Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently.
The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects.
But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate.
At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database.
Not surprising, this guy is also onboard with Google locking down Android: https://dylanmtaylor.com/posts/2026-03-19-googles-new-android-sideloading-flow-is-a-fair-trade
I was expecting civil discourse and a level-headed response.
He may have been hoping for that, but surely he didn’t truely expect it. The FOSS community can barely have a civil discussion about filesystems.
You definitely can’t have your cake and eat it too. Linux for many has been about freedom and privacy. He made a direct contribution toward a system that would help take that away
Q. You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it’s birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?
A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren’t in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.
the intellectually diverse lemmings represented in this post and many others cannot understand this
won’t stop them expressing their feelings tho, bless their hearts
That’s a sound argument, mostly (in the quote, i mean)
If the technical implementation of how they would try and force age verification was the problem people were concerned about, this take would be very useful.
Physical locks on glass doors are easy to bypass, doesn’t mean you won’t get shafted if someone just so happens to catch you in the act.
If third party age verification is legally mandated the implementation being technically difficult (or easy to bypass) doesn’t stop it from being illegal.
Being a condescending prick works better if the position you take is unassailable, you do you though.
At the moment of most intense debates about mandatory age checks and government surveillance you (Dylan) hoped people to be calm about this? Then you my friend are simply delusional. They are angry and for a good reason. Why the rush to comply with a surveillance practice that hasn’t forced on you with some sanction or enforcement. You did not even wait for it to play out. You did not have a discourse about alternatives. You just went ahead and hastily applied a change as if as if doing some sort of coup.
He didn’t apply the change, he proposed it.
And there’s zero surveillance in the change he proposed.If we are going to get stuck in semantics, then he also did not just propose it. Propose would be opening an issue, describing how he would plan to do it and letting people discuss. This is how proposals work. Pushing a very controversial change and getting someone to accept it is not “proposing” when the change is something the community will obviously be so divided over.
And it does not have to implement a full on surveillance mechanism to take a step towards better compliance with possible future surveillance laws. The guy literally said in his comments that this was the intent:
https://github.com/archlinux/archinstall/pull/4290
What the hell are we even discussing here?
A pull request is very much a proposal: It is a proposal to make specific changes to the code-base. The developers are not forced to accept it in any form, and discussions can take place in the pull request, should the developers (or third parties) not agree with (the exact form of) the proposed changes. Which is exactly what happened in the systemd pull request, to the extent that the actual developers had to lock the thread.
In the case of systemd, the “someone”, or rather the “someones”, who accepted the pull request also included the lead developer on the project, namely Lennart Poettering. Who else do you propose should decide what pull requests and other proposals to accept?
You’re approaching this with an everyday definition of “proposal”, but in the industry that term is overloaded with more specific meanings.
If you asked 100 random devs, I have no doubt that the majority would call a PR to be something much more concrete than a proposal.
That’s a rather negative view. There’s a big difference between people who actually contribute to FOSS (in any way, not just code) and random keyboard warriors in the contents. Sure, there’s always some drama somewhere, but that’s not exclusive to FOSS.
There’s also a massive difference when one proactively participates in destroying linux users’ freedom, one of the pillars of foss
HEY MY GUY you want a CIVIL discussion about CIVIL DISCUSSION?
/s
Ugh, I’m forking this thread. If you guys can’t agree with me I’ll make my own.
How nation states were formed
Oh wow, this guy ^ is the best at civil discussion!
Why’d you reply to yourself 😭😭
It’s my thread I can do what I want
we’re what happens when dumpster fighting punks need their laptops to work
He barely went into developing systemd for two weeks before shoehorning in his bootlicking, he can fuck off. You’re supposed to stick it to the man, not stick up for him
Fuck him. As another user put it best: https://piefed.social/comment/10665234
One interesting thought I’ve had is actually that if we strip this signal to websites/apps and do not report an age range at all, but the vast majority of users DO, that actually gives us a more unique and trackable browser fingerprint.
As someone who is not a fan of adding the age field I’m curious what people think of this.
This is stupid. We block fingerprinting.
Just because some people are fingerprint able doesn’t mean all of us should suffer and bend at the knee to unjust laws
You can’t really “block” fingerprinting. You can obfuscate it a bit, but the fingerprinting process happens server side, not on your device. So whether or not your system sends whatever age verification signal becomes a part of its fingerprint.
Of course you can block fingerprinting. See Tor Browser. Everyone looks the same.
Or you can change your fingerprint every 30 seconds with a plugin like chameleon.
You know it works when evil sites all ban you because they can’t fingerprint you and track you between sessions anymore
That’s not blocking the fingerprinting, that obfuscating the data. The fact that you are doing that itself becomes part of the fingerprint being built. Services like Tor or Chameleon don’t stop the fingerprinting process running, they just make it more difficult (but not impossible) to tie the fingerprint to your actual identity.
It’s making the fingerprinting efforts useless. Sure, they can do it, but many of us are blocking them from being able to uniquely fingerprint and track us across the internet
deleted by creator
It’s not just server-side: A lot of fingerprinting happens client-side, for example using a canvas to check what features your graphics card supports. You can see this in action via services like https://coveryourtracks.eff.org/ or https://amiunique.org/
That’s not the fingerprinting happening client side, that’s just information supply. Fingerprinting is about what the server does with that information.
It’s not stupid insofar that it is an additional fingerprintable data point. But it’s obviously still much harder to fingerprint you if many users share the same value that you have, so it is invalid.
Woah, fuck this guy. He admitted the change was for the purpose of complying with these laws
It’s a fucking field. Why is everyone loosing his mind over it? It’s not like it is required, nor will it prevent you to do anything if you put data in (except not being able to change it later).
If you have to complain, complain about the law, not poor guy that has to add it, by law.
No. Don’t follow unjust laws.
Especially Foss projects which don’t have to follow laws, because they are outside their jurisdiction
Open-sourcing a software doesn’t make it magically immune to laws.
Of course it does. Do you know how laws work?
Who broke the law if the owner is everyone?
An open source software is, by law, the maintainer’s (which can be an individual, or a group of persons) property. It is said maintainer who has the right to grant you any kind of license over what he owns.
In the case of an open-source project, that license is very permissive, true, but if you take the time to read any of those, you will always see :
- A provision indicating that the owners grants that licence within the limits of the applicable laws
- Sometimes a provision indicating under which juridiction said license is granted. If not, the user local laws are the ones used.
Source : the fucking law and the fucking licenses. And my friend, which happens to be a lawyer specialized in intellectual property laws.
What do you mean, he “admitted” that?
It’s quite literally the first thing he wrote in his pull request to systemd:
Stores the user’s birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
And the second paragraph of his pull request to arch:
Recent age verification laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. require platforms to verify user age. Collecting birth date at install time ensures Arch Linux is compliant with these regulations.
Yeah, I didn’t think he was being ap transparent that he was doing something evil
Being on Linux and in control of your OS couldn’t you just set the age statically to something like 99? I really do not understand the hate :/
I really do not understand the hate :/
The itsfoss interviewer goes into this:
A lot of backlash isn’t about the code change, but about what it represents.
You say this is “just attestation, not verification” but we know that infrastructure always gets repurposed later. This is where the legit fear lies.
Do you think regulations like these will reshape desktop Linux in the next 5-10 years where we might have “compliant Linux” and “Freedom-first Linux”?
Sam Bent’s article also goes into this (although, fuck that clickbait title): https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/
He read the laws, decided compliance was the correct response, and went to work. Every objection the community raised went nowhere: that this enables surveillance infrastructure, that lying is trivially easy, that the laws themselves are unconstitutional overreach. He’d already accepted the law as legitimate and moved to implementation.
He read the law, took it at face value, and started writing code. The word for what that is sits somewhere past malice, something more insidious: an engineer who treats compliance as engineering, who sees a legal requirement the way he sees a technical specification, and will implement whatever the spec says regardless of who wrote the spec or why.
The reason to name him is the pattern. The surveillance state runs on volunteers: people who do the implementation work for free, out of genuine conviction, with no paper trail connecting them to the money that wrote the laws.
Compliance with fascism is definitely not the correct response
deleted by creator
Y’all are going after this guy rn but in a few months we should expect more and more distros to do changes like this. So lets think, what is the real issue going on here? The real issue is that these distros are hosted on GitHub, which is a Microsoft company, and they will comply in a heartbeat and take that shit down if the software is against the law. So the two options are to move off Github or wait until it gets taken down, and lawyer up and fight California and Colorado, which if so, we’d better start a fund as a community for some lawyers for these devs.
What fucking distro would make this change besides redhat?
Look, it sucks that they’re complaying early with no push back ok. Like not even watiing until the law goes into affect at the least. But what else are they supposed to do besides comply, get off Github or lawyer up when the time comes. If you don’t belive they can move off GIthub then we, as a community, should try to support these devs for a legal battle with the state. I don’t care about this guy, I care about long term solutions to protect our privicy. And to answer your question I don’t think many distos are going to switch off Github, that is a laborus task. I just don’t know what other solutions to this problem are besides this
Lawyer up? Who are they going to sue? Most Foss projects are not a legal entity.
For the few that are (eg connnical) they can just move the org to Canada or Mexico or wherever in Europe that doesn’t have insane laws.
Everyone continues to work remotely. It’s easy.
They will get kicked off Github by Microsoft when they get somthing in the mail by the state of California for hosting content that vilolates the law.
So they push to codeberg. What’s your point?
Git is decentralized. You’re not citing a problem that can’t be fixed in a few hours.
That is literally my point. But i think you’re underestimating how difficult a task like that is not only just to migrate but also to learn new tools, if it were so easy, why haven’t they done it yet? Not to mention the servers and fiscal activity done in the US that will also be targeted and moving to places like the EU where they are already implementing ID verification laws isn’t a good idea. They’d have to move them to other countries that are less likely to do such a thing, but there are no guarantees those countries will stay safe. So do you think the devs would rather do all that or add an age field that is stored locally? If the laws get worse (which they very well might), we should start funding campaigns that try to fight these laws through legal means and through awareness, this is personally what I think is the best idea but I’m open to hearing other methods. Getting mad at this one guy is doing nothing and if anything, will make devs not want to maintain these projects.
Debian, Ubuntu, most of their derivatives except the niche ones, Arch, Endeavor, Manjaro, Fedora. Basically all major ones.
Mark my words.Lol wit. No. Debian, arch, and Fedora are Foss projects. They have no reason to folloa the whims of these stupid laws.
They can just move the code to Iceland or whatever. It’s easy.
The donations for Debian, Arch and a dozen others are collected and distributed by a non-profit that sits in the US, which also represents them legally. If they’re sued into oblivion, the distros have no more money for hosting their repos.
Nope, just change fiscal hosts. It’s really easy.
Yeah, really easy, just all employees suddenly work for a foreign organisation which pays salary in foreign currency, while they’re still living and expected to pay income tax in the US. Transfers of money and tech are now cross-border and subject to Trump’s Truthed tariffs. All servers have to be transferred to different hosts, all SPF records need to be changed, all contact info updated.
Nothing difficult at all, it’s all really easy.But hey, they avoided putting an empty data field in their OS, and with their 1% market share they sure sent a strong signal that’ll get lawmakers who have never even heard of Linux to reconsider.
Yes. Easy.
Also wtf we’re talking about Foss software projects that have no employees.
This guy fucking sucks.
I hope he gets blacklisted from working with other projects.
I can’t help but feel bad for Dylan. It’s not like if he hadn’t done this someone else wouldn’t have had to eventually.
It’s not like he had no way of thinking, “Geez, I don’t have the experience or knowledge or insignts to start the ball rolling on such a major decision.” and went on to do something useful instead.
It’s not necessary. But also, where’s the hate against the ass that merged this PR. They’re worse.
Why not let someone else do it then? Why eagerly sign up to be the one to do it?
Because he’s a slimy piece of shit.
Why not wait until it becomes absolutely necessary and all other alternatives are exhausted? The mandatory age check thing hasn’t been even accepted whole US wide let alone world-wide. He did not even wait for ut to play out. What is with the enthusiasm to jump on board with this?
He brought this on himself.
Blessings to you young bootlicker. May you pay escalating subscriptions and own nothing eternally, forevermore, amen.
