Mastodawn

Inside the Systemd Age Verification Debate: Developer Responds to Criticism

https://europe.pub/post/10762385

Inside the Systemd Age Verification Debate: Developer Responds to Criticism - Europe Pub

>Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently. > >The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects. > >But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate. > >At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database.

I was expecting civil discourse and a level-headed response.

He may have been hoping for that, but surely he didn’t truely expect it. The FOSS community can barely have a civil discussion about filesystems.

breadsmasher 6d ago

HEY MY GUY you want a CIVIL discussion about CIVIL DISCUSSION?

/s

panda_abyss 6d ago

Ugh, I’m forking this thread. If you guys can’t agree with me I’ll make my own.

panda_abyss 6d ago

Oh wow, this guy ^ is the best at civil discussion!

Linearity 6d ago

Why’d you reply to yourself 😭😭

panda_abyss 5d ago

It’s my thread I can do what I want

How nation states were formed

The D Quuuuuill 6d ago

we’re what happens when dumpster fighting punks need their laptops to work

Avicenna 6d ago

At the moment of most intense debates about mandatory age checks and government surveillance you hoped people to be calm about this? Then you my friend are simply delusional. They are angry and for a good reason. Why the rush to comply with a surveillance practice that hasn’t forced on you with some sanction or enforcement. You did not even wait for it to play out. You did not have a discourse about alternatives. You just went ahead and hastily applied a change as if as if doing some sort of coup.

Pommes_für_dein_Balg 5d ago

He didn’t apply the change, he proposed it.
And there’s zero surveillance in the change he proposed.

Avicenna 5d ago

If we are going to get stuck in semantics, then he also did not just propose it. Propose would be opening an issue, describing how he would plan to do it and letting people discuss. This is how proposals work. Pushing a very controversial change and getting someone to accept it is not “proposing” when the change is something the community will obviously be so divided over.

And it does not have to implement a full on surveillance mechanism to take a step towards better compliance with possible future surveillance laws. The guy literally said in his comments that this was the intent:

github.com/archlinux/archinstall/pull/4290

What the hell are we even discussing here?

user: add required birth date field to user creation by dylanmtaylor · Pull Request #4290 · archlinux/archinstall

Add a required birth date prompt (YYYY-MM-DD) to the user creation flow, stored as a systemd userdb JSON drop-in at /etc/userdb/<user>.user on the target system. Motivation Recent age verific...

GitHub

fruitcantfly 5d ago

A pull request is very much a proposal: It is a proposal to make specific changes to the code-base. The developers are not forced to accept it in any form, and discussions can take place in the pull request, should the developers (or third parties) not agree with (the exact form of) the proposed changes. Which is exactly what happened in the systemd pull request, to the extent that the actual developers had to lock the thread.

In the case of systemd, the “someone”, or rather the “someones”, who accepted the pull request also included the lead developer on the project, namely Lennart Poettering

userdb: add birthDate field to JSON user records by dylanmtaylor · Pull Request #40954 · systemd/systemd

Stores the user's birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. The xdg-desktop-portal project is addi...

GitHub

FooBarrington 5d ago

You’re approaching this with an everyday definition of “proposal”, but in the industry that term is overloaded with more specific meanings.

If you asked 100 random devs, I have no doubt that the majority would call a PR to be something much more concrete than a proposal.

Avicenna 3d ago

Simply not true. In any such project, major proposals first get discussed as issues and community either vets a plan or comes up with an alternative before more solid steps such as PRs start. What is being done here is clearly trying to downplay a major change as a minor one. There are loads of blog posts and discussions on why this isn’t a minor change, especially when the author of the PR himself admits the goal is to comply with age verification laws. I will not get into that here. Suffice to say, at best, this is a political statement of the kind “we are ok to comply with surveillance and will show minimal resistance”. Yet they try to play this as if they are just changing a typo in the documents. Thanks to Lennart for his life long contributions to FOSS, despite him at some point joining Microsoft, the antithesis of everything that is FOSS. I am sure many things he did shaped how the open-source developed on a world-wide level. This still does not mean that his reaction to everything will be correct. To me this was more like a “fuck all, this was a minor change, don’t care what you say” attitude, which in my world-view has place in propriety software world not FOSS.

Overspark 5d ago

That’s a rather negative view. There’s a big difference between people who actually contribute to FOSS (in any way, not just code) and random keyboard warriors in the contents. Sure, there’s always some drama somewhere, but that’s not exclusive to FOSS.

There’s also a massive difference when ine participates in destroying linux users’ freedom, one of the pillars of foss

Q. You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it’s birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?

A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren’t in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.

the intellectually diverse lemmings represented in this post and many others cannot understand this

won’t stop them expressing their feelings tho, bless their hearts

That’s a sound argument, mostly.

If the technical implementation of how they would try and force age verification was the problem people were concerned about this take would be very useful.

Physical locks on glass doors are easy to bypass, doesn’t mean you won’t get shafted if someone just so happens to catch you in the act.

If third party age verification is legally mandated the implementation being technical difficult (or easy to bypass) doesn’t stop it from being illegal.

Being a condescending prick works better if the position you take is unassailable, you do you though.

tangonov 5d ago

You definitely can’t have your cake and eat it too. Linux for many has been about freedom and privacy. He made a direct contribution toward a system that would help take that away