Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently.
The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects.
But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate.
At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database.
He has nothing to defend
The damage is done
He’s a collaborator; we don’t want parasites like him
In free software, there is FREEDOM
I didn’t switch to Linux to end up under the thumb of Microsoft’s henchmen and some random government
Lol.
The free part is you are free to remove the commit and build it yourself. Doofus.
I was expecting civil discourse and a level-headed response.
He may have been hoping for that, but surely he didn’t truely expect it. The FOSS community can barely have a civil discussion about filesystems.
You definitely can’t have your cake and eat it too. Linux for many has been about freedom and privacy. He made a direct contribution toward a system that would help take that away
Q. You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it’s birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?
A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren’t in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.
the intellectually diverse lemmings represented in this post and many others cannot understand this
won’t stop them expressing their feelings tho, bless their hearts
That’s a sound argument, mostly (in the quote, i mean)
If the technical implementation of how they would try and force age verification was the problem people were concerned about, this take would be very useful.
Physical locks on glass doors are easy to bypass, doesn’t mean you won’t get shafted if someone just so happens to catch you in the act.
If third party age verification is legally mandated the implementation being technically difficult (or easy to bypass) doesn’t stop it from being illegal.
Being a condescending prick works better if the position you take is unassailable, you do you though.
At the moment of most intense debates about mandatory age checks and government surveillance you (Dylan) hoped people to be calm about this? Then you my friend are simply delusional. They are angry and for a good reason. Why the rush to comply with a surveillance practice that hasn’t forced on you with some sanction or enforcement. You did not even wait for it to play out. You did not have a discourse about alternatives. You just went ahead and hastily applied a change as if as if doing some sort of coup.
He didn’t apply the change, he proposed it.
And there’s zero surveillance in the change he proposed.If we are going to get stuck in semantics, then he also did not just propose it. Propose would be opening an issue, describing how he would plan to do it and letting people discuss. This is how proposals work. Pushing a very controversial change and getting someone to accept it is not “proposing” when the change is something the community will obviously be so divided over.
And it does not have to implement a full on surveillance mechanism to take a step towards better compliance with possible future surveillance laws. The guy literally said in his comments that this was the intent:
https://github.com/archlinux/archinstall/pull/4290
What the hell are we even discussing here?
A pull request is very much a proposal: It is a proposal to make specific changes to the code-base. The developers are not forced to accept it in any form, and discussions can take place in the pull request, should the developers (or third parties) not agree with (the exact form of) the proposed changes. Which is exactly what happened in the systemd pull request, to the extent that the actual developers had to lock the thread.
In the case of systemd, the “someone”, or rather the “someones”, who accepted the pull request also included the lead developer on the project, namely Lennart Poettering. Who else do you propose should decide what pull requests and other proposals to accept?
You’re approaching this with an everyday definition of “proposal”, but in the industry that term is overloaded with more specific meanings.
If you asked 100 random devs, I have no doubt that the majority would call a PR to be something much more concrete than a proposal.
HEY MY GUY you want a CIVIL discussion about CIVIL DISCUSSION?
/s
Ugh, I’m forking this thread. If you guys can’t agree with me I’ll make my own.
How nation states were formed
Oh wow, this guy ^ is the best at civil discussion!
Why’d you reply to yourself 😭😭
It’s my thread I can do what I want
That’s a rather negative view. There’s a big difference between people who actually contribute to FOSS (in any way, not just code) and random keyboard warriors in the contents. Sure, there’s always some drama somewhere, but that’s not exclusive to FOSS.
There’s also a massive difference when one proactively participates in destroying linux users’ freedom, one of the pillars of foss
we’re what happens when dumpster fighting punks need their laptops to work
Not surprising, this guy is also onboard with Google locking down Android: https://dylanmtaylor.com/posts/2026-03-19-googles-new-android-sideloading-flow-is-a-fair-trade
He barely went into developing systemd for two weeks before shoehorning in his bootlicking, he can fuck off. You’re supposed to stick it to the man, not stick up for him
Woah, fuck this guy. He admitted the change was for the purpose of complying with these laws
It’s a fucking field. Why is everyone loosing his mind over it? It’s not like it is required, nor will it prevent you to do anything if you put data in (except not being able to change it later).
If you have to complain, complain about the law, not poor guy that has to add it, by law.
A single law pushed through in a single state in a single country should not lead to systemic changes in FOSS projects used worldwide.
That field is here to allow the support of it, not to make it required everywhere.
Seatbelts isn’t required everywhere, but car maker won’t make two version of a car, one that support seatbelts, and one that doesn’t. They will make one model, with the required attach points to install a seatbelt, and install an actual seatbelt only on cars that goes somewhere where it is mandatory.
Here we are in a similar situation. That filed is here to make of possible for OS to support that law, but it doesn’t mean we’ll all have to conform to that law unless you live in a country that have said law.
The largest state in the union that has a GDP larger than many countries.
No. Don’t follow unjust laws.
Especially Foss projects which don’t have to follow laws, because they are outside their jurisdiction
Open-sourcing a software doesn’t make it magically immune to laws.
Of course it does. Do you know how laws work?
Who broke the law if the owner is everyone?
An open source software is, by law, the maintainer’s (which can be an individual, or a group of persons) property. It is said maintainer who has the right to grant you any kind of license over what he owns.
In the case of an open-source project, that license is very permissive, true, but if you take the time to read any of those, you will always see :
- A provision indicating that the owners grants that licence within the limits of the applicable laws
- Sometimes a provision indicating under which juridiction said license is granted. If not, the user local laws are the ones used.
Source : the fucking law and the fucking licenses. And my friend, which happens to be a lawyer specialized in intellectual property laws.
What do you mean, he “admitted” that?
It’s quite literally the first thing he wrote in his pull request to systemd:
Stores the user’s birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
And the second paragraph of his pull request to arch:
Recent age verification laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. require platforms to verify user age. Collecting birth date at install time ensures Arch Linux is compliant with these regulations.
Yeah, I didn’t think he was being ap transparent that he was doing something evil
This guy fucking sucks.
I hope he gets blacklisted from working with other projects.
Fuck him. As another user put it best: https://piefed.social/comment/10665234
I can’t help but feel bad for Dylan. It’s not like if he hadn’t done this someone else wouldn’t have had to eventually.
It’s not like he had no way of thinking, “Geez, I don’t have the experience or knowledge or insignts to start the ball rolling on such a major decision.” and went on to do something useful instead.
Why not let someone else do it then? Why eagerly sign up to be the one to do it?
Because he’s a slimy piece of shit.
It’s not necessary. But also, where’s the hate against the ass that merged this PR. They’re worse.
Why not wait until it becomes absolutely necessary and all other alternatives are exhausted? The mandatory age check thing hasn’t been even accepted whole US wide let alone world-wide. He did not even wait for ut to play out. What is with the enthusiasm to jump on board with this?
Blessings to you young bootlicker. May you pay escalating subscriptions and own nothing eternally, forevermore, amen.
He brought this on himself.
Being on Linux and in control of your OS couldn’t you just set the age statically to something like 99? I really do not understand the hate :/
I really do not understand the hate :/
The itsfoss interviewer goes into this:
A lot of backlash isn’t about the code change, but about what it represents.
You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies.
Do you think regulations like these will reshape desktop Linux in the next 5-10 years where we might have “compliant Linux” and “Freedom-first Linux”?
Sam Bent’s article also goes into this (although, fuck that clickbait title): https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/
He read the laws, decided compliance was the correct response, and went to work. Every objection the community raised went nowhere: that this enables surveillance infrastructure, that lying is trivially easy, that the laws themselves are unconstitutional overreach. He’d already accepted the law as legitimate and moved to implementation.
He read the law, took it at face value, and started writing code. The word for what that is sits somewhere past malice, something more insidious: an engineer who treats compliance as engineering, who sees a legal requirement the way he sees a technical specification, and will implement whatever the spec says regardless of who wrote the spec or why.
The reason to name him is the pattern. The surveillance state runs on volunteers: people who do the implementation work for free, out of genuine conviction, with no paper trail connecting them to the money that wrote the laws.
Compliance with fascism is definitely not the correct response
deleted by creator
One interesting thought I’ve had is actually that if we strip this signal to websites/apps and do not report an age range at all, but the vast majority of users DO, that actually gives us a more unique and trackable browser fingerprint.
As someone who is not a fan of adding the age field I’m curious what people think of this.
This is stupid. We block fingerprinting.
Just because some people are fingerprint able doesn’t mean all of us should suffer and bend at the knee to unjust laws
You can’t really “block” fingerprinting. You can obfuscate it a bit, but the fingerprinting process happens server side, not on your device. So whether or not your system sends whatever age verification signal becomes a part of its fingerprint.
It’s not just server-side: A lot of fingerprinting happens client-side, for example using a canvas to check what features your graphics card supports. You can see this in action via services like https://coveryourtracks.eff.org/ or https://amiunique.org/
That’s not the fingerprinting happening client side, that’s just information supply. Fingerprinting is about what the server does with that information.
Yeah, but the countermeasures are client-side because that’s what you can control. And some kind FOSS devs out there make it easy to start somewhere decent.
- Sent from my LibreWolf
Of course you can block fingerprinting. See Tor Browser. Everyone looks the same.
Or you can change your fingerprint every 30 seconds with a plugin like chameleon.
You know it works when evil sites all ban you because they can’t fingerprint you and track you between sessions anymore
That’s not blocking the fingerprinting, that obfuscating the data. The fact that you are doing that itself becomes part of the fingerprint being built. Services like Tor or Chameleon don’t stop the fingerprinting process running, they just make it more difficult (but not impossible) to tie the fingerprint to your actual identity.
It’s making the fingerprinting efforts useless. Sure, they can do it, but many of us are blocking them from being able to uniquely fingerprint and track us across the internet
deleted by creator
It’s not stupid insofar that it is an additional fingerprintable data point. But it’s obviously still much harder to fingerprint you if many users share the same value that you have, so it is invalid.
Y’all are going after this guy rn but in a few months we should expect more and more distros to do changes like this. So lets think, what is the real issue going on here? The real issue is that these distros are hosted on GitHub, which is a Microsoft company, and they will comply in a heartbeat and take that shit down if the software is against the law. So the two options are to move off Github or wait until it gets taken down, and lawyer up and fight California and Colorado, which if so, we’d better start a fund as a community for some lawyers for these devs.
Why would I want some stupid verification field needed only in one state in one country I don’t even live in? It shouldn’t be in my FOSS when it is not required in my home location. I would like to stay as far away from a dystopian police state as possible, tyvm. No lawyers needed; I’m not in their jurisdiction.
Like ur right, it’s total bull that this shit affects you. But the only way they could keep you totally isolated would be to host and finance an entire instance in your county, which ain’t easy for a FOSS project. Like it absolutely sucks that large parts of the world have to bend to the will of American and, to a lesser extent, European tech.
One place in one country wants one law. That place in that country will have to isolate its citizens from the rest of the world. Not force the world to play by their rules. Everyone who bends the knee to this kind of overzealous information gathering should be excised from FOSS communities as it only leads to worse things down the line. Every single piece of PID can be connected to all other previously disclosed PID even after “anonymisation” has been applied. Google and Meta do nothing else on the daily.
That’s sadly not how the world works. The code for the most popular distros is posted and maintained on Github which is owned by Microsoft, a US company. If the state of California sees that Github is hosting illegal content, they will block that site and Microsoft isn’t going to want that site to be blocked in the state that Sillicon Vally is located in. All financial institutions that are located in America are also not going to let themselves be open to any form of lawsuit from the state of California for allowing transactions for “illegal” software and will instead block donations. It sucks but most FOSS projects rely on these shitty companies to run, and these corps would rather sack any project than let the smallest possibility of a lawsuit happen. So basically, the USA sucks and other countries will hopefully stop relying on this shitty country
What fucking distro would make this change besides redhat?
Debian, Ubuntu, most of their derivatives except the niche ones, Arch, Endeavor, Manjaro, Fedora. Basically all major ones.
Mark my words.Lol wit. No. Debian, arch, and Fedora are Foss projects. They have no reason to follow the whims of these stupid laws.
They can just move the code to Iceland or whatever. It’s easy.
If they don’t implement they won’t be able to access any site with restricted material.
No major website will willingly exclude California.
No, they just have to use a VPN to come from a region that isn’t run by fascists
The donations for Debian, Arch and a dozen others are collected and distributed by a non-profit that sits in the US, which also represents them legally. If they’re sued into oblivion, the distros have no more money for hosting their repos.
Nope, just change fiscal hosts. It’s really easy.
Yeah, really easy, just all employees suddenly work for a foreign organisation which pays salary in foreign currency, while they’re still living and expected to pay income tax in the US. Transfers of money and tech are now cross-border and subject to Trump’s Truthed tariffs. All servers have to be transferred to different hosts, all SPF records need to be changed, all contact info updated.
Nothing difficult at all, it’s all really easy.But hey, they avoided putting an empty data field in their OS, and with their 1% market share they sure sent a strong signal that’ll get lawmakers who have never even heard of Linux to reconsider.
May you gain the knowledge to see what you’re saying here. And the emotional maturity to be horrified over it.
Yes. Easy.
Also wtf we’re talking about Foss software projects that have no employees.
Look, it sucks that they’re complaying early with no push back ok. Like not even watiing until the law goes into affect at the least. But what else are they supposed to do besides comply, get off Github or lawyer up when the time comes. If you don’t belive they can move off GIthub then we, as a community, should try to support these devs for a legal battle with the state. I don’t care about this guy, I care about long term solutions to protect our privicy. And to answer your question I don’t think many distos are going to switch off Github, that is a laborus task. I just don’t know what other solutions to this problem are besides this
Lawyer up? Who are they going to sue? Most Foss projects are not a legal entity.
For the few that are (eg connnical) they can just move the org to Canada or Mexico or wherever in Europe that doesn’t have insane laws.
Everyone continues to work remotely. It’s easy.
They will get kicked off Github by Microsoft when they get somthing in the mail by the state of California for hosting content that vilolates the law.
So they push to codeberg. What’s your point?
Git is decentralized. You’re not citing a problem that can’t be fixed in a few hours.
That is literally my point. But i think you’re underestimating how difficult a task like that is not only just to migrate but also to learn new tools, if it were so easy, why haven’t they done it yet? Not to mention the servers and fiscal activity done in the US that will also be targeted and moving to places like the EU where they are already implementing ID verification laws isn’t a good idea. They’d have to move them to other countries that are less likely to do such a thing, but there are no guarantees those countries will stay safe. So do you think the devs would rather do all that or add an age field that is stored locally? If the laws get worse (which they very well might), we should start funding campaigns that try to fight these laws through legal means and through awareness, this is personally what I think is the best idea but I’m open to hearing other methods. Getting mad at this one guy is doing nothing and if anything, will make devs not want to maintain these projects.
