Practical suggestions for resolving the Brazilian problem

Originally posted to forum:
https://forums.freebsd.org/threads/practical-suggestions-for-resolving-the-brazilian-problem.101913/#post-748010

I am not conversant in Portuguese so I don't know if this is already 
being discussed on the Brazilian list. I apologise if this is already 
being dealt with.

On March 17, 2026 the Brazilian government will be enforcing a new law 
that requires age verification of the users of a computer operating 
system. This thread is to discuss how the FreeBSD developers could 
resolve this problem within the next 11 days. Please add your own ideas 
and pick apart any/all that have been posted.

Summary in English
https://fpf.org/wp-content/uploads/2025/12/Issue-Brief-Brazils-Digital-ECA.pdf

1. Geo-block Brazil from image downloads and from pkg repositories.
This is an extreme solution that will alienate the Brazilian user 
community, but it is the quickest to achieve given the lack of time.

2. Modify pkg so that it can accurately geo-locate by the public IP address.
If a Brazilian IP address is detected, pkg requests the email address of 
a human installer over the age of 18 that is responsible for the system. 
Pkg will no longer install or update until a token received by email 
from pkgtoken@freebsd.org is entered into pkg.

Pkg will also have to state on every execution that the FreeBSD package 
repo is for 18+ users only and it is the responsibility of the system 
administrator not to permit use of the system by minors. All existing 
FreeBSD systems will remain usable in a pre-enforcement date state. 
However, they will not be able to update until the sysadmin confirms to 
pkg that the system is for 18+ users only. If the public IP address 
changes, pkg will have to request a new authorisation token to continue. 
This is the only way to deal with geo-locating dynamic IP or portable 
systems that are travelling (visiting laptops).

The authorisation token does not need to be individual to the machine. A 
simple method of using a token matching the last 8-bits of an IPv4 or 
IPv6 address is good enough. Every quarter, regenerate those 256 tokens 
and save them on a private system area of the package repo. An already 
authorised pkg will automatically rollover to the new token without 
human intervention. Yes, someone could map the bit to token assignments 
every quarter and publish them, but the new pkg program must save the 
email address and display it every time pkg is run. Whoever runs package 
will see the email address that was used to obtain the token.

If a fake email address is used with published tokens, then the 
Brazilian authorities have the problem of identifying the sysadmin and 
the token publisher. The sysadmin becomes the criminal.

Pkg gets updated every quarter to recognise the new set of 256 tokens 
used by the FreeBSD repo. If pkg is used in Brazil without a valid token 
it fails safe (legally, not functionally) by not updating and not 
installing software until a sysadmin has submitted an email address to 
receive an unlock token.

If pkg is used against a private repo, such as a Poudriere built repo, 
then no email address or token checking is required. Whoever operates 
the Poudriere repo is the software distributor.

-Vince-