The Engineer Who Tried to Put Age Verification Into Linux

https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/

The lasting damage was knowing it could happen at all: that a single contributor with no stated organizational backing could submit compliance infrastructure for surveillance law directly into the software that boots your computer, get it merged by two Microsoft employees, and have the creator of systemd personally block the removal.

Dylan, useful idiot with commit access, pushed age verification PRs to systemd, Ubuntu & Arch, got 2 Microslop employees to merge it, called it 'hilariously pointless' in the PR itself, then watched Lennart personally block the revert. Unpaid compliance simp.

Sam Bent

@Khrys (disclaimer: IANALAIDEPOOTV)

One remark and one comment:

Remark: the title says "tried to", the article says did -- and Poettering blocked a revert.

Comment: in countries where the GDPR applies, the feature appears contrary to article 5 as overbroad, even probably purposeless *per se*; maybe also contrary to recent European decisions against generalized citizen data collection, too.

@aaribaud @Khrys And so? What does that have to do with asking the question of who and why?

@CypherSephiroth

I don't believe I suggested a connection (still less specifically with a question of "who and why" that I did not know was being asked), but to avoid any confusion, I am editing my post.

@Khrys

@aaribaud In my opinion, the subject of this article is "This guy decides to add a pseudo age-verification feature through collaboration. For what purpose?", not "Age-verification legislation does not respect the limits on generalized collection of data on citizens, European or otherwise."
@CypherSephiroth Your opinion seems well founded. But how does the article's supposed angle on the facts described prohibit commenting on those facts from another angle?
@aaribaud I'm not prohibiting anything. I'm saying I don't see the connection between the two premises.
@CypherSephiroth If by "the two premises" you mean the angle of the article and that of my comment, then I repeat my answer: I don't see why they should have any connection apart from being about the same subject.

@aaribaud
«in countries where the GDPR applies» <- you got this wrong, GDPR applies everywhere as soon as you are a European Union citizen.

Edit: correction «European citizen» -> «European Union citizen»

@Khrys

@patpro @Khrys Europe does not include all countries on the whole Earth, does it?
GDPR applies to protect the personal data of every EU citizen and every person domiciled in EU, never mind where and by whom that data is processed.
@aaribaud @patpro @Khrys
@osma @patpro @Khrys How exactly is this a valid rebuttal of my statement about the (lack of) validity of the birth date field *in countries where the GDPR applies* ?
@Khrys
I just don't know what to do with this information. 🤔

@sebsauvage @Khrys As I commented on SeenThis this week, this is the first real demonstration that there is a problem with systemd and that it is therefore, in the end, not only a technical problem, and that there is also a political problem.

https://seenthis.net/messages/1163717

Ret - Mastodon

https://furry.engineer/ret/116261339761579758 ❝More systemd shit, sorry... But the more I look at this project the worse it gets. The reaction to a very balanced, polite, "yeah don't like this PR because [though-through reasons]" comment? *PEH! Who let (…)

@biggrizzly @sebsauvage @Khrys If we look at Gabriel Alcaras's thesis (https://theses.fr/2022EHES0120.pdf), with more and more Open Source developers joining the free software world and its development (in the kernel, and everywhere else), this kind of case is likely to multiply, with companies unfortunately pushing Linux to be as "Compliant" as possible ... It would not surprise me if this caused more and more turmoil, with more and more FOSS projects fortunately adopting charters :( poke @khinsen

@SReyCoyrehourcq We are indeed seeing more and more "corporate" in the Linux world, and the Linux Foundation is perhaps the most visible symbol of it. I suppose that is why BSD is (re)gaining more and more followers.

@biggrizzly @sebsauvage @Khrys

@Khrys

I don't understand what the fuss is about. This is exactly the right way to comply with that law: an optional birth date field. You don't want to have to submit an idea to your OS or implement facial recognition, and you certainly don't want to tie account creation to external services for those things, but now parents can fill in the birth date for their kids, and everybody else can ignore it. This kind of thing needs to be in the hands of parents, not external companies.

So I don't really see the problem here.

@Khrys

The lasting damage was knowing it could happen at all: that a single contributor with no stated organizational backing could submit compliance infrastructure for surveillance law directly into the software that boots your computer, get it merged by two Microsoft employees, and have the creator of systemd personally block the removal.


What the hell is the issue here? Do you need to be a member of an organization to submit a PR? And if the lack of organisational backing would be a problem, why is it a problem that the people merging it do work for an organisation? The only thing that matters is that an official committer approves it.

This whole article sounds like pointless fear mongering. If there's anything else to it that I'm missing, I'd love for someone to explain it.

@mcv @Khrys let's take it a bit further too. Nobody uses a pre-built systemd straight from upstream, every distribution is building and packaging it.

This seems very trivial to patch right back out and/or put behind a define. (I would actually be surprised if it wasn't like that, to make compliance with different jurisdictions easier).

This is literally just an additional field for dbus' consumption, right? Tempest in a teacup.

@mcv @Khrys
I do, it was done unilaterally without discussion.
Even if it was technically correct and maybe we need to look at this, a single person making the decision and forcing it into the code is not the way this should be done.

@julesbl @Khrys

But no single person can force this into the code, right? Someone submitted a PR, and two committers approved it, one of them the creator of the project, as far as I understand. If that's not good enough, then what is?

Of course discussion about this is important, but can we do that without panic and fear mongering?

@mcv @Khrys
If you think that is a way that things are discussed and implemented then I guess that is all fine and dandy, yes three people implementing a change which affects millions, perfectly fine

@julesbl @mcv
Another problem is that it starts implementing surveillance infrastructure without any pushback. Looking at many governments now I don't think that's advisable.

The law was lobbied into existence by Facebook/Meta and friends.

https://old.reddit.com/r/linux/comments/1rmhxk1/i_pulled_the_actual_bill_text_from_5_state_age/

https://tboteproject.com/

@Khrys

@julesbl @Khrys

We've long depended on software maintained by fewer people than that.

The point is: anyone can contribute, committers review and approve. If that has always been a reasonable process, why not now? There are lots of open source projects where the creator of the project has more power than that, and we've always accepted it because we trust the maintainers, and when they break that trust, the community forks, which has also happened plenty of times.

But at the end of the day, it seems to me most people here are irrationally panicking about this. Isn't the field optional? Isn't what goes in the field entirely under the user's control?

By all means discuss this honestly, but I don't see anything here that justifies the hype and panic.

@mcv @Khrys
If you think this is just like a bug, you are mistaken

@julesbl @Khrys

Nowhere do I call this a bug. It's an additional field in the user db. Just like userName, realName, emailAddress, location, timezone, preferredLanguage, and many others, some of which are at least as sensitive as age.

People are panicking about a complete non-issue. Read the actual discussion on the commit; there is actual discussion there, but nobody is panicking about it the way people here are.

The discussion on the Arch commit has a bit more pushback; there the contributor puts more emphasis on legal compliance, receives some pushback that it offers no reliable age verification, so how can it comply with the law? and the decision is made to put it on hold until they get some legal advice.

And with or without that law, I don't see any problem with storing yet another piece of personal information. It fits right in with everything else that's already stored. If you don't trust the privacy of your own PC, don't fill it in. It's optional.

But I can imagine that parents would want to set this for their kids, and may also want software to restrict their kids' access to certain kinds of content based on that. But that's not what this does.

@mcv
Weeeell... it's optional... for now. Heck, systemd is just another init, right?
@Khrys @julesbl
@julesbl
Tbh that's how large FOSS projects work, yes.
Or do you expect a committee for every code change?
@mcv @Khrys

@mcv @Khrys

So I don't really see the problem here.

I do. The problem is that the guy is complying in advance with unjust, abusive, and dangerous laws.

"Okay, guess I'll add it in" is not the correct response to an unjust legal requirement. The correct response is "Fuck you, make me."

@Legit_Spaghetti @Khrys

"Fuck you, make me."


Sorry, but nobody is making you fill this in. It's an optional field. And there's no verification on it.

@mcv @Khrys @Legit_Spaghetti Not required at launch of the feature, anyway. Your take is naive. It's a foot in the door for mass surveillance.

@mcv @Khrys Imagine if instead of your DOB, the field asked "Are you a Jew?" and it was also optional and didn't have any sort of verification attached to it. Just an innocent question, right? No one's being forced to answer it. Not a problem, right?

Except anyone who'd spend their time adding such a field to an open-source project in anticipation of an imagined legal requirement should immediately become radioactive in the community, as should anyone defending such an action.

@mcv @Khrys Never heard of a slippery slope? It's a longstanding tradition in our legal system. Start with something that seems innocuous enough. Then when enough people have been lulled into complacency by arguments like yours, the law changes into something onerous and we're stuck dealing with that.

It's very basic stuff.

@liquor_american @Khrys

Do you understand that we're talking about an optional field on your own, local computer that you control, and which already has similar fields for your real name, your email and your location?

I understand people are wary to paranoid about privacy, and you should be, but it's misplaced here. This is the wrong battle to be fighting. There are many worthy battles out there that could use this energy.

@mcv @Khrys Yes I understand what the initial implementation is supposed to look like. It's a very cute little baby cat that surely no reasonable person could have a problem with.

Oops, now it's been 18 months and we have a very hungry leopard and we wish we hadn't been taken in by how harmless that kitten seemed at the time.

@mcv @Khrys The problem is that they’ve acquiesced to a poorly thought out and bad faith trial balloon of a law. So now the lawmakers know that it’s game on. The next version of the law will be even more insidious and require actual verification and do who knows what else.
Say there's a law requiring collection of people's ethnicity. Or of their gender, allowing only two options. Or of their religion. Or legal, government issued names and id numbers. Oh, they're all optional in most jurisdictions and in fact defined in ways that are noncompliant with other laws. But what's the big deal? We'll just add an optional field name to standardize the schema. There's no mandatory mechanism or verification. Just making the data cleaner.
@mcv @Khrys

@Khrys we like to think of FOSS as some sort of anarchist collective°. it never has been.

it's run by a series of people with absolute power, for the most part. the benefit is that it's a lot of tiny dictators rather than a few big ones; that in theory anyone can become one, you don't need to be rich; and that these dictators tend to have technical knowledge.

but they can still be arseholes.

° i mean, we might not CALL it that.

@Khrys @fishidwardrobe I've long been saying that, instead of debating the relative merits of open source software and free software, we should have been demanding noncommercial software. Now it may be too late. FOSS is no anarchist collective, but arguably hacking is. Unfortunately too many of the hacker era hackers were ancaps and could be hired to do the dirty work of the powerful. But now that computing freedom is by definition illegal, maybe a new generation of hackers will arise. One can only hope.

@lori @Khrys i've recently been thinking about — and this is beyond my skills, so i should really say "fantasising about" — some sort of common retrocomputing platform, maybe based on an esp32 or something, which is completely incompatible with commercial computers and so can't be used commercially.

but it would also be missing all the spy-firmware (minix in the cpu, tiny computers in usb plugs etc). maybe we could start our own replacement for the internet!

… yeah, right. sorry.

@fishidwardrobe

Open hardware would be incompatible with modern day commercial aspirations.
Coupled with FOSS of course.

#ESP32 is more for IoT than regular computing – but you can use it for #meshcore (and other #LoRa-based projects), which is an interesting, albeit very basic, alternative to common (controlled) networks.

@lori @Khrys

@0x0 @lori @Khrys folks are, amazingly, building tiny computers that run python or basic around esp32. surprised me too!

you need another chip to handle vga, and some external static RAM, it appears.

here is a project emulating i386 that runs windows 98! on an esp32!! https://hackaday.com/2021/07/28/emulating-the-ibm-pc-on-an-esp32/

@fishidwardrobe

It really says a lot when we can use low end hardware (for today's standards) to run simpler software that suffices for most tasks.
Maybe RAM prices will bring that ingenuity back.

@lori @Khrys

@0x0 @lori @Khrys i'm old enough to be certain that i, for one, do not need the power of a modern computer – given the right software.

something between a BBC Model B / Acorn Electron and a 386 would be just fine.

@Khrys @fishidwardrobe @0x0 Everything I do other than surfing the web I could retrocompute. Both of the two (2) viable web layout engines are bloatware because the web standard is bloatware.

astoundingteam.com/2020/04/21/…

Standards Bloat is a thing – In Defense of Anagorism

@lori @Khrys @0x0 maybe we should start a thing where we bring back "this site best viewed in Netscape Navigator"…

edit: for some reason caniuse.com does not list this browser.

@fishidwardrobe @0x0 @lori @Khrys The Motorola 68000 powered a generation of pretty awesome machines, I'd happily fall back to my STe as a daily driver for most tasks if I won the Lotto.

(Of course I would have to be paying the idiot tax for that scenario to have any possibility of happening 😂)

@fishidwardrobe
I'm glad most tend to be BDFLs.
@Khrys
@0x0 @Khrys do they? the title was originally ironic, but these days everyone seems fine taking it seriously.
@Khrys what do you mean, tried? He succeeded, with the complicity of even bigger idiot Poettering.

@fazalmajid @Khrys You mean the very same Poettering which was responsible for this commit https://github.com/systemd/systemd/commit/bb19b6104978b5ede792fa3f0cfc74272f20bf9c which was "Found with Claude Code Review" and it broke systemd-boot in one of the release candidates (260 RC3) https://github.com/systemd/systemd/issues/41098

"Anything LLM-generated will not be committed without a thorough human review" in practice. Yeah.

measure: figure success of measurement correctly · systemd/systemd@bb19b61

Found by Claude Code Review.

@foxes @Khrys Well, yes. We've known since the days of PulseAudio he is a moron with abysmal judgment and worse code quality, to the point he is regularly called out by Linus Torvalds for it.
@Khrys https://agelesslinux.org/ I prefer this approach
Ageless Linux — Software for Humans of Indeterminate Age

@Khrys Open source's entire threat model assumed contributors act toward user freedom. The surveillance state runs on volunteers: people who do the implementation work for free, out of genuine conviction, with no paper trail connecting them to the money that wrote the laws.
@Khrys @pluralistic best argument for removing systemd (and I actually like systemd).