Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently.
The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects.
But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate.
At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database.
I was expecting civil discourse and a level-headed response.
He may have been hoping for that, but surely he didn’t truely expect it. The FOSS community can barely have a civil discussion about filesystems.
Q. You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it’s birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?
A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren’t in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.
the intellectually diverse lemmings represented in this post and many others cannot understand this
won’t stop them expressing their feelings tho, bless their hearts
At the moment of most intense debates about mandatory age checks and government surveillance you (Dylan) hoped people to be calm about this? Then you my friend are simply delusional. They are angry and for a good reason. Why the rush to comply with a surveillance practice that hasn’t forced on you with some sanction or enforcement. You did not even wait for it to play out. You did not have a discourse about alternatives. You just went ahead and hastily applied a change as if as if doing some sort of coup.
He didn’t apply the change, he proposed it.
And there’s zero surveillance in the change he proposed.If we are going to get stuck in semantics, then he also did not just propose it. Propose would be opening an issue, describing how he would plan to do it and letting people discuss. This is how proposals work. Pushing a very controversial change and getting someone to accept it is not “proposing” when the change is something the community will obviously be so divided over.
And it does not have to implement a full on surveillance mechanism to take a step towards better compliance with possible future surveillance laws. The guy literally said in his comments that this was the intent:
https://github.com/archlinux/archinstall/pull/4290
What the hell are we even discussing here?
A pull request is very much a proposal: It is a proposal to make specific changes to the code-base. The developers are not forced to accept it in any form, and discussions can take place in the pull request, should the developers (or third parties) not agree with (the exact form of) the proposed changes. Which is exactly what happened in the systemd pull request, to the extent that the actual developers had to lock the thread.
In the case of systemd, the “someone”, or rather the “someones”, who accepted the pull request also included the lead developer on the project, namely Lennart Poettering. Who else do you propose should decide what pull requests and other proposals to accept?
Simply not true. In any such project, major proposals first get discussed as issues and community either vets a plan or comes up with an alternative before more solid steps such as PRs start. What is being done here is clearly trying to downplay a major change as a minor one. There are loads of blog posts and discussions on why this isn’t a minor change, especially when the author of the PR himself admits the goal is to comply with age verification laws. I will not get into that here. Suffice to say, at best, this is a political statement of the kind “we are ok to comply with surveillance and will show minimal resistance”. Yet they try to play this as if they are just changing a typo in the documents. Thanks to Lennart for his life long contributions to FOSS, despite him at some point joining Microsoft, the antithesis of everything that is FOSS. I am sure many things he did shaped how the open-source developed on a world-wide level. This still does not mean that his reaction to everything will be correct. To me this was more like a “fuck all, this was a minor change, don’t care what you say” attitude, which in my world-view has place in propriety software world not FOSS.
You’re approaching this with an everyday definition of “proposal”, but in the industry that term is overloaded with more specific meanings.
If you asked 100 random devs, I have no doubt that the majority would call a PR to be something much more concrete than a proposal.
You definitely can’t have your cake and eat it too. Linux for many has been about freedom and privacy. He made a direct contribution toward a system that would help take that away
HEY MY GUY you want a CIVIL discussion about CIVIL DISCUSSION?
/s
Ugh, I’m forking this thread. If you guys can’t agree with me I’ll make my own.
Oh wow, this guy ^ is the best at civil discussion!
Why’d you reply to yourself 😭😭
It’s my thread I can do what I want
we’re what happens when dumpster fighting punks need their laptops to work
He has nothing to defend
The damage is done
He’s a collaborator; we don’t want parasites like him
In free software, there is FREEDOM
I didn’t switch to Linux to end up under the thumb of Microsoft’s henchmen and some random government
Lol.
The free part is you are free to remove the commit and build it yourself. Doofus.
He barely went into developing systemd for two weeks before shoehorning in his bootlicking, he can fuck off. You’re supposed to stick it to the man, not stick up for him
Not surprising, this guy is also onboard with Google locking down Android: https://dylanmtaylor.com/posts/2026-03-19-googles-new-android-sideloading-flow-is-a-fair-trade
One interesting thought I’ve had is actually that if we strip this signal to websites/apps and do not report an age range at all, but the vast majority of users DO, that actually gives us a more unique and trackable browser fingerprint.
As someone who is not a fan of adding the age field I’m curious what people think of this.
This is stupid. We block fingerprinting.
Just because some people are fingerprint able doesn’t mean all of us should suffer and bend at the knee to unjust laws
You can’t really “block” fingerprinting. You can obfuscate it a bit, but the fingerprinting process happens server side, not on your device. So whether or not your system sends whatever age verification signal becomes a part of its fingerprint.
Of course you can block fingerprinting. See Tor Browser. Everyone looks the same.
Or you can change your fingerprint every 30 seconds with a plugin like chameleon.
You know it works when evil sites all ban you because they can’t fingerprint you and track you between sessions anymore
That’s not blocking the fingerprinting, that obfuscating the data. The fact that you are doing that itself becomes part of the fingerprint being built. Services like Tor or Chameleon don’t stop the fingerprinting process running, they just make it more difficult (but not impossible) to tie the fingerprint to your actual identity.
It’s not just server-side: A lot of fingerprinting happens client-side, for example using a canvas to check what features your graphics card supports. You can see this in action via services like https://coveryourtracks.eff.org/ or https://amiunique.org/
That’s not the fingerprinting happening client side, that’s just information supply. Fingerprinting is about what the server does with that information.
Fuck him. As another user put it best: https://piefed.social/comment/10665234
I can’t help but feel bad for Dylan. It’s not like if he hadn’t done this someone else wouldn’t have had to eventually.
Why not wait until it becomes absolutely necessary and all other alternatives are exhausted? The mandatory age check thing hasn’t been even accepted whole US wide let alone world-wide. He did not even wait for ut to play out. What is with the enthusiasm to jump on board with this?
Woah, fuck this guy. He admitted the change was for the purpose of complying with these laws
It’s a fucking field. Why is everyone loosing his mind over it? It’s not like it is required, nor will it prevent you to do anything if you put data in (except not being able to change it later).
If you have to complain, complain about the law, not poor guy that has to add it, by law.
A single law pushed through in a single state in a single country should not lead to systemic changes in FOSS projects used worldwide.
That field is here to allow the support of it, not to make it required everywhere.
Seatbelts isn’t required everywhere, but car maker won’t make two version of a car, one that support seatbelts, and one that doesn’t. They will make one model, with the required attach points to install a seatbelt, and install an actual seatbelt only on cars that goes somewhere where it is mandatory.
Here we are in a similar situation. That field is here to make of possible for OS to support that law, but it doesn’t mean we’ll all have to conform to that law unless you live in a country that have said law.
The largest state in the union that has a GDP larger than many countries.
No. Don’t follow unjust laws.
Especially Foss projects which don’t have to follow laws, because they are outside their jurisdiction
Open-sourcing a software doesn’t make it magically immune to laws.
Of course it does. Do you know how laws work?
Who broke the law if the owner is everyone?
An open source software is, by law, the maintainer’s (which can be an individual, or a group of persons) property. It is said maintainer who has the right to grant you any kind of license over what he owns.
In the case of an open-source project, that license is very permissive, true, but if you take the time to read any of those, you will always see :
- A provision indicating that the owners grants that licence within the limits of the applicable laws
- Sometimes a provision indicating under which juridiction said license is granted. If not, the user local laws are the ones used.
Source : the fucking law and the fucking licenses. And my friend, which happens to be a lawyer specialized in intellectual property laws.
What do you mean, he “admitted” that?
It’s quite literally the first thing he wrote in his pull request to systemd:
Stores the user’s birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
And the second paragraph of his pull request to arch:
Recent age verification laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. require platforms to verify user age. Collecting birth date at install time ensures Arch Linux is compliant with these regulations.
Y’all are going after this guy rn but in a few months we should expect more and more distros to do changes like this. So lets think, what is the real issue going on here? The real issue is that these distros are hosted on GitHub, which is a Microsoft company, and they will comply in a heartbeat and take that shit down if the software is against the law. So the two options are to move off Github or wait until it gets taken down, and lawyer up and fight California and Colorado, which if so, we’d better start a fund as a community for some lawyers for these devs.
Why would I want some stupid verification field needed only in one state in one country I don’t even live in? It shouldn’t be in my FOSS when it is not required in my home location. I would like to stay as far away from a dystopian police state as possible, tyvm. No lawyers needed; I’m not in their jurisdiction.
Like ur right, it’s total bull that this shit affects you. But the only way they could keep you totally isolated would be to host and finance an entire instance in your county, which ain’t easy for a FOSS project. Like it absolutely sucks that large parts of the world have to bend to the will of American and, to a lesser extent, European tech.
What fucking distro would make this change besides redhat?
Debian, Ubuntu, most of their derivatives except the niche ones, Arch, Endeavor, Manjaro, Fedora. Basically all major ones.
Mark my words.Lol wit. No. Debian, arch, and Fedora are Foss projects. They have no reason to follow the whims of these stupid laws.
They can just move the code to Iceland or whatever. It’s easy.
If they don’t implement they won’t be able to access any site with restricted material.
No major website will willingly exclude California.
No, they just have to use a VPN to come from a region that isn’t run by fascists
The donations for Debian, Arch and a dozen others are collected and distributed by a non-profit that sits in the US, which also represents them legally. If they’re sued into oblivion, the distros have no more money for hosting their repos.
Nope, just change fiscal hosts. It’s really easy.
Yeah, really easy, just all employees suddenly work for a foreign organisation which pays salary in foreign currency, while they’re still living and expected to pay income tax in the US. Transfers of money and tech are now cross-border and subject to Trump’s Truthed tariffs. All servers have to be transferred to different hosts, all SPF records need to be changed, all contact info updated.
Nothing difficult at all, it’s all really easy.But hey, they avoided putting an empty data field in their OS, and with their 1% market share they sure sent a strong signal that’ll get lawmakers who have never even heard of Linux to reconsider.
May you gain the knowledge to see what you’re saying here. And the emotional maturity to be horrified over it.
Yes. Easy.
Also wtf we’re talking about Foss software projects that have no employees.
Look, it sucks that they’re complaying early with no push back ok. Like not even watiing until the law goes into affect at the least. But what else are they supposed to do besides comply, get off Github or lawyer up when the time comes. If you don’t belive they can move off GIthub then we, as a community, should try to support these devs for a legal battle with the state. I don’t care about this guy, I care about long term solutions to protect our privicy. And to answer your question I don’t think many distos are going to switch off Github, that is a laborus task. I just don’t know what other solutions to this problem are besides this
Lawyer up? Who are they going to sue? Most Foss projects are not a legal entity.
For the few that are (eg connnical) they can just move the org to Canada or Mexico or wherever in Europe that doesn’t have insane laws.
Everyone continues to work remotely. It’s easy.
They will get kicked off Github by Microsoft when they get somthing in the mail by the state of California for hosting content that vilolates the law.
So they push to codeberg. What’s your point?
Git is decentralized. You’re not citing a problem that can’t be fixed in a few hours.
Being on Linux and in control of your OS couldn’t you just set the age statically to something like 99? I really do not understand the hate :/
I really do not understand the hate :/
The itsfoss interviewer goes into this:
A lot of backlash isn’t about the code change, but about what it represents.
You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies.
Do you think regulations like these will reshape desktop Linux in the next 5-10 years where we might have “compliant Linux” and “Freedom-first Linux”?
Sam Bent’s article also goes into this (although, fuck that clickbait title): https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/
He read the laws, decided compliance was the correct response, and went to work. Every objection the community raised went nowhere: that this enables surveillance infrastructure, that lying is trivially easy, that the laws themselves are unconstitutional overreach. He’d already accepted the law as legitimate and moved to implementation.
He read the law, took it at face value, and started writing code. The word for what that is sits somewhere past malice, something more insidious: an engineer who treats compliance as engineering, who sees a legal requirement the way he sees a technical specification, and will implement whatever the spec says regardless of who wrote the spec or why.
The reason to name him is the pattern. The surveillance state runs on volunteers: people who do the implementation work for free, out of genuine conviction, with no paper trail connecting them to the money that wrote the laws.
Compliance with fascism is definitely not the correct response
