Mastodawn

Inside the Systemd Age Verification Debate: Developer Responds to Criticism

https://europe.pub/post/10762385

Inside the Systemd Age Verification Debate: Developer Responds to Criticism - Europe Pub

>Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently. > >The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects. > >But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate. > >At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database.

IrateAnteater 6d ago

I was expecting civil discourse and a level-headed response.

He may have been hoping for that, but surely he didn’t truely expect it. The FOSS community can barely have a civil discussion about filesystems.

breadsmasher 6d ago

HEY MY GUY you want a CIVIL discussion about CIVIL DISCUSSION?

/s

panda_abyss 5d ago

Ugh, I’m forking this thread. If you guys can’t agree with me I’ll make my own.

panda_abyss 5d ago

Oh wow, this guy ^ is the best at civil discussion!

Linearity 5d ago

Why’d you reply to yourself 😭😭

panda_abyss 5d ago

It’s my thread I can do what I want

How nation states were formed

The D Quuuuuill 5d ago

we’re what happens when dumpster fighting punks need their laptops to work

Avicenna 5d ago

At the moment of most intense debates about mandatory age checks and government surveillance you hoped people to be calm about this? Then you my friend are simply delusional. They are angry and for a good reason. Why the rush to comply with a surveillance practice that hasn’t forced on you with some sanction or enforcement. You did not even wait for it to play out. You did not have a discourse about alternatives. You just went ahead and hastily applied a change as if as if doing some sort of coup.

Pommes_für_dein_Balg 5d ago

He didn’t apply the change, he proposed it.
And there’s zero surveillance in the change he proposed.

Avicenna 5d ago

If we are going to get stuck in semantics, then he also did not just propose it. Propose would be opening an issue, describing how he would plan to do it and letting people discuss. This is how proposals work. Pushing a very controversial change and getting someone to accept it is not “proposing” when the change is something the community will obviously be so divided over.

And it does not have to implement a full on surveillance mechanism to take a step towards better compliance with possible future surveillance laws. The guy literally said in his comments that this was the intent:

github.com/archlinux/archinstall/pull/4290

What the hell are we even discussing here?

user: add required birth date field to user creation by dylanmtaylor · Pull Request #4290 · archlinux/archinstall

Add a required birth date prompt (YYYY-MM-DD) to the user creation flow, stored as a systemd userdb JSON drop-in at /etc/userdb/<user>.user on the target system. Motivation Recent age verific...

GitHub

fruitcantfly 5d ago

A pull request is very much a proposal: It is a proposal to make specific changes to the code-base. The developers are not forced to accept it in any form, and discussions can take place in the pull request, should the developers (or third parties) not agree with (the exact form of) the proposed changes. Which is exactly what happened in the systemd pull request, to the extent that the actual developers had to lock the thread.

In the case of systemd, the “someone”, or rather the “someones”, who accepted the pull request also included the lead developer on the project, namely Lennart Poettering

userdb: add birthDate field to JSON user records by dylanmtaylor · Pull Request #40954 · systemd/systemd

Stores the user's birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. The xdg-desktop-portal project is addi...

GitHub

FooBarrington 5d ago

You’re approaching this with an everyday definition of “proposal”, but in the industry that term is overloaded with more specific meanings.

If you asked 100 random devs, I have no doubt that the majority would call a PR to be something much more concrete than a proposal.

Avicenna 3d ago

Simply not true. In any such project, major proposals first get discussed as issues and community either vets a plan or comes up with an alternative before more solid steps such as PRs start. What is being done here is clearly trying to downplay a major change as a minor one. There are loads of blog posts and discussions on why this isn’t a minor change, especially when the author of the PR himself admits the goal is to comply with age verification laws. I will not get into that here. Suffice to say, at best, this is a political statement of the kind “we are ok to comply with surveillance and will show minimal resistance”. Yet they try to play this as if they are just changing a typo in the documents. Thanks to Lennart for his life long contributions to FOSS, despite him at some point joining Microsoft, the antithesis of everything that is FOSS. I am sure many things he did shaped how the open-source developed on a world-wide level. This still does not mean that his reaction to everything will be correct. To me this was more like a “fuck all, this was a minor change, don’t care what you say” attitude, which in my world-view has place in propriety software world not FOSS.

Overspark 5d ago

That’s a rather negative view. There’s a big difference between people who actually contribute to FOSS (in any way, not just code) and random keyboard warriors in the contents. Sure, there’s always some drama somewhere, but that’s not exclusive to FOSS.

There’s also a massive difference when ine participates in destroying linux users’ freedom, one of the pillars of foss

Q. You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it’s birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?

A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren’t in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.

the intellectually diverse lemmings represented in this post and many others cannot understand this

won’t stop them expressing their feelings tho, bless their hearts

That’s a sound argument, mostly.

If the technical implementation of how they would try and force age verification was the problem people were concerned about this take would be very useful.

Physical locks on glass doors are easy to bypass, doesn’t mean you won’t get shafted if someone just so happens to catch you in the act.

If third party age verification is legally mandated the implementation being technical difficult (or easy to bypass) doesn’t stop it from being illegal.

Being a condescending prick works better if the position you take is unassailable, you do you though.

tangonov 5d ago

You definitely can’t have your cake and eat it too. Linux for many has been about freedom and privacy. He made a direct contribution toward a system that would help take that away

Skullgrid 6d ago

He barely went into developing systemd for two weeks before shoehorning in his bootlicking, he can fuck off. You’re supposed to stick it to the man, not stick up for him

RedSnt 🧩♂️👓🖥️6d ago

I can’t help but feel bad for Dylan. It’s not like if he hadn’t done this someone else wouldn’t have had to eventually.

Why not let someone else do it then? Why eagerly sign up to be the one to do it?

jefferyjefferson 5d ago

Because he’s a slimy piece of shit.

L0rdMathias 6d ago

Blessings to you young bootlicker. May you pay escalating subscriptions and own nothing eternally, forevermore, amen.

Avicenna 5d ago

Why not wait until it becomes absolutely necessary and all other alternatives are exhausted? The mandatory age check thing hasn’t been even accepted whole US wide let alone world-wide. He did not even wait for ut to play out. What is with the enthusiasm to jump on board with this?

jefferyjefferson 5d ago

He brought this on himself.

quick_snail 5d ago

It’s not necessary. But also, where’s the hate against the ass that merged this PR. They’re worse.

@quick_snail @RedSnt indeed.

@quick_snail @RedSnt unless he has been forced to do so... blackmailed, threatened... because this can also happen.

kalkulat 5d ago

It’s not like he had no way of thinking, “Geez, I don’t have the experience or knowledge or insignts to start the ball rolling on such a major decision.” and went on to do something useful instead.

Being on Linux and in control of your OS couldn’t you just set the age statically to something like 99? I really do not understand the hate :/

I really do not understand the hate :/

The itsfoss interviewer goes into this:

A lot of backlash isn’t about the code change, but about what it represents.

You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies.

Do you think regulations like these will reshape desktop Linux in the next 5-10 years where we might have “compliant Linux” and “Freedom-first Linux”?

Sam Bent’s article also goes into this (although, fuck that clickbait title): https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/

He read the laws, decided compliance was the correct response, and went to work. Every objection the community raised went nowhere: that this enables surveillance infrastructure, that lying is trivially easy, that the laws themselves are unconstitutional overreach. He’d already accepted the law as legitimate and moved to implementation.

He read the law, took it at face value, and started writing code. The word for what that is sits somewhere past malice, something more insidious: an engineer who treats compliance as engineering, who sees a legal requirement the way he sees a technical specification, and will implement whatever the spec says regardless of who wrote the spec or why.

The reason to name him is the pattern. The surveillance state runs on volunteers: people who do the implementation work for free, out of genuine conviction, with no paper trail connecting them to the money that wrote the laws.

The Engineer Who Tried to Put Age Verification Into Linux

Dylan, useful idiot with commit access, pushed age verification PRs to systemd, Ubuntu & Arch, got 2 Microslop employees to merge it, called it 'hilariously pointless' in the PR itself, then watched Lennart personally block the revert. Unpaid compliance simp.

Sam Bent

quick_snail 5d ago

Compliance with fascism is definitely not the correct response

panda_abyss 5d ago

It’s optional. You can leave it blank.

@panda_abyss @vogi until it's not... See how it turns on Apple's devices.
To do the same thing on Linux you need a handful of people in 4-5 strategic projects, systems being the first of them because through it you can enforce things on so many distros in one move...

@panda_abyss @vogi it's easy to pay people to become contributors to these projects. Unless you are planning on years to let them become maintainers, the tricky part is to make maintainers accept the dangerous contributions -> convince them it's for « greater good », or pay the price for their soul or constrain/blackmail them.

One interesting thought I’ve had is actually that if we strip this signal to websites/apps and do not report an age range at all, but the vast majority of users DO, that actually gives us a more unique and trackable browser fingerprint.

As someone who is not a fan of adding the age field I’m curious what people think of this.

quick_snail 5d ago

This is stupid. We block fingerprinting.

Just because some people are fingerprint able doesn’t mean all of us should suffer and bend at the knee to unjust laws

FooBarrington 5d ago

It’s not stupid insofar that it is an additional fingerprintable data point. But it’s obviously still much harder to fingerprint you if many users share the same value that you have, so it is invalid.

IrateAnteater 5d ago

You can’t really “block” fingerprinting. You can obfuscate it a bit, but the fingerprinting process happens server side, not on your device. So whether or not your system sends whatever age verification signal becomes a part of its fingerprint.

fruitcantfly 5d ago

It’s not just server-side: A lot of fingerprinting happens client-side, for example using a canvas to check what features your graphics card supports. You can see this in action via services like coveryourtracks.eff.org or amiunique.org

Cover Your Tracks

See how trackers view your browser

IrateAnteater 5d ago

That’s not the fingerprinting happening client side, that’s just information supply. Fingerprinting is about what the server does with that information.

Yeah, but the countermeasures are client-side because that’s what you can control. And some kind FOSS devs out there make it easy to start somewhere decent.

Sent from my LibreWolf

quick_snail 5d ago

Of course you can block fingerprinting. See Tpr Browser. Everyone looks the same.

Or you can change your fingerprint every 30 seconds with a plugin like chameleon.

You know it works when evil sites all ban you because they can’t fingerprint you and track you between sessions anymore

IrateAnteater 5d ago

That’s not blocking the fingerprinting, that obfuscating the data. The fact that you are doing that itself becomes part of the fingerprint being built. Services like Tor or Chameleon don’t stop the fingerprinting process running, they just make it more difficult (but not impossible) to tie the fingerprint to your actual identity.

quick_snail 5d ago

It’s making the fingerprinting efforts useless. Sure, they can do it, but I’m blocking them from being able to uniquely fingerprint me.

quick_snail 5d ago

It’s making the fingerprinting efforts useless. Sure, they can do it, but many of us are blocking them from being able to uniquely fingerprint and track us across the internet

jefferyjefferson 5d ago

This guy fucking sucks.

I hope he gets blacklisted from working with other projects.

2FortGaming 5d ago

Y’all are going after this guy rn but in a few months we should expect more and more distros to do changes like this. So lets think, what is the real issue going on here? The real issue is that these distros are hosted on GitHub, which is a Microsoft company, and they will comply in a heartbeat and take that shit down if the software is against the law. So the two options are to move off Github or wait until it gets taken down, and lawyer up and fight California and Colorado, which if so, we’d better start a fund as a community for some lawyers for these devs.

quick_snail 5d ago

What fucking distro would make this change besides redhat?

@quick_snail @2FortGaming do you measure the extra effort to strip the shit from systemd every single distro will have to do for each new release of the package ?

Pommes_für_dein_Balg 5d ago

Debian, Ubuntu, most of their derivatives except the niche ones, Arch, Endeavor, Manjaro, Fedora. Basically all major ones.
Mark my words.

quick_snail 5d ago

Lol wit. No. Debian, arch, and Fedora are Foss projects. They have no reason to folloa the whims of these stupid laws.

They can just move the code to Iceland or whatever. It’s easy.

Pommes_für_dein_Balg 5d ago

The donations for Debian, Arch and a dozen others are collected and distributed by a non-profit that sits in the US, which also represents them legally. If they’re sued into oblivion, the distros have no more money for hosting their repos.

quick_snail 5d ago

Nope, just change fiscal hosts. It’s really easy.

Pommes_für_dein_Balg 5d ago

Yeah, really easy, just all employees suddenly work for a foreign organisation which pays salary in foreign currency, while they’re still living and expected to pay income tax in the US. Transfers of money and tech are now cross-border and subject to Trump’s Truthed tariffs. All servers have to be transferred to different hosts, all SPF records need to be changed, all contact info updated.
Nothing difficult at all, it’s all really easy.

But hey, they avoided putting an empty data field in their OS, and with their 1% market share they sure sent a strong signal that’ll get lawmakers who have never even heard of Linux to reconsider.

quick_snail 5d ago

Yes. Easy.

May you gain the knowledge to see what you’re saying here. And the emotional maturity to be horrified over it.

ThomasWilliams 4d ago

If they don’t implement they won’t be able to access any site with restricted material.

No major website will willingly exclude California.

quick_snail 4d ago

No, they just have to use a VPN to come from a region that isn’t run by fascists