros a month for two ac­counts, could use an un­lim­ited num­ber of my own do­mains, and could not only set up catch-all ad­dresses but also send emails from any email ad­dress I wanted. This is im­por­tant for my email setup. The cal­en­dar is also solid and was used within the fam­ily. All of this was also avail­able in a well-de­signed Android app. Finding a European al­ter­na­tive that of­fers all of this proved dif­fi­cult. First, I tried mail­box.org, which I can gen­er­ally rec­om­mend with­out reser­va­tion. Unfortunately, you can’t send emails from any ad­dress on your own do­main with­out a workaround, so the search con­tin­ued. Eventually, I landed on Uberspace. This “pay what you want” provider of­fers a shell ac­count, web host­ing, email host­ing, and more at fair prices. In ad­di­tion, you can use as many of your own do­mains as you like for both web and email, and send emails from any sender ad­dress. There is­n’t a ded­i­cated app, which is why I now use Thunderbird for Android and am very sat­is­fied with it.

Uberspace does­n’t of­fer a built-in cal­en­dar so­lu­tion. So I tried in­stalling var­i­ous CalDAV servers, but none of them re­ally con­vinced me. In the end, I sim­ply in­stalled NextCloud on my Uberspace Asteroid, which has CalDAV and CardDAV built in. On my desk­top, I use Thunderbird as a client; on Android, I use DAVx5 and Fossil Calendar. It works great, even if NextCloud does come with some over­head. In re­turn, I can now eas­ily share files with oth­ers and, in the­ory, also use NextCloud’s on­line of­fice func­tion­al­ity.

Now that I’m al­ready us­ing Uberspace for my email and cal­en­dar, I was able to host this web­site there as well. I pre­vi­ously had a VPS with Hetzner for this pur­pose, which I no longer need. The only mi­nor hur­dle was that I use SSI on this site to man­age the header cen­trally. I had pre­vi­ously used Nginx, but Uberspace hosts on Apache, where the SSI im­ple­men­ta­tion is han­dled slightly dif­fer­ently. However, adapt­ing my HTML code was quite sim­ple, so I was able to quickly mi­grate the site to Uberspace.

For a long time, I was a sat­is­fied Namecheap cus­tomer. They of­fer good prices, a wide se­lec­tion of avail­able do­mains, their DNS man­age­ment has every­thing you need, and their sup­port team has helped me quickly on sev­eral oc­ca­sions. But now it was time to look for a com­pa­ra­ble provider in the EU. In the end, I set­tled on host­ing.de. Some of the rea­sons were the prices, re­views, the lo­ca­tion in Germany, and the avail­abil­ity of .is do­mains. So far, every­thing has been run­ning smoothly; sup­port helped me quickly and com­pe­tently with one is­sue; and while prices for non-Ger­man do­mains are slightly higher, they’re still within an ac­cept­able range.

At some point, pretty much every­one had their code on GitHub (or still does). I was no ex­cep­tion, though I had also hosted my own Gitea in­stance. Eventually, I got tired of that too and mi­grated all my Git repos­i­to­ries to code­berg.org. Codeberg is a German-based non­profit or­ga­ni­za­tion, and it’s hard to imag­ine go­ing wrong with this choice.

No changes here. I’ve al­ways been a happy Mullvad cus­tomer. For 5 eu­ros a month, I pay a Swedish com­pany that has proven it does­n’t log any data and does­n’t even re­quire me to cre­ate an ac­count. No sub­scrip­tion traps, no weird Black Friday deals, no dis­counts: just 5 eu­ros a month for a re­li­able, trust­wor­thy ser­vice.

For many years, I used my work smart­phone for per­sonal use as well. I was more than sat­is­fied with the Pixel 6, but un­der­stand­ably, I was­n’t al­lowed to in­stall a cus­tom ROM or use al­ter­na­tive app stores like F-Droid. That’s why I de­cided to buy a sep­a­rate per­sonal smart­phone. I chose the Pixel 9a, which is sup­ported by Graphene OS. I still in­stalled the Google Play Store so I could in­stall a sig­nif­i­cant num­ber of apps that are only avail­able there. However, I can now use al­ter­na­tive app stores, which al­lows me to in­stall and use apps like NewPipe. This way, I can en­joy YouTube ad-free and with­out an ac­count.

For ca­sual use on the couch, a Chromebook has been un­beat­able for me so far. It’s af­ford­able, the bat­tery lasts for­ever, and it wakes up from sleep mode ex­tremely quickly. To break away from Google here as well, I re­cently bought a cheap used 11-inch MacBook Air (A1465) to in­stall MX Linux with Fluxbox on it and use it for brows­ing and watch­ing videos. I haven’t had a chance to test it out yet, but I’m hop­ing it will be able to re­place the Chromebook.

Look, I get it. The foun­da­tions of the in­ter­net are bro­ken and we’ve some­how got­ten to a place where hav­ing a web­site is ei­ther ex­pen­sive, com­pli­cated, or per­ceived as un­nec­es­sary, whereas so­cial me­dia plat­forms are cheap and easy. But still, please, if you are a busi­ness or an in­di­vid­ual artist or cre­ator, have a fuck­ing web­site. “But-” fuck you, have a fuck­ing web­site.

I haven’t had a Facebook ac­count in a decade. I have Instagram blocked for most of the day so I don’t waste time scrolling it. If you’re a hair sa­lon, or a tat­too artist, or a restau­rant, or what­ever, please just have a fuck­ing web­site where I can go and see your rates and hours. Not all of your po­ten­tial clients are on these plat­forms, and I sus­pect that even many of the ones who are ap­pre­ci­ate a sim­ple, un­adorned site that tells them what they need to know at a glance.

Not only that, but as we saw with Twitter a few years ago, plat­forms can change the rules overnight so that the fol­low­ing you’ve built up is sud­denly worth­less. Or they can de­cide to boot you for no rea­son and you’ll have no re­course. I get that IG is easy for shar­ing up­dates with peo­ple but it is so, so sim­ple to just set up a web­site once with a menu/​prices/​what­ever on it, then you can rest se­cure in the fact that you can be found on the in­ter­net re­gard­less of the whims of our drug-ad­dled tech over­lords.

You don’t own shit that you put on so­cial me­dia plat­forms. You don’t own your fol­lower counts, you don’t own your posts. Stop giv­ing away all of your shit to data har­vesters and ad­ver­tis­ers for free in ex­change for the il­lu­sion of im­por­tance that comes with likes and a fol­lower count. Set up a web­site — and while you’re at it, start a mail­ing list, be­cause email is ba­si­cally the only means of reach­ing your con­tacts that can’t eas­ily be taken away from you.

The in­ter­net was built on web­sites that linked to one an­other. The con­cept of con­gre­gat­ing in walled gar­dens owned by pe­dophilic fas­cist speed freaks who ac­tively block the shar­ing of links in an ef­fort to keep peo­ple scrolling on their plat­forms is very new. With any luck, it will pass sooner rather than later, and every time some­one cre­ates an ac­tual fuck­ing web­site, that day gets a lit­tle closer.

Age ver­i­fi­ca­tion is no longer a nar­row mech­a­nism for a few adult web­sites. Across Europe, the USA, the UK, Australia, and else­where, it is ex­pand­ing into so­cial me­dia, mes­sag­ing, gam­ing, search, and other main­stream ser­vices.

The com­mon fram­ing says these sys­tems ex­ist to pro­tect chil­dren. That con­cern is real. Children are ex­posed to harm­ful con­tent, ma­nip­u­la­tive rec­om­men­da­tion sys­tems, preda­tory be­hav­ior, and com­pul­sive plat­form de­sign. Even adults are ma­nip­u­lated, quite suc­ces­fully, with tech­niques that can in­flu­ence na­tional elec­tions.

But from a tech­ni­cal and po­lit­i­cal point of view, age ver­i­fi­ca­tion is not just a child-safety fea­ture. It is an ac­cess con­trol ar­chi­tec­ture. It changes the de­fault con­di­tion of the net­work from open ac­cess to per­mis­sioned ac­cess. Instead of re­ceiv­ing con­tent un­less some­thing is blocked, users in­creas­ingly have to prove some­thing about them­selves be­fore a ser­vice is al­lowed to re­spond.

That shift be­comes clearer when age as­sur­ance moves down into the op­er­at­ing sys­tem. In some US pro­pos­als, the model is no longer a one-off check at a web­site. It be­comes a per­sis­tent age-sta­tus layer main­tained by the OS and ex­posed to ap­pli­ca­tions through a sys­tem-level in­ter­face. At that point, age ver­i­fi­ca­tion stops look­ing like a lim­ited safe­guard and starts look­ing like a gen­eral iden­tity layer for the whole de­vice.

This is no longer only a pro­pri­etary-plat­form story ei­ther. Even the Linux desk­top stack is be­gin­ning to ab­sorb this pres­sure. sys­temd has re­port­edly added an op­tional birth­Date field to userdb in re­sponse to age-as­sur­ance laws. Regulation is be­gin­ning to shape the data model of per­sonal com­put­ing, so that higher-level com­po­nents can build age-aware be­hav­ior on top.

Content mod­er­a­tion is about clas­si­fi­ca­tion and fil­ter­ing. It asks whether some con­tent should be blocked, la­beled, de­layed, or han­dled dif­fer­ently. Guardianship is some­thing else. It is the con­tex­tual re­spon­si­bil­ity of par­ents, teach­ers, schools, and other trusted adults to de­cide what is ap­pro­pri­ate for a child, when ex­cep­tions make sense, and how su­per­vi­sion should evolve over time. Moderation is partly tech­ni­cal. Guardianship is re­la­tional, lo­cal, and sit­u­ated in spe­cific con­texts.

I am also a par­ent. I un­der­stand the fear be­hind these pro­pos­als be­cause I live with it too. Children do face real on­line risks. But rec­og­niz­ing that does not oblige us to ac­cept any so­lu­tion placed in front of us, least of all one that weak­ens pri­vacy for every­one while shift­ing re­spon­si­bil­ity away from fam­i­lies, schools, and the peo­ple who ac­tu­ally have to guide chil­dren through dig­i­tal life.

Age-verification laws col­lapse these two ques­tions into one cen­tral­ized an­swer. The re­sult is pre­dictable. A plat­form, browser ven­dor, app store, op­er­at­ing-sys­tem provider, or iden­tity in­ter­me­di­ary is asked to en­force what is pre­sented as a child-pro­tec­tion pol­icy, even though no cen­tral­ized ac­tor can re­place the judg­ment of a par­ent, a school, or a lo­cal com­mu­nity.

It also fails on its own terms. The by­passes are ob­vi­ous: VPNs, bor­rowed ac­counts, pur­chased cre­den­tials, fake cre­den­tials, and tricks against age-es­ti­ma­tion sys­tems. A con­trol that is easy to evade but ex­pen­sive to im­pose is not a se­ri­ous com­pro­mise: it is an er­ror or, one may say, a cor­po­rate data-grab.

The price is high and paid by every­one. More iden­tity checks. More meta­data. More log­ging. More ven­dors in the mid­dle. More fric­tion for peo­ple who lack the right de­vice, the right pa­pers, or the right dig­i­tal skills. This is not a mi­nor safety fea­ture. It is a new con­trol layer for the net­work.

And once that layer ex­ists, it rarely stays con­fined to age. Infrastructure built for one at­tribute is eas­ily reused for oth­ers: lo­ca­tion, cit­i­zen­ship, le­gal sta­tus, plat­form pol­icy, or what­ever the next panic de­mands. This is how a lim­ited check be­comes a gen­eral gate.

Keep guardian­ship where it be­longs: with par­ents, teach­ers, schools, and com­mu­ni­ties that can make con­tex­tual de­ci­sions, au­tho­rize ex­cep­tions, and ad­just over time.

The op­er­at­ing sys­tem can help here, but only as a lo­cal pol­icy sur­face un­der the con­trol of users and guardians. It should not be­come a uni­ver­sal age-broad­cast­ing layer for apps and re­mote ser­vices. That is the ar­chi­tec­tural line that mat­ters.

Most of the harms in­voked in this de­bate do not come from the mere ex­is­tence of con­tent on­line. They come from rec­om­men­da­tion sys­tems, dark pat­terns, ad­dic­tive met­rics, and busi­ness mod­els that re­ward am­pli­fi­ca­tion with­out re­spon­si­bil­ity. If the goal is to pro­tect mi­nors, that is where reg­u­la­tion should bite.

If we are se­ri­ous about re­duc­ing harm, we should stop ask­ing how to iden­tify every­one and start ask­ing how to strengthen lo­cal con­trol with­out turn­ing the net­work into a check­point.

It is en­cour­ag­ing to see this ar­ti­cle cir­cu­lat­ing widely, as it may con­tribute to a shift in how pol­i­cy­mak­ers ap­proach the is­sue. Given its grow­ing vis­i­bil­ity, I will keep a con­cise record here of the se­quence of its cov­er­age across me­dia out­lets, as well pi­lot im­ple­men­ta­tions across the world.

My first ac­count on the prob­lem emerged from a di­a­logue with Brave’s de­vel­oper Kyle den Hartog at a cypher­punk re­treat in Berlin. It was right af­ter fa­cil­i­tat­ing the dig­i­tal iden­tity track of the event that I pub­lished a rather tech­ni­cal piece on the topic.

Later, as age ver­i­fi­ca­tion mea­sures be­gan to take hold, and in align­ment with our com­mu­nity fa­cil­i­ta­tors at the Dyne.org foun­da­tion, we de­cided to dis­con­tinue Discord as a chan­nel for par­tic­i­pa­tion, as the plat­form moved to im­pose age ver­i­fi­ca­tion.

Then the sys­temd dis­pute un­folded, and I found my­self, as founder of the pro­ject, as the first dis­tro main­tainer stat­ing that we would not im­ple­ment age ver­i­fi­ca­tion in Devuan GNU/Linux, a Debian fork with­out sys­temd that has, since 2016, shown fewer bugs and se­cu­rity ad­vi­sories. The tech jour­nal­ist Lunduke picked it up im­me­di­ately, set­ting off a wave of sim­i­lar de­c­la­ra­tions across the dis­tri­b­u­tion main­tainer com­mu­nity.

That was the mo­ment I re­alised the need to set out, in clear terms, the rea­sons be­hind this choice, and the grounds for a form of con­sci­en­tious ob­jec­tion should such laws ever be en­forced on our pro­jects at Dyne.org. I then wrote a piece for Wired Italy, in Italian, my mother tongue, which is due to be pub­lished by the mag­a­zine in the com­ing days (link TBD).

While await­ing pub­li­ca­tion in Wired, I trans­lated the ar­ti­cle and pub­lished it here, in English, through our think and do tank. The piece you have just read quickly reached the front page of Hacker News, draw­ing nearly 400 com­ments from con­cerned read­ers and tech­ni­cal ex­perts, a valu­able body of ma­te­r­ial to build on.

As the dis­cus­sion gains mo­men­tum, I am en­gag­ing with col­leagues at the City of Lugano and the Plan₿ Foundation, where I have re­cently taken on the role of Scientific Director. The pro­posal is to move from analy­sis to ac­tion by es­tab­lish­ing a city-wide pi­lot that ex­plores tech­nolo­gies for lo­cally man­aged guardian­ship, of­fer­ing a con­struc­tive ex­am­ple for Switzerland.

We are ap­proach­ing this with con­fi­dence and prepar­ing for a roll­out for Lugano within the next two years. At the same time, within the Swiss Confederation there are signs of a more grounded di­rec­tion, as re­flected in “The Internet Initiative” plac­ing re­spon­si­bil­ity on Big Tech and bring­ing to­gether rep­re­sen­ta­tives from all ma­jor Swiss po­lit­i­cal par­ties.

My next steps in­clude reach­ing out to con­tacts in Europe to help broaden the dis­cus­sion and con­tribute to a more bal­anced pub­lic de­bate, in the face of sus­tained pres­sure from cor­po­rate lob­bies ad­vanc­ing data-ex­trac­tive mea­sures.

And you can play a mean­ing­ful role as well: en­gage with the is­sue, bring your tech­ni­cal and po­lit­i­cal un­der­stand­ing to it, and help sus­tain at­ten­tion so that those who make up the in­ter­net are not ex­cluded from de­ci­sions that af­fect it. I hope this ma­te­r­ial and the rea­son­ing be­hind it can be use­ful in that di­rec­tion. Do let us at Dyne.org know if we can as­sist in mak­ing vis­i­ble suc­cess­ful lo­cal pi­lots that im­ple­ment child pro­tec­tion in a sound and pro­por­tion­ate way.

If you like to read fur­ther, I’ve writ­ten more about the prob­lems of European Digital Identity im­ple­men­ta­tion plans and ar­chi­tec­ture.

I’ve been work­ing on pri­vacy and iden­tity tech­nol­ogy for over a decade, pri­mar­ily in pro­jects funded by the European Commission.

Among my ef­forts are de­code­pro­ject.eu and re­flow­pro­ject.eu, var­i­ous aca­d­e­mic pa­pers, in­clud­ing SD-BLS, re­cently pub­lished by IEEE. Additionally, with our team at The Forkbomb Company we’ve de­vel­oped dig­i­tal iden­tity prod­ucts as DID­ROOM.com and CRED­IMI.io.

There’s not much worth quot­ing in this PC Gamer ar­ti­cle but I do want to draw your at­ten­tion to three things.

First, what you see when you nav­i­gate to the page: a no­ti­fi­ca­tion popup, a newslet­ter popup that ob­scures the ar­ti­cle, and a dimmed back­ground with at least five vis­i­ble ads.

Second, once you get passed the wel­come mat: yes, five ads, a ti­tle and a sub­ti­tle.

Third, this is a whop­ping 37MB web­page on ini­tial load. But that’s not the worst part. In the five min­utes since I started writ­ing this post the web­site has down­loaded al­most half a gi­ga­byte of new ads.

We’re lucky to have so many good RSS read­ers that cut through this non­sense. 1

Trees take quite a while to grow. If some­one 50 years ago planted a row of oaks or a chest­nut tree on your plot of land, you have some­thing that no amount of money or ef­fort can repli­cate. The only way is to wait. Tree-lined roads, old gar­dens, houses shel­tered by decades of canopy: if you want to start fresh on an empty plot, you will not be able to get that.

Because some things just take time.

We know this in­tu­itively. We pay pre­mi­ums for Swiss watches, Hermès bags and old prop­er­ties pre­cisely be­cause of the time em­bed­ded in them. Either be­cause of the time it took to build them or be­cause of their age. We re­quire age min­i­mums for dri­ving, vot­ing, and drink­ing be­cause we be­lieve ma­tu­rity only comes through lived ex­pe­ri­ence.

Yet right now we also live in a time of in­stant grat­i­fi­ca­tion, and it’s en­ter­ing how we build soft­ware and com­pa­nies. As much as we can speed up code gen­er­a­tion, the real defin­ing el­e­ment of a suc­cess­ful com­pany or an Open Source pro­ject will con­tinue to be tenac­ity. The abil­ity of lead­er­ship or the main­tain­ers to stick to a prob­lem for years, to build re­la­tion­ships, to work through chal­lenges fun­da­men­tally de­fined by hu­man life­times.

The cur­rent gen­er­a­tion of startup founders and pro­gram­mers is ob­sessed with speed. Fast it­er­a­tion, rapid de­ploy­ment, do­ing every­thing as quickly as pos­si­ble. For many things, that’s fine. You can go fast, leave some qual­ity on the table, and learn some­thing along the way.

But there are things where speed is ac­tively harm­ful, where the fric­tion ex­ists for a rea­son. Compliance is one of those cases. There’s a strong de­sire to elim­i­nate every­thing that processes like SOC2 re­quire, and an en­tire in­dus­try of turnkey so­lu­tions has sprung up to help —

Delve just be­ing one ex­am­ple, there are more.

There’s a feel­ing that all the things that cre­ate fric­tion in your life should be au­to­mated away. That hu­man in­volve­ment should be re­placed by AI-based de­ci­sion-mak­ing. Because it is the fric­tion of the process that is the prob­lem. When in fact many times the fric­tion, or that things just take time, is pre­cisely the point.

There’s a rea­son we have cool­ing-off pe­ri­ods for some im­por­tant de­ci­sions in one’s life. We rec­og­nize that peo­ple need time to think about what they’re do­ing, and that do­ing some­thing right once does­n’t mean much be­cause you need to be able to do it over a longer pe­riod of time.

AI writes code fast which is­n’t news any­more. What’s in­ter­est­ing is that we’re push­ing this force down­stream: we seem­ingly have this de­sire to ship faster than ever, to run more ex­per­i­ments and that cre­ates a new de­sire, one to re­move all the re­main­ing fric­tion of re­views, de­sign­ing and con­fig­ur­ing in­fra­struc­ture, any­thing that slows the pipeline. If the ma­chines are so great, why do we even need check­lists or per­mis­sion sys­tems? Express de­sire, en­joy re­sult.

Because we now be­lieve it is im­por­tant for us to just do every­thing faster. But in­creas­ingly, I also feel like this means that the shelf life of much of the soft­ware be­ing cre­ated to­day — soft­ware that peo­ple and busi­nesses should de­pend on — can be mea­sured only in months rather than decades, and the re­la­tion­ships along­side.

In one of last year’s ear­lier YC batches, there was al­ready a hand­ful that just dis­ap­peared with­out even say­ing what they learned or say­ing good­bye to their cus­tomers. They just shut down their pub­lic pres­ence and moved on to other things. And to me, that is not a sign of healthy it­er­a­tion. That is a sign of break­ing the ba­sic trust you need to build a re­la­tion­ship with cus­tomers. A proper shut­down takes time and ef­fort, and our cur­rent en­vi­ron­ment treats that as time not wisely spent. Better to just move on to the next thing.

This is ex­tend­ing to Open Source pro­jects as well. All of a sud­den, every­thing is an Open Source pro­ject, but many of them only have com­mits for a week or so, and then they go away be­cause the mo­ti­va­tion of the cre­ator al­ready waned. And in the name of ex­per­i­men­ta­tion, that is all good and well, but what makes a good Open Source pro­ject is that you think and truly be­lieve that the per­son that cre­ated it is ei­ther go­ing to stick with it for a very long pe­riod of time, or they are able to set up a strat­egy for suc­ces­sion, or they have cre­ated enough of a com­mu­nity that these pro­jects will stand the test of time in one form or an­other.

Relatedly, I’m also in­creas­ingly skep­ti­cal of any­one who sells me some­thing that sup­pos­edly saves my time. When all that I see is that every­body who is like me, fully on­boarded into AI and agen­tic tools, seem­ingly has less and less time avail­able be­cause we fall into a trap where we’re im­me­di­ately fill­ing it with more things.

We all sell each other the idea that we’re go­ing to save time, but that is not what’s hap­pen­ing. Any time saved gets im­me­di­ately cap­tured by com­pe­ti­tion. Someone who ac­tu­ally takes a breath is out­ma­neu­vered by some­one who fills every freed-up hour with new out­put. There is no easy way to bank the time and it just dis­ap­pears.

I feel this acutely. I’m very close to the red-hot cen­ter of where eco­nomic ac­tiv­ity around AI is tak­ing place, and more than any­thing, I have less and less time, even when I try to pur­pose­fully scale back and cre­ate the space. For me this is a prob­lem. It’s a prob­lem be­cause even with the best in­ten­tions, I ac­tu­ally find it very hard to cre­ate qual­ity when we are quickly com­modi­tiz­ing soft­ware, and the ma­chines make it so ap­peal­ing.

I keep com­ing back to the trees. I’ve been main­tain­ing Open Source pro­jects for close to two decades now. The last startup I worked on, I spent 10 years at. That’s not be­cause I’m par­tic­u­larly dis­ci­plined or vir­tu­ous. It’s be­cause I or some­one else, planted some­thing, and then I kept show­ing up, and even­tu­ally the thing had roots that went deeper than my en­thu­si­asm on any given day. That’s what time does! It turns some idea or plan into a com­mit­ment and a com­mit­ment into some­thing that can shel­ter and grow other peo­ple.

Nobody is go­ing to mass-pro­duce a 50-year-old oak. And no­body is go­ing to con­jure trust, or qual­ity, or com­mu­nity out of a week­end sprint. The things I value most — the pro­jects, the re­la­tion­ships, the com­mu­ni­ties — are all things that took years to be­come what they are. No tool, no mat­ter how fast, was go­ing to get them there sooner.

We re­cently planted a new tree with Colin. I want it to grow into a large one. I know that’s go­ing to take time, and I’m not in a rush.