Strong agree! I find writing a lot of toy implementations speed-runs learning. If you do it naively, you’ll constantly have to refactor around the next unforeseen hurdle making you appreciate solutions all the more (teaching you a lot!) Different crutches are available e.g. Schematics of Computation guides you through modifications of existing software to teach you how they work or Architecture of Open Source Applications AOSA’s 500 Lines or Less guides, but I vacillate whether they help or disrupt creativity and prevent you from truly appreciating why. It’s great to learn from others’ mistakes, but how precious few tell you what mistakes they made before! I’ve been thinking how to make useful engineering katas/koans for a while.
Right hand missed the memo and needs a quick meeting with left hand.
Honestly, this seems like an OK outcome to me. The software gets an open-source license for something that should never have been a centralized service in the first place, and the investors eat the development cost.
This guide shows visually how Git rearranges the graph of commits for the major operations.
Once you’ve played with Git, this resource allows you to understand what Git does, and that allows you to use commands efficiently to rebase or cherry-pick without struggling.
This is the resource I recommend the most to newcomers to Git, not to use the first day, but after one week.
It’s especially important for people working on team projects, like open-source projects, to cope with main branch rebase.
but it’s not easy to tell how much someone is self-promoting by looking at their profile.
One practical thing: just look at their submissions, and see how many they authored (no need to look at comments) vs just submitted (I’ll use this as an example–no beef with the author, I just know they tend to be the source of “What are you doing this week?” posts).
@pushcx could probably make this easier with a visible measure of submitted vs authored, and even easier via a measure of how many unique domains they submit vs total submissions (a select subexample from one user’s history being this page, where two domains are clearly favored because the user posts to the same two domains).
As for the rest…
I disagree heavily–it’s part of the immune system of the site. Users acting in good faith will typically say “oh shit, sorry” and that’ll be that, whereas other ones will argue and feed the flames (resulting in the behavior you see).
Everybody wants a nice place that isn’t full of growth hacking and antisocial behavior, but in order to have that you need to call people on this sort of thing publicly. It’s not enough to send a polite PM, because bad-faith actors will not do anything about it.
For folks talking about uneven application: the solution isn’t to remove the norm, because it exists for a reason. The solution is to step in whenever you see it happening. You can just do things, you can help contribute (as over a decade of Lobsters have) in pushing Eternal September back just a few more hours.
I can point at previous longer, nicer writeups I’ve had on this topic, but the thing is there is a very large target on our community front page and we all need to do our part in keeping it from becoming an open dumping ground.
it’s hard to point to any popular open-source tools that fully support HTTP/3: rollout has barely even started
Ummm..?? Caddy enables HTTP/3 by default since September 2022 (v2.6) and Caddy is, like, almost the default choice for “just serve a website from this unix box” these days.
I can take advantage of HTTP/3 in a 20-line quickie demo app written in Swift (or Obj-C, or with some more work C.) It’s not that it’s “too big and awkward”, it’s just that the open source world seems to have dropped the ball on supporting it.
There are a rare few external libraries for some languages, but all are experimental and/or independent of other core networking APIs. Despite mobile networking being a key use case for HTTP/3, Android’s most popular HTTP library has no support
Completely ignoring the fact that Apple’s APIs have supported QUIC and HTTP/3 since about 2021. That means pretty much all native iOS and Mac apps support it, i.e. programs that use NSURLConnection or Network.framework instead of low-level sockets. That’s a pretty good fraction of mobile networking right there.
I have to assume the author either lives in a reality distortion field where Apple doesn’t exist, or just implicitly considers non-open-source unworthy of mention.
(SQLite is a major example of an open source project that is not open to contributions.)
I’m pretty sure SQLite accepts contributions from people that sign a CLA. Its web page says they don’t accept pull requests. Anyhow, I have yet to find a clear authoritative summary of this, so please set me straight if I’m wrong or omitting anything.
I would consider SQLite open source. I think you’re missing my main point though - this is why I said “depending on how you define open source”, and why I said “typically associate”. SQLite still has a public bug tracker and a public VCS repository. Public domain does not imply these things, and my comment was much more focused on contrasting “open source” with public domain status than it was on trying to draw a line in the sand for what constitutes open source.
I focused on the former because that’s what the comment I was replying to was directly asking about.
For example, public domain status does not imply an issue tracker, or patch submission process, or anything like that that we’d typically associate with a project being open source.
Do you not consider SQLite open source? (SQLite is a major example of an open source project that is not open to contributions.)
I’ve disabled the pending geoblock of the UK because I now think the risks of the Online Safety Act to this site are low enough to change strategies to only geoblock if directly threatened by the regulator.
It’s taken dozens of hours over the last few months to understand the risks of this law and I’ve seen other communities linking to our threads as they start figuring it out.
So this comment is a big roundup: an introduction of the law that addresses common misconceptions, a summary of our evaluation, and a look forward to similar future laws.
If you want more details I kept a log of the process in comments to our story on LFGSS and our primary story on it, and this post is me trying to collect all that jumble into a single coherent piece.
I hope this summary will be useful to other online communities navigating the same issues we are, so let me give a bit of introduction about where this post comes from.
Lobsters is a computing-focused community centered around link aggregation and discussion started in 2012.
I’ve been the site admin since 2017.
I have a 25 year career as a programmer, I’m American, and my views on speech are heavily informed by my experience as a journalist at the Washington Post: I see running this forum as a form of trade journalism.
(I tried to place this with a few outlets without luck. The last couple months have been busy for international political news, so, no luck there.
To close out some other loose ends that didn’t work out, I never did hear back from my Senators, Senator Wyden, or the US Embassy to the UK.)
This law, and law generally
The Online Safety Act is a law that censors every site with user-generated content like comments, starting on March 17, 2025.
(There are a few relevant caveats I’ll explain towards the end.)
Under this law, many kinds of speech and publishing become illegal.
It tries to place impossible obligations on sites even if they are not in the UK, tiny, noncommercial, or harmless.
Rather than restrict UK publishers or what UK readers are allowed to read, it claims the even broader authority to censor every site with a reader in the UK.
The law designates a UK government office called Ofcom as the censor.
Ofcom is empowered to define specific regulations and enforce them.
They explain the OSA’s reach by writing:
The rules apply to organisations big and small, from large and well-resourced companies to very small ‘micro-businesses’. They also apply to individuals who run an online service.
It doesn’t matter where you or your business is based. The new rules will apply to you (or your business) if the service you provide has a significant number of users in the UK, or if the UK is a target market.
I include this quote because it starts with one of the few clear statements of the OSA’s global aspirations and addresses some common “surely it can’t be that bad” assumptions.
Then the statement sinks into a perfect example of Ofcom’s legalese.
That last sentence is built on three terms:
“significant number”, which Ofcom has only defined in the negative by saying it “isn’t a numeric threshold” and “we would need to see robust evidence to demonstrate any assertion that there isn’t a ‘significant number’ of UK users on the service”
“target market”, which the law and Ofcom repeatedly use but have never defined
Running down these definitions brings us to a particularly tempting peril for programmers: making sense of laws feels like diving into a codebase.
We’re dereferencing terms to build up definitions and chaining the predicates into a state machine we can run in our heads against our situation.
But programmers are bad at playing lawyers because the law works very differently than code.
The famous pitfall of legal writing is that a harmless-looking word like “reasonable” or “reasonably” (which appear 108 times in the OSA) is actually jargon freighted with centuries of legacy code.
But the bigger problem for programmers is the unknown unknown legal principles we fill in with intuition based on our programming experience.
We love to look for clever loopholes.
We assume a judge would act like a compiler and throw out an entire contract at the first exception because our work type-checks or it doesn’t build.
We don’t include principles like lex specialis or alternative pleading, and we don’t need entire agreement when we have git HEAD.
We are also prone to over-generalization, like in the ongoing Wordpress legal disputes where many programmers interpreted an injunction as a court “forcing an open source maintainer into providing services”.
When we feel surprise and mild outrage at an absurdity or contradiction in programming, it’s a sign our intuition, built on years of experience, is leading us to recognize bugs.
When we have those same feelings reading the law, it’s a sign our inexperience is leading us to make very basic errors.
Why does this law matter?
The OSA threatens sites with penalties up to $22 million USD (or 10% of global revenue, whichever is greater, but of course that’s $0 for Lobsters).
The OSA has made serious threats of enormous fines and jail time because the UK wants the law to be taken seriously - and I do.
One of the OSA’s rules undermines privacy in reading.
It demands that some sites require highly invasive identification proofs from users, like taking a live selfie while holding a government-issued ID card.
One site wasn’t sure if this rule applied to them and asked if they could delay implementation until Ofcom contacted them.
Ofcom replied:
When we write to you to say you’re in breach, that is: you are in breach.
You know, you need to take steps to get yourself compliant.
We’ve got all the tools and things that Alice and James have spoken about.
We want to engage with the industry as much as possible.
Don’t wait until you get that breach letter, reach out to us, work with us.
Because once that breach letter is there, that is the final.
And that is when we start full on enforcement action.
Allowing for the normal difference between conversational speaking and legal writing, Ofcom’s answer is that their first contact may be to impose a crushing penalty.
When explaining how sites must evaluate risks, Ofcom writes in bold, “we expect providers to err on the side of caution and select the higher risk level”.
The chance that Ofcom targets any one community out of the millions of blogs, forums, bug trackers, and other sites with user-generated content is small but the punishments are ruinous.
I look both ways when I cross the street for the same reason.
(Though perhaps our odds are worse, as a site with many employees of “tech giants” the current government is keen to regulate.)
Extra-territoriality
The primary problem with the OSA is its claims of extra-territorial jurisdiction, that the UK claims authority to censor any site readable by someone in the UK.
Despite inquiries from me and others, no UK legislators or Ofcom have attempted a legal theory justifying this overreach.
Countries have governed their own territories since 1648.
No one I’ve talked to is aware of an international treaty that grants the UK extra-territorial jurisdiction over everywhere people communicate online.
Further, UK legislators shouldn’t want this legal claim to hold up.
If every country can censor sites that can be read by their occupants, UK publishers and readers will quickly find themselves censored in turn.
The most eager censors will want to impose very incompatible cultural norms and political values, wrapped in identical justifications of saving the children from online harms.
I’ll explain why towards the end of this, but I now talk plainly about this law to restrict legal speech as censorship rather than reiterate its euphemisms about protecting users and responsible regulation.
There have been similar censorship laws elsewhere in the world.
They try to restrict discussion like which countries exist, whether a violent atrocity was committed, whether women are people, insults to the royal family, or which religions are permitted.
I’ve ignored them because they’ve mostly come from poor, despotic countries that would be vanishingly unlikely to be able to enforce them against this site.
However, a wealthy anglosphere country with politicians who score local points by getting tough on “American Tech Giants” is enormously different.
While it seems unlikely that the UK could effectively enforce this on a non-UK site, defending an international lawsuit would be exhausting and incredibly expensive.
There’s a classic book in US law called The Process is the Punishment.
It argues that the direct costs (like lawyers) and indirect costs (like lost work hours) can make winning exoneration of a minor crime into a life-altering punishment.
The years-long disruption of setting OSA case law is a serious punishment even if a site wins in court.
Why not just comply?
One way of avoiding that risk would be to obey in advance.
Lobsters spends its time kicking around programming minutia rather than producing 17 kinds of priority illegal content like defrauding people, selling firearms, human trafficking, or bullying children into suicide.
Surely the law is proportionate for such an anodyne service?
No.
It is not possible for a hobby site to comply with the Online Safety Act.
The OSA is written to censor huge commercial sites with professional legal teams, and even understanding one’s obligations under the regulations is an enormous project requiring expensive legal advice.
The law is 250 pages and the mandatory “guidance” from Ofcom is more than 3,000 pages of dense, cross-referenced UK-flavoured legalese.
To find all the guidance you’ll have to start here, click through to each of the 36 pages listed, and expand each page’s collapsible sections that might have links to other pages and documents.
(Though I can’t be sure that leads to all their guidance, and note you’ll have to check back regularly for planned updates.)
Let’s get into an example of understanding the OSA: is Lobsters a “multi-risk” site that is subject to extra scrutiny?
Ofcom’s definition begins on page 78 of this PDF and incorporates pages 58-68 of this one, with references that fan out to hundreds of concepts defined in vague legalese throughout dozens of similarly-named documents that you’ll have to hunt down.
Please do take a few minutes to try, I’ve struggled to convey what an enormous slog it is to answer these seemingly-straightforward questions.
But I call it impossible because every attempt I’ve made into answering a question like this has always gotten lost into undefined behavior:
Are replies to exempted comments also exempted?
What is the definition of “illegal harm”?
Is there a usable list of what depictions are pornography? A list of which depictions are “extreme” pornography?
Which methods of forcing readers to identify themselves are considered highly effective?
If a forum has never had illegal content posted but could at any time, is it high risk or low risk?
How much would you be willing to bet on these answers? Because if you are an individual or small company, you are betting everything you have.
Lobsters is publicly readable with an open source codebase so theoretically anyone should be able to determine if Lobsters is “multi-risk”.
I’ve lost enough time to these dead ends that I’m unwilling to listen to any suggestion that sites should “just comply” if it doesn’t start with a show-your-work answer to at least this one question.
Fully complying would mean producing paperwork to assess dozens of censorship responsibilities, continually produce documentation of compliance, and produce all of this and much more should Ofcom inquire.
And then remember that all this work should be reviewed by a lawyer because we can’t tell if we’ve blundered until Ofcom comes knocking.
The UK government’s “high estimate” is that sites would need two hours of legal advice to comply with the entire OSA.
Why is this so hard?
Why is everything an endless snarl of cross-references and dishonest euphemisms about saving the children?
Why does Ofcom do that?
Ofcom can’t edit the law.
Where it’s vague they can perhaps pick a plausible interpretation, but they can’t change the law.
Ofcom is a government office headed by a political appointee.
When the law has obvious contradictions, demonstrates ignorance of internet standards, or leads to ridiculous conclusions, Ofcom can’t give answers that are too politically embarrassing.
Compare this series of questions to Ofcom’s non-response.
That’s why an admission that sites will geoblock the UK is surrounded by contradicting statements like “to continue to enjoy a vibrant digital economy” and “we’re not reducing the range of services in the UK”.
It’s Ofcom’s duty to censor and call it regulating.
Indefinitely delaying the pending geoblock
Getting back to the news I opened with, I’ve lifted the scheduled geoblock that I described as our “current, bad plan” because it feels terrible to place a brick in the Great Firewall the UK is building around itself.
The risk to Lobsters isn’t gone, but after the last couple months of collaboration and research I think the risks are reduced to a level that I’m willing to take them.
The risks are reduced by several independent lines of reasoning.
(Remember alternative pleading?)
In roughly descending order:
1. UK law does not apply to American sites like Lobsters.
The OSA’s claims of extra-territorial reach defy centuries of law.
I can’t find that any of the OSA’s proponents, authors, advocates, or Ofcom have advanced a legal theory to justify its extra-territorial claims.
The UK will quickly regret supporting this whole “if we can read it, we can censor it” claim when it’s used against it by wealthy countries it can’t ignore.
5. Lobsters is not a “regulated service” because it does not have a “significant number” of UK users.
Ofcom's [example risk assessments](https://www.ofcom.org.uk/siteassets/resources/documents/online-safety/information-for-industry/illegal-harms/risk-assessment-guidance-and-risk-profiles.pdf?v=390984) suggest that “small” services have 5,000-50,000 monthly UK users.
Lobsters does not have analytics geolocating users but in [our thread on the OSA](https://lobste.rs/s/ukosa1) only 4 users implied they occupy the UK.
(Several more implied they are UK citizens, but in true programmer fashion this seemed mostly to be exploring corner cases about residing in Canada or on the [Isle of Man](https://lobste.rs/s/ukosa1/uk_users_lobsters_needs_your_help_with#c_oprpgm).)
No available information implies Lobsters is read by a significant number of UK occupants, though see next for more on "significant number".
8. Lobsters is not a regulated service because Ofcom doesn’t treat it as one.
If you read their pages or watch their webinars, Ofcom regularly offers to answer questions from regulated services, like “If you reach out to us, we want to have conversations about what applies to your service.”
Ofcom has ignored my emails on Jan 7, Jan 15, Jan 20, Jan 22, and Feb 18.
One email got a reply from a PR flack who demanded not to be identified and did not address my questions.
I understand this to mean that Ofcom agrees Lobsters is not a regulated service.
What’s next for the UK and Lobsters?
Hopefully nothing.
I would be very happy to resume never thinking about Ofcom and UK law.
In the unlikely event that Lobsters is targeted by Ofcom and all other defenses fail, I’ll give what warning I can before I geoblock the UK.
While Ofcom has threatened to punish people from their first interaction, the extra hurdles of overcoming the 8 reasons the OSA does not apply to this site plus their own potential expenses in international enforcement have me optimistic they’d drop it.
For UK occupants: the only clear, usable writing I’ve found on the OSA is written by UK lawyer Neil Brown, whose site about the OSA is excellent and contains many sample documents.
I can’t thank Neil enough for how generously he’s answered many questions for me.
(And don’t miss his In Memoriam list.)
I don’t generally talk about my politics online, I never have, and I’m very unlikely to start. I think “You Just Don’t Do That” is one of those family beliefs I absorbed growing up without ever thinking about. When I worked as a journalist I was in a culture that valued “no cheering from the press box”, as my boss put it, and that reinforced my reluctance. This attitude has turned out useful as a mod: if my opinion is private, there’s a better chance I can be perceived as the impartial arbitrator I try hard to be. I guess that also shows that I don’t feel so confident and righteous in my political positions that I’m seriously tempted to try to enforce them (though very little of politics is close enough to on-topic here to come up).
Of course I have plenty of private opinions, and my perspective is shaped by being an American and a journalist.
When I started learning about the OSA I tried to talk about it neutrally because echoing someone’s language back to them is a very effective communication tool.
But I can’t in good conscience endorse its euphemisms for censorship by reiterating them.
The Online Safety Act reads to me as a profoundly ironic tragedy.
Ofcom constantly reiterates that huge, vague swaths of expression are “illegal, harmful content” while, to me, almost everything they’ve written about the OSA is illegal, harmful content.
The OSA exercises prior restraint and enables jawboning for a deliberate chilling effect, placing an undue burden that would never withstand strict scrutiny let alone justify unreasonable search and seizure.
If I’ve learned one thing about Ofcom it’s that they think it’s trivial for someone to engage with another country’s centuries of legal tradition and case law, so perhaps they will protect children online by revamping their thousands of pages of guidance to avoid these harms.
Or perhaps this is the first and mildest unbridgeable divide the OSA brings to the UK’s shores as its foundational idea of Parliamentary Sovereignty can’t adapt to a political system where laws themselves can be considered illegal.
I hope this post gives folks a pretty good idea of how I’ll approach these risks.
(But I’m done writing for the day, whew.)
My thanks to every Lobster who helped with this.
Every bit of kicking this arduous process around with you all was useful, and I hope this writing reflects it onwards to other communities.
https://opensource.com/article/21/12/open-source-photo-editing-krita
Krita is scriptable and has a healthy plugin ecosystem. I don’t know your specific use case, but I bet you could make it work for you if you’re willing to learn new UI and workflow… which you would need to do anyway in a hypothetical comprehensively redesigned GIMP!
This kind of behaviour is very typical for a certain kind of open source project.
I concur.
Sure there is.
Every language should collect all of the material it can find in that language, train an LLM on it and then release that LLM as open source.
Is there a way for those of us outside of France to use this service? I know it’s open source so could theoretically be self-hosted.
Very cool. :)
Would love to dig in to your compiler architecture and language feature set if you ever decide to open source it.
Yes, anything developed directly by the US government is automatically public domain. However, being in the public domain isn’t necessarily the same thing as being open source, depending on how you define open source. For example, public domain status does not imply an issue tracker, or patch submission process, or anything like that that we’d typically associate with a project being open source. It doesn’t even imply that the code is published - just because it’s public domain doesn’t mean it’s easy to access.
It’s also worth noting that a large amount of government software is developed by government contractors, who aren’t subject to the public domain rule. Often the government doesn’t necessarily have the right to publish code they’re using because the software is copyrighted by the contractor, and that right wasn’t negotiated in the contract.
(Edit to add this disclaimer: IANAL.)
I wonder what the current status is regarding Federally funded projects in the US? AFAIK, legally the government can’t copyright and all directly developed software is in the public domain/open source?
But for example the status of Drupal contributions by White House seems to be dormant/archived?
https://github.com/whitehouse
Great to see this push to open source. In Germany they also had a recent push in open source software [0]. They have a fund for open source software [1].
[0] https://www.openproject.org/blog/opendesk-1-0/
[1] https://www.sovereign.tech/tech
Hope you find it useful and develop nice CL web apps. It took me… some time to assemble.
Example web apps built in CL?
https://allmicrowedding.com/
pgcharts
screenshotbot, an open-source, mobile-first automated screenshot testing. Written primarily with LispWorks, works also on CCL.
https://github.com/KikyTokamuro/todolist-cl a simple todo list, good for a demo.
mine:
http://abstock.org/ a simple app to show products on line. Made for local bookstores.
https://github.com/OpenBookStore/openbookstore/ very much WIP, but I am slowly working on it! I’m now working on a DB dashboard admin à la Django: https://lisp-journey.gitlab.io/blog/towards-a-database-admin-dashboard-for-common-lisp/
ps: for more companies and projects: https://github.com/azzamsa/awesome-lisp-companies/
I’ve disabled the pending geoblock of the UK because I now think the risks of the Online Safety Act to this site are low enough to change strategies to only geoblock if directly threatened by the regulator.
It’s taken dozens of hours over the last few months to understand the risks of this law and I’ve seen other communities linking to our threads as they start figuring it out. So this comment is a big roundup: an introduction of the law that addresses common misconceptions, a summary of our evaluation, and a look forward to similar future laws. If you want more details I kept a log of the process in comments to our story on LFGSS and our primary story on it, and this post is me trying to collect all that jumble into a single coherent piece.
I hope this summary will be useful to other online communities navigating the same issues we are, so let me give a bit of introduction about where this post comes from. Lobsters is a computing-focused community centered around link aggregation and discussion started in 2012. I’ve been the site admin since 2017. I have a 25 year career as a programmer, I’m American, and my views on speech are heavily informed by my experience as a journalist at the Washington Post: I see running this forum as a form of trade journalism.
(I tried to place this with a few outlets without luck. The last couple months have been busy for international political news, so, no luck there. To close out some other loose ends that didn’t work out, I never did hear back from my Senators, Senator Wyden, or the US Embassy to the UK.)
This law, and law generally
The Online Safety Act is a law that censors every site with user-generated content like comments, starting on March 17, 2025. (There are a few relevant caveats I’ll explain towards the end.) Under this law, many kinds of speech and publishing become illegal. It tries to place impossible obligations on sites even if they are not in the UK, tiny, noncommercial, or harmless. Rather than restrict UK publishers or what UK readers are allowed to read, it claims the even broader authority to censor every site with a reader in the UK.
The law designates a UK government office called Ofcom as the censor. Ofcom is empowered to define specific regulations and enforce them. They explain the OSA’s reach by writing:
I include this quote because it starts with one of the few clear statements of the OSA’s global aspirations and addresses some common “surely it can’t be that bad” assumptions. Then the statement sinks into a perfect example of Ofcom’s legalese. That last sentence is built on three terms:
Running down these definitions brings us to a particularly tempting peril for programmers: making sense of laws feels like diving into a codebase. We’re dereferencing terms to build up definitions and chaining the predicates into a state machine we can run in our heads against our situation.
But programmers are bad at playing lawyers because the law works very differently than code. The famous pitfall of legal writing is that harmless-looking words like “reasonable” or “reasonably” (which appear 108 times in the OSA) are actually jargon freighted with centuries of legacy code. But the bigger problem for programmers is the unknown unknown legal principles we fill in with intuition based on our programming experience. We love to look for clever loopholes. We assume a judge would act like a compiler and throw out an entire contract at the first exception because our work type-checks or it doesn’t build. We don’t include principles like lex specialis or alternative pleading, and we don’t need entire agreement when we have git HEAD. We are also prone to over-generalization, like in the ongoing Wordpress legal disputes where many programmers interpreted an injunction as a court “forcing an open source maintainer into providing services”.
When we feel surprise and mild outrage at an absurdity or contradiction in programming, it’s a sign our intuition, built on years of experience, is leading us to recognize bugs. When we have those same feelings reading the law, it’s a sign our inexperience is leading us to make very basic errors.
Why does this law matter?
The OSA threatens sites with penalties up to $22 million USD (or 10% of global revenue, whichever is greater, but of course that’s $0 for Lobsters). The OSA has made serious threats of enormous fines and jail time because the UK wants the law to be taken seriously - and I do.
One of the OSA’s rules undermines privacy in reading. It demands that some sites require highly invasive identification proofs from users, like taking a live selfie while holding a government-issued ID card. One site wasn’t sure if this rule applied to them and asked if they could delay implementation until Ofcom contacted them. Ofcom replied:
Allowing for the normal difference between conversational speaking and legal writing, Ofcom’s answer is that their first contact may be to impose a crushing penalty. When explaining how sites must evaluate risks, Ofcom writes in bold, “we expect providers to err on the side of caution and select the higher risk level”.
The chance that Ofcom targets any one community out of the millions of blogs, forums, bug trackers, and other sites with user-generated content is small but the punishments are ruinous. I look both ways when I cross the street for the same reason. (Though perhaps our odds are worse, as a site with many employees of “tech giants” the current government is keen to regulate.)
Extra-territoriality
The primary problem with the OSA is its claims of extra-territorial jurisdiction, that the UK claims authority to censor any site readable by someone in the UK. Despite inquiries from me and others, no UK legislators or Ofcom have attempted a legal theory justifying this overreach.
Countries have governed their own territories since 1648. No one I’ve talked to is aware of an international treaty that grants the UK extra-territorial jurisdiction over everywhere people communicate online.
Further, UK legislators shouldn’t want this legal claim to hold up. If every country can censor sites that can be read by their occupants, UK publishers and readers will quickly find themselves censored in turn. The most eager censors will want to impose very incompatible cultural norms and political values, wrapped in identical justifications of saving the children from online harms.
I’ll explain why towards the end of this, but I now talk plainly about this law to restrict legal speech as censorship rather than reiterate its euphemisms about protecting users and responsible regulation.
There have been similar censorship laws elsewhere in the world. They try to restrict discussion like which countries exist, whether a violent atrocity was committed, whether women are people, insults to the royal family, or which religions are permitted. I’ve ignored them because they’ve mostly come from poor, despotic countries that would be vanishingly unlikely to be able to enforce them against this site. However, a wealthy anglosphere country with politicians who score local points by getting tough on “American Tech Giants” is enormously different.
While it seems unlikely that the UK could effectively enforce this on a non-UK site, defending an international lawsuit would be exhausting and incredibly expensive. There’s a classic book in US law called The Process is the Punishment. It argues that the direct costs (like lawyers) and indirect costs (like lost work hours) can make winning exoneration of a minor crime into a life-altering punishment. The years-long disruption of setting OSA case law is a serious punishment even if a site wins in court.
Why not just comply?
One way of avoiding that risk would be to obey in advance. Lobsters spends its time kicking around programming minutia rather than producing 17 kinds of priority illegal content like defrauding people, selling firearms, human trafficking, or bullying children into suicide. Surely the law is proportionate for such an anodyne service?
No. It is not possible for a hobby site to comply with the Online Safety Act. The OSA is written to censor huge commercial sites with professional legal teams, and even understanding one’s obligations under the regulations is an enormous project requiring expensive legal advice.
The law is 250 pages and the mandatory “guidance” from Ofcom is more than 3,000 pages of dense, cross-referenced UK-flavoured legalese. To find all the guidance you’ll have to start here, click through to each of the 36 pages listed, and expand each page’s collapsible sections that might have links to other pages and documents. (Though I can’t be sure that leads to all their guidance, and note you’ll have to check back regularly for planned updates.)
Let’s get into an example of understanding the OSA: is Lobsters a “multi-risk” site that is subject to extra scrutiny? Ofcom’s definition begins on page 78 of this PDF and incorporates pages 58-68 of this one, with references that fan out to hundreds of concepts defined in vague legalese throughout dozens of similarly-named documents that you’ll have to hunt down. Please do take a few minutes to try, I’ve struggled to convey what an enormous slog it is to answer these seemingly-straightforward questions.
But I call it impossible because every attempt I’ve made at answering a question like this has always gotten lost in undefined behavior:
Lobsters is publicly readable with an open source codebase so theoretically anyone should be able to determine if Lobsters is “multi-risk”. I’ve lost enough time to these dead ends that I’m unwilling to listen to any suggestion that sites should “just comply” if it doesn’t start with a show-your-work answer to at least this one question.
Fully complying would mean producing paperwork to assess dozens of censorship responsibilities, continually produce documentation of compliance, and produce all of this and much more should Ofcom inquire. And then remember that all this work should be reviewed by a lawyer because we can’t tell if we’ve blundered until Ofcom comes knocking. The UK government’s “high estimate” is that sites would need two hours of legal advice to comply with the entire OSA.
Why is this so hard?
Why is everything an endless snarl of cross-references and dishonest euphemisms about saving the children? Why does Ofcom do that?
Ofcom can’t edit the law. Where it’s vague they can perhaps pick a plausible interpretation, but they can’t change the law.
Ofcom is a government office headed by a political appointee. When the law has obvious contradictions, demonstrates ignorance of internet standards, or leads to ridiculous conclusions, Ofcom can’t give answers that are too politically embarrassing. Compare this series of questions to Ofcom’s non-response.
That’s why an admission that sites will geoblock the UK is surrounded by contradicting statements like “to continue to enjoy a vibrant digital economy” and “we’re not reducing the range of services in the UK”. It’s Ofcom’s duty to censor and call it regulating.
Indefinitely delaying the pending geoblock
Getting back to the news I opened with, I’ve lifted the scheduled geoblock that I described as our “current, bad plan” because it feels terrible to place a brick in the Great Firewall the UK is building around itself.
The risk to Lobsters isn’t gone, but after the last couple months of collaboration and research I think the risks are reduced to a level that I’m willing to take them. The risks are reduced by several independent lines of reasoning. (Remember alternative pleading?) In roughly descending order:
1. UK law does not apply to American sites like Lobsters. The OSA’s claims of extra-territorial reach defy centuries of law. I can’t find that any of the OSA’s proponents, authors, advocates, or Ofcom have advanced a legal theory to justify its extra-territorial claims. The UK will quickly regret supporting this whole “if we can read it, we can censor it” claim when it’s used against it by wealthy countries it can’t ignore.
2. Even if this legal novelty holds up, Ofcom has confirmed “if a service feels the best way to comply is to geoblock the UK, that is sufficient to meet the regulations”. This is the only articulable process Ofcom has described as “sufficient”. I’d try the below reasons first, but I can still fall back to geoblocking the UK.
3. Lobsters is an email service, one of a few types of service exempted from censorship. When pressed to share their definition of “email”, Ofcom replied that its use of the term is shared with “widespread and frequent use among the general public”. Like Ofcom’s choice of email client (Outlook.com, per their headers) and all of the other most popular email services in widespread and frequent use among the general public, Lobsters is an email service that allows users to type into web-based forms, stores that user-generated content in a database, emails it using standard protocols, and maintains a browsable web-based archive. All user-generated content on Lobsters that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, and that may be encountered by another user, or other users, of the service by means of the service is email.
4. Before Ofcom demands evidence of censorship (a “notice”), it “must particularly consider in deciding whether it is necessary and proportionate” because Lobsters is journalistic content (if the implausible legal theory about being “UK-linked” holds) and would have an adverse impact on the availability of journalistic content on the service. The adverse impact will be that I geoblock the UK.
The next three reasons are directly adapted from @aphyr’s announcement for woof.group.
5. Lobsters is not a “regulated service” because it does not have a “significant number” of UK users.
6. There are no “reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom”. To return to Ofcom’s conspicuously unpublished definition of the term “significant number”, it mentioned that “It could also mean significant if the level of harm on that service is particularly high”. I can only compare that the harms our guidelines address only require a single 5-word sentence (“Abuse and bigotry are unwelcome”) while Ofcom’s Quick Guide to illegal content risk assessments incorporates more than 77,000 words and their Register of Risks adds 247,000 words.
7. Lobsters is not a regulated service because UK occupants do not form one of the target markets for the service. Lobsters is not a business and does not have a target market.
8. Lobsters is not a regulated service because Ofcom doesn’t treat it as one. If you read their pages or watch their webinars, Ofcom regularly offers to answer questions from regulated services, like “If you reach out to us, we want to have conversations about what applies to your service.” Ofcom has ignored my emails on Jan 7, Jan 15, Jan 20, Jan 22, and Feb 18. One email got a reply from a PR flack who demanded not to be identified and did not address my questions. I understand this to mean that Ofcom agrees Lobsters is not a regulated service.
What’s next for the UK and Lobsters?
Hopefully nothing. I would be very happy to resume never thinking about Ofcom and UK law.
In the unlikely event that Lobsters is targeted by Ofcom and all other defenses fail, I’ll give what warning I can before I geoblock the UK. While Ofcom has threatened to punish people from their first interaction, the extra hurdles of overcoming the 8 reasons the OSA does not apply to this site plus their own potential expenses in international enforcement have me optimistic they’d drop it.
For UK occupants: the only clear, usable writing I’ve found on the OSA is written by UK lawyer Neil Brown, whose site about the OSA is excellent and contains many sample documents. I can’t thank Neil enough for how generously he’s answered many questions for me. (And don’t miss his In Memoriam list.)
Let’s (not) talk politics
I’m only spending all this time discussing politics because I feared the OSA posed a credible existential threat to the site. To reuse an old comment of mine:
Of course I have plenty of private opinions, and my perspective is shaped by being an American and a journalist. When I started learning about the OSA I tried to talk about it neutrally because echoing someone’s language back to them is a very effective communication tool. But I can’t in good conscience endorse its euphemisms for censorship by reiterating them.
The Online Safety Act reads to me as a profoundly ironic tragedy. Ofcom constantly reiterates that huge, vague swaths of expression are “illegal, harmful content” while, to me, almost everything they’ve written about the OSA is illegal, harmful content. The OSA exercises prior restraint and enables jawboning for a deliberate chilling effect, placing an undue burden that would never withstand strict scrutiny let alone justify unreasonable search and seizure.
If I’ve learned one thing about Ofcom it’s that they think it’s trivial for someone to engage with another country’s centuries of legal tradition and case law, so perhaps they will protect children online by revamping their thousands of pages of guidance to avoid these harms. Or perhaps this is the first and mildest unbridgeable divide the OSA brings to the UK’s shores as its foundational idea of Parliamentary Sovereignty can’t adapt to a political system where laws themselves can be considered illegal.
Speaking of credible existential threats
We may have to go through all this again.
There’s Australia’s Online Safety Amendment, America’s Kids Online Safety Act (currently paused but very likely to reawaken), and America’s potential repeal of Section 230.
I hope this post gives folks a pretty good idea of how I’ll approach these risks. (But I’m done writing for the day, whew.)
My thanks to every Lobster who helped with this. Every bit of kicking this arduous process around with you all was useful, and I hope this writing reflects it onwards to other communities.