California passed a law forcing every operating system to check your age at setup, with a $7,500-per-child fine for intentional violations. The Linux distros that ship to a few thousand Californians were on the hook right next to Apple and Google. Then the same lawmaker who wrote that law filed a second bill to carve them out.
The carve-out turns on one word: license. Software you can copy, redistribute, and modify walks free. Ship a proprietary client on top and you stay trapped, which is the line that decides whether your project pays.
In today’s indie hacker news:
- 📜 California moves to spare Linux from the age law it just passed
- 🪙 r/SaaS: nobody pays for a SaaS that AI clones in a weekend
- 🐢 A 14-year veteran uses AI to write code slower, on purpose
- 🇳🇴 Norway trains a sovereign LLM on text no startup can legally touch
- 🔖 A macOS kernel bug found by Claude, and what Telegram Stars pay
TOP STORIES
THE AUTHOR WHO UNWROTE HER OWN LAW
📜 California moves to exempt Linux from the age-check law its own author just passed
The story: California’s AB 1043, the Digital Age Assurance Act, passed unanimously last year and hands every OS provider one job: detect a user’s age bracket, then expose it to apps through a real-time API. Four brackets, from under-13 to adult. Windows, macOS, Android, iOS, and yes, every Linux distro. After open-source maintainers pointed out that a hobbyist project can’t staff a compliance API to dodge a per-child fine, Assemblymember Buffy Wicks, who wrote AB 1043, introduced AB 1856 to fix what she shipped. It exempts any OS distributed under terms that let you “copy, redistribute, and modify the software.” Tom’s Hardware clocked the irony: same author, opposite bill.
The details:
- AB 1856 is still a proposal. It cleared a second reading and was ordered to a third as of May 19, so nothing is law until a floor vote lands.
- Debian, Fedora, Ubuntu, Arch, and Mint qualify, because their copyleft licenses are exactly what the amendment’s exemption describes.
- SteamOS does not. It ships Valve’s proprietary Steam client, so the Steam Deck and Frame stay subject to the original mandate even if the exemption passes.
- The fine that triggered the panic: $2,500 per affected child for a negligent violation, climbing on intent, enforced by the state AG with each non-compliant download counted on its own.
- AB 1043 itself sailed through 76-0 in the Assembly and 38-0 in the Senate before any of this surfaced. The backlash arrived after the unanimous yes.
Why builders care: The amendment quietly makes proprietary licensing the regulatory default target and hands FOSS a legal advantage it didn’t have a year ago. If you ship anything that a statute could read as an “operating system,” your license terms are now a compliance line item, and Colorado already signed near-identical exemption language other states will copy.
Work from any WiFi like it's your home network. NordVPN's Meshnet runs a free private mesh between your laptop, dev box, and home server. SSH from a café without exposing a port, the way you'd use Tailscale. The paid VPN on top lets you test geo-fenced Stripe checkouts or feature flags from any country.
We get a cut if you sign up. Only added for tools we use ourselves.
CODING WAS NEVER THE MOAT
🪙 r/SaaS argues nobody pays for a product AI can clone over a weekend
The story: A post on r/SaaS put a name to the anxiety quietly spreading through every “I built it in two days, why no customers?” thread. The argument: “Coding is becoming the cheap part. The expensive parts are trust, distribution, support, reliability, integrations, compliance, reputation.” If a rival can spin up your app in a weekend with a few prompts, the OP asks, why would anyone trust you over the clone? The thread did not nod along. It split down the middle, which is the actual signal here.
The details:
- The sharpest pushback came from a commenter claiming their own vibe-coded SaaS hit its “first $1k day” and is on track to beat it. Self-reported, no link, so weigh it as one anecdote against another.
- Another reply called the whole take “genuinely horrible,” arguing people win by cornering niches and building brand recognition, not by being impossible to copy.
- The “you’re just gatekeeping” camp showed up too: “99.9% of the population cannot build a software application even if it was vibe coded.”
- The agreeing half kept circling one line, that the real filter is “will you still be here in a year fixing my broken workflow at 11pm.” Most won’t.
- 128 upvotes against 133 comments. A modest score with heavier debate is the math of a genuinely contested take, not a pile-on.
Why builders care: If a weekend of prompting reproduces your product, the defensible part is everything the prompt can’t conjure: distribution you already own, a face behind the brand, and credibility in a niche that takes months to earn. The clone is free. Trust isn’t.
THE ENGINEER WHO TURNED THE SPEED DIAL DOWN
🐢 A senior dev makes the case for using AI to write code slower, and says his quality climbed
The story: Nolan Lawson, who spent six years on Salesforce’s web-platform performance team and now works on supply-chain security at Socket, pushed back on the dominant AI-coding story. “A lot of people seem convinced that the point of AI coding is to write low-quality code as fast as possible,” he writes. “You can use them just as effectively to write high-quality code more slowly.” His method runs counter to the speed-run instinct, and he is upfront that it has not made him 10x anything. The HN thread landed on a clean reframe: this is a job change, not a speed hack.
The details:
- The core loop runs three reviewers on every PR in parallel, a Claude sub-agent, Codex, and Cursor Bugbot, each ranking bugs by severity before he consolidates the findings.
- “The more different models you throw at a PR review, the less likely you are to get hallucinations or bogus bugs,” he writes, clearing the context window between passes.
- His triage has four tiers. Only critical and high get fixed to resolution; medium and low are accepted risk; a fundamentally flawed approach gets the PR abandoned.
- The reviews keep surfacing old bugs unrelated to the change, sending him on side-quests to write tests for flaws that predate the PR entirely.
- The most-quoted HN line nailed the shift: “You’ve essentially promoted yourself from coder to engineering manager.”
Why builders care: Solo, you have no senior reviewer to catch what the agent missed, and merging on a plausible-looking diff is how quality debt compounds in silence. Running three models over one PR is the cheapest stand-in for that second set of eyes, and it forces you to actually understand the code you’re shipping. It’s the how-to attached to the story above: if vibe-coded slop won’t sell, this is the quality side of the bet.
THE DATA NOBODY ELSE IS ALLOWED TO TRAIN ON
The story: Norway’s National Library was handed a job no commercial provider would take: build a sovereign Norwegian-language model. It has a corpus and a legal right most labs can only dream about, roughly 20 petabytes of digitized books, newspapers, and web pages collected since 2005, plus a signed agreement with Norwegian newspapers to train on copyrighted material. “No private company has this,” says the library’s head of IT platform, Marius Husnes. The detail that travels furthest, though, is the storage feeding the pipeline: a 2-petabyte Huawei OceanStor flash tier, the same vendor Europe bans from its telecom networks. (The talk surfaced at a Huawei-hosted forum, so read the framing accordingly.)
The details:
- The 2PB Huawei array is the high-throughput prep tier that cleans and dedupes data. Training itself runs on Norway’s Olivia supercomputer and its 448 NVIDIA GH200 chips, a separate system entirely.
- Europe bars Huawei from 5G core and radio kit, but storage hardware faces no equivalent ban, which is the gap Huawei is working to win European deals Dell and NetApp are losing.
- Husnes is blunt that the hard part was never the GPUs: “The bottleneck was not compute; it was data quality, cleaning and pipeline throughput.”
- Norwegian has two written standards plus dialects, so the library is building its own evaluation benchmark from scratch because standard LLM evals don’t exist for the language.
- US export controls aimed at Huawei backfired by one ITIF tally: American firms lost more than $33B in sales while Huawei’s telecom share grew.
Why builders care: The moat here is the licensing deal and the cleaning pipeline, not the chip count, and that’s the transferable lesson. If you’re building anything data-heavy, your defensible asset is data you have the rights to plus the unglamorous work of making it usable, not the model weights everyone can rent. Sovereignty also moved real procurement budgets, which is how a vendor banned from European telecom quietly ends up inside a government AI project.
TRENDING TODAY
🛐 Pope Leo XIV’s first encyclical is about AI - The Vatican dropped Magnifica Humanitas on May 15, the first papal encyclical dedicated to AI, and Simon Willison’s read gave it credibility well past church circles. He called it “some of the clearest writing I’ve seen on the ethics of integrating AI into modern society.” The line builders are quoting: current systems are “more ‘cultivated’ than ‘built,’” since developers “create a framework within which the intelligence ‘grows’” and the internals “remain, at present, unknown.” It’s modeled on the 1891 labor-rights encyclical, framing AI as this century’s version of the same disruption.
📄 NuExtract3: a 4B open-weight model for turning documents into JSON - NuMind shipped a 4B vision-language model on r/LocalLLaMA built to convert PDFs, screenshots, and invoices into structured Markdown or JSON, a self-hostable swing at Google Document AI. It’s Apache-2.0 and runs on as little as 4GB of VRAM, which is what the 205-upvote thread fixated on. The win that got cheered was shipping GGUF and MLX weights day one instead of leaving conversions to the community. Treat the base-model and benchmark claims as poster-reported, not independently verified.
FIRST DOLLAR
THIRTY-SIX FOLLOWERS, THIRTEEN VIEWS, FIRST $100
🪙 “this might not seem like much… but it’s my first big financial milestone as a founder”
@pomelowarriorr hit their first $100 MRR off pure word of mouth, then posted it to 36 followers and 13 views, which is what the start actually looks like before anyone’s watching. No viral launch, just people telling friends, and a quiet promise to finally get serious about social. Right behind them, @pramodk73 laid out the unglamorous math: 33, a kid at home, eight products shipped, one of them at $700 MRR, grinding toward $2k a month one build at a time. Two reminders that the median indie-hacker story is patience, not a screenshot.
STACK OF THE DAY
🗓️ TryPost
A fully open-source social-media scheduler you can self-host with Docker Compose: connect Instagram, X, LinkedIn, and TikTok, draft once, and let it auto-publish on a schedule. It’s an open Buffer alternative with no vendor lock-in, shipped under an FSL license that converts to MIT after two years, and there’s a managed cloud option with a 7-day trial if you’d rather not run it yourself. It’s brand new, a Show HN at 5 points, so kick the tires before trusting it with your whole calendar. We run Postiz ourselves, so we have a soft spot for this category.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
🔖 Claude found a real macOS kernel bug - Apple credited Calif.io working with Claude and Anthropic Research for finding CVE-2026-28952, a kernel flaw it patched in macOS Tahoe 26.5. A clean data point that AI is now turning up genuine OS-level security issues that ship as real fixes.
📚 Nobody cracks open a programming book anymore - This essay argues chatbots quietly killed the programming book by replacing its function while losing the discipline that made it work: typing the examples out by hand. The 152-comment thread tied it to Stack Overflow’s collapse to about 1,300 questions a month, the knowledge base that trained these models eroding under them.
🔐 Mullvad patches exit-IP fingerprinting - Mullvad rolled out a mitigation across 13 exit-server locations to blunt a fingerprinting technique that could link your activity across exit points even behind a VPN. Worth a read if your threat model lives in the details.