- cross-posted to:
- linux@programming.dev
- linux@lemmy.world
- cross-posted to:
- linux@programming.dev
- linux@lemmy.world
Per the very first reply on their thread discussing it in their forums, which I linked directly to for the post title:
We’ll NEVER require any verification or identification from the user.
However, what’s gonna happen should the attempts to age-gate the XDG portal screw over alt-init distros like Artix too? My guess is maybe they start blocking regions which force age gating like Arch Linux 32 is doing.
You must log in or register to comment.
First Artix made me not vulnerable to the XZ backdoor (requires systemd). Now it saves me from age verification nonsense. Even on Lemmy sentiment seems people who avoid systemd are just cranks. But every time we are right.
It saves you from what exactly? As a rational crank, surely you have an explanation.
Unless you use xdg-desktop-portal, the field that systemd added does absolutely nothing.
It’s an optional information field for user accounts, systemd doesn’t require that it is filled nor does systemd do anything to verify or check the field. User accounts also store e-mail and location and you are free to not enter that information or to enter fake information.
I don’t see the vulnerability, especially considering that you’re comparing it to an SSH vulnerability (which, it should be noted, was caught in testing and never released).
The rational is systemd has a huge amount of features that normal desktop users will never need. If you use something like OpenRC or Runit the experience is not much (or any) different. All those features will introduce complexity and potential bugs and vulnerabilities.
Unless you use xdg-desktop-portal, the field that systemd added does absolutely nothing.
Sure it doesn’t add much, but many of the systemd things are ‘not much’. But together it is a lot.
I don’t see the vulnerability, especially considering that you’re comparing it to an SSH vulnerability (which, it should be noted, was caught in testing and never released).
Luckily it was the case, but it was way too close for comfort. It doesn’t change the fact that bloated systems like systemd are what enable these types of attacks. If you use many of its features I’m sure its great, all software has bugs and holes in it. But the point is that if you don’t need the features you don’t need to expose yourself to the extra bulk and risks. Same for things like sudo vs doas. Almost everyone uses sudo but 99.9%+ doesn’t use any features that doas doesn’t have. And then of course systemd invents its own alternative 😅.
And then there is the Unix philosophy. If we need age verification, why does it need to be in the init system? Why not a separate package that can be installed along side any init system / kernel / desktop environment / etc? If it lives in the init system, every init system needs to implement their own version of it.
I understand the arguments against systemd. It isn’t just an init system and it fulfills multiple roles, which goes against the Unix philosophy.
That being said, systemd does store user information. Since this issue requires the storage of additional user information, in order to comply with the law, the systemd team are making their software compatible with complying with the law.
Ultimately, it’s the end user who gets to determine how the software is configured. You can ignore the birthdate field and systemd will not do anything to prevent you from doing so. systemd doesn’t require the data in order to operate, it doesn’t verify the data and it doesn’t prompt you to enter the data. The consequences of ignoring this addition are exactly zero.
It’s simply there because a law exists and users of systemd (like xdg-desktop-portal) require a location to store the data.
I hate the age verification laws and think they’re going to cause more problems than they claim to solve. I’m not cheering on these laws, I’m simply pointing out that attacking systemd for adding an optional field in order to allow compliance isn’t rational.
Aim the ire at the people making the laws, not the volunteer developers who are following laws even if they don’t like them.
I think the issue outside of capitulation is the matter of systemd’s obligation or lack thereof to make this change. Systemd by law isn’t required to do anything. xdg-desktop-portal more so is, but that raises a bigger question: Why is a jurisdiction specific requirement being rolled into this? Do all jurisdiction specific requirements need to be loaded for optional use? Why is this being shunted to xdg-desktop-portal to handle the brunt of this?
Ultimately the PR was closed and for this very reason:
That amounts to a short-sighted decision to tune the specification to one state’s law, without taking into account that other states and countries can define different age brackets, and without the ability for an application to know which age bracket classification (California, Japan if/when they mandate it, etc.) applies.
Expanding on that, the outright shortsightedness of the request is made more clear further into that discussion: https://github.com/systemd/systemd/issues/40974#issuecomment-4018655808
>Gender plays a role on whether you could use a computer and what sites you can access?In Afghanistan, all forms of higher education are not permitted for women. Furthermore, the Taliban have a reputation as gentlemen who are not used to repeating themselves.
I think the issue outside of capitulation is the matter of systemd’s obligation or lack thereof to make this change.
Most of what systemd does isn’t based on an obligation, it’s based on creating a system that fulfills the needs of the users of the software.
xdg-desktop-portal was adding age verification and the logical place to store that information is in the user’s records. systemd is the project which xdg-desktop-portal looks to for storing user records and so systemd added a field to support xdg-desktop-portal’s requirements.
Like I’ve said elsewhere, I don’t agree with the age verification laws… but they do exist. The software developers in the various projects are attempting to comply with them (or not, as in the OP) in their own ways. Nothing that systemd is doing here will affect you unless you want it to. The field is optional and not verified by systemd in any way (other than ensuring that it’s an ISO 8601-compatible date).
Ultimately the PR was closed and for this very reason:
The contention was that the field would only work for complying with a single state’s law and the data wouldn’t be useful to comply with other laws. For example, if a state defined an adult as 18 and another state defined an adult as 16 then simply storing ‘Adult: [True|False]’ would require individual fields for each legal jurisdiction. So it doesn’t meet the specifications globally.
To fix this, the PR that was merged stores a birthdate and leaves it to the application to determine how to use that information for compliance. Here’s the merged PR:
I totally get what you are saying, and I don’t think we are really in disagreement about anything here. This is just my personal point of contention.
Its opening a can of worms for xdg-desktop-portal and systemd for something that they don’t need to or shouldn’t need to act on. If they make this change then: If the Afghani govt issues a request for gender, they should include that in userDB as well then. If Colorado’s new law requires age data to be held differently or different format, they will need to include that as well then. COPPA already exists, so do they need to further change how they store this data? If a new federal law is passed for age verification, they will need to support that on top of the existing state laws. Should it be jurisdiction specific? EU laws might state you can’t arbitrarily store this data, so now you need to check operating geo. Which jurisdictions do you honor? Which do you ignore?
Its optional until made so convoluted that its required. I think what’s so interesting to me is how this all goes back to a 30+ year old debate on the UNIX philosophy.
Oh yeah, this is totally a can of worms that I don’t think we should be opening.
I just channel that into yelling at politicians, the FOSS devs are on our team they just have to make the best of a dumb situation.
Unless you use xdg-desktop-portal, the field that systemd added does absolutely nothing.
Yet. it’s a foot-on-the-door to demand more stuff, and some distros have already shown they are going to merrily open up their arses and ours.
This is something being created in response to laws being passed by politicians, it’s not a secret plot by systemd and distro maintainers to… whatever it is that you’re implying.
This is about as scary as the realName, emailAddress or location fields. They’re completely optional and not validated in any way. You can call yourself Linus Torvalds set your e-mail address to gaben@valve.com and your location to Mars… nothing about the system is going to check or care if you’re lying. Similarly, now you can set your birthdate to April 20th 69BC if you’d like. It doesn’t mean anything.
e: I lied, it has to be ISO 8601 compliant so anybody born before 1900 is ineligible for Linux, smh
Literally nobody: https://en.wikipedia.org/wiki/List_of_the_verified_oldest_people
AFAICT even the oldest unverified person was born in 1900 https://en.iz.ru/en/node/2061564?main_click
Literally nobody: https://en.wikipedia.org/wiki/List_of_the_verified_oldest_people
AFAICT even the oldest unverified person was born in 1900 https://en.iz.ru/en/node/2061564?main_click
Someone in the future may be born before 1900, we can’t know for sure.
Honestly wouldn’t be surprised if the slippery slopers claim that this is just the first step, eventually they’ll make it ban anyone born before 1970, then 2036
To be fair, when it comes to both physical and digital fascism, every time the slippery slopers have been told they are sloping and exaggerating, they are actually proven right.
I’ve been slippery sloped already in one of these conversation threads.
xzutils doesn’t require systemd.
I doesn’t but the exploit required it.
deleted by creator
We’ll NEVER require any verification or identification from the user.
Cool so no passwords?
In fact Arch and Artix do not require you to make a password to install the OS (even though you probably should).
But making a password doesn’t identify you or verify anything about you, anyway.
And regardless, say you do create a password at installation (as you should). The next time you type it in, that’s really you verifying yourself.
A password is litterally the OS verifying you are who you are claiming to be.
But making a password doesn’t identify you or verify anything about you, anyway.
Neither is putting in a date of birth.
I think there’s some confusion here about the concept of “identification”.
A date of birth is generally considered identifying information because it can be used to implicate other information about your real-life self, and it can have real-life consequences for you if it is known. It discrimantes and differentiates you from other individuals in ways that have real-life implications.
What does a password identify about you? Well it verifies that you are “the same person who set the password on the OS”.
So to compare and contrast, A DOB identifies you as…
- a person who may not be allowed to install certain programs or access certain information/content, based on age
- a person in a demographic who may be amenable to certain advertisements
- (if your system is compromised/leaked and age retrieved) someone who may be desireable by predators
- (in the context of investigation or stalking) someone who is not a specific other individual (ie it narrows you down from a pool of individuals)
Having entered a password identifies you as…
- the same person who set up the OS
- ??? - feel free to let me know if you’ve got anything here.
To consider the act of entering a password as an “identity” is pretty bizarre, and frankly the notion seems contrived just to be argumentative.
Wow sounds like they should only return an age bracket to mitigate most of those risks.
Also if your system is compromised it’s insane to think your DOB is the problem and not everything else on your system that can ID you.
No, it is the OS verifying what you know. The OS doesn’t care if you gave your password to anyone, just that whoever is opening the PC knows the password.
Verifying who you are would be biometric verification or ID verification.
In my case I require a password and a hardware key on login. That is still not verifying that I am myself, only that I know the password, and have the hardware key. If I added fingerprint scanning then I would have the holy trifecta and only then verify who I am.
If you think about it like that none of the proposed laws verify anything, even the worst one just verified you logged into the account with credentials for someone who put their DOB in the age bracket returned by the API
That is why I donate to them.
I hope you donate to them
Tnx
In this case Artix already is a systemd-free distro, but this is part of why i think it’s a bad idea that systemd is wanting to implement the age verification crap, cause i think the distro should be allowed to decide if they want to comply or not. Feels like distros that use systemd will be forced to comply unless they change init, which is probably a pain in of itself.
Btw, what does the desktop portal actually do? I’ve installed a lot of programs over the years, including flatpaks, and i never seemed to need it. I hope it stays that way considering they’re implementing this shit too.
Systemd isn’t implementing age verification.
They added the ability to store the data because the xdg-desktop-portal team added the ability to set an age and that requires a place to store the data. No component ‘verifies’ the age, it’s a data field that you can enter whatever you’d like into.
From https://github.com/systemd/systemd/pull/40954 :
Stores the user’s birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
The xdg-desktop-portal project is adding an age verification portal (flatpak/xdg-desktop-portal#1922) that needs a data source for the user’s age. userdb already stores personal metadata (emailAddress, realName, location) so birthDate is a natural fit.
Full date rather than just birth year: birth year alone has up to ~12 months of imprecision at age boundaries, which could misclassify a 17-year-old as 18 or vice versa.
Sure, but they both seem way too eager for my taste to go along with this nonsense, and if you refuse to implement this, you don’t need a place to store it either. I suppose it’s nice for the distros that do want to use it.
they both seem way too eager for my taste to go along with this nonsense
Based on what? They have specifically addressed the issue and it does not read like they’re eager to have this forced on them by state laws.
https://blog.system76.com/post/system76-on-age-verification
We are accustomed to adding operating system features to comply with laws. Accessibility features for ADA, and power efficiency settings for Energy Star regulations are two examples. We are a part of this world and we believe in the rule of law. We still hope these laws will be recognized for the folly they are and removed from the books or found unconstitutional.
That’s system76, not systemd. System76 is atleast trying to see what they can do (or rather can not do) and are in talks with legislators to see what this actually means for them (if it ends up meaning anything at all, apparently open sourse systems could be exempt from it). I’ve also seen discussions on nixos discourse to see what the best course of action is, and they are also not planning on just folding, but instead looking to bypass the issue. Meanwhile systemd already has the commits ready it seems, no questions asked.
That’s system76, not systemd.
Yeah oops, I’m just dumb.
Meanwhile systemd already has the commits ready it seems, no questions asked.
Because it’s a trivial addition that was requested by a large user of systemd.
I don’t like these laws either, but they do exist. Go after the politicians who’re making them. Don’t go after the, volunteer, developers for not making a political stand on your behalf.
It’s an optional field, unverified, unenforced and in the worst case, this is open source software so you can simply revert that PR and build it yourself without the extra field or if you feel super strongly about it you can fork the project.
Heaping ire on the development team is the part that I’m taking issue with.
When did i go after the developers? I never attacked them personally whatsoever, i just voiced a concern. At the end of the day they can do what they want with the project. I don’t even use systemd nor xdg-desktop-portal myself, so this doesn’t affect me (atleast not yet).
Sorry in that case, I’m juggling a few threads
In this case Artix already is a systemd-free distro, but this is part of why i think it’s a bad idea that systemd is wanting to implement the age verification crap, cause i think the distro should be allowed to decide if they want to comply or not. Feels like distros that use systemd will be forced to comply unless they change init, which is probably a pain in of itself.
Where do I install an Ageless-style patch to force flagrant non-compliance for systemd distros?
Good, Maybe a list of “Pirate Distros” would help people.
Kinda crazy how downloading Linux isos might actually become illegal.
What a fucking clown world we live in.
What a fucking clown world we live in.
i think we let it happen when we collectively chose not to push back against the us government’s capture of the kernel project when they forced its maintainers to kicked out russian developers; pastor niemoller explains it best:
First they came for the Communists And I did not speak out Because I was not a Communist
Then they came for the Socialists And I did not speak out Because I was not a Socialist
Then they came for the trade unionists And I did not speak out Because I was not a trade unionist
Then they came for the Jews And I did not speak out Because I was not a Jew
Then they came for me And there was no one left To speak out for me
jefferyjefferson @lemmy.org
Kinda crazy how downloading Linux isos might actually become illegal.
What a fucking clown world we live in.
Welcome to the world of open-source piracy if that happens.
Lol, which is funny as every torrent client gives the example of downloading Linux isos (which is probably for legality reasons)
Yep, that’s me, just Linux isos, I just like to collect 'em, y’know, and store them on a small 100TB NAS I can access from any
Plex clientcomputer in the house should I need them. You never know.100tb … You must be downloading larger 4k Linux images.
Artix is patching many packages anyway, so one more package patched to remove age stuff or add a dummy interface that always returns 18+ won’t be too difficult.
That’s what Ageless already does, so maybe Artix could implement that officially in their distro by what you’re suggesting?
In my mind, region-blocking is actually probably the best solution for this in every case.
Cut off every legitimate operation in these regions (including my own) from using your genuinely useful software. Software isn’t compromised, saves on unnecessary work and law compliance. Then everyone with a VPN flourishes anyway. And then maybe it hurts profits so much that lawmakers actually decide to reverse course. Wins all around.
No dude, nobody asked for this law, it was lobbied by Facebook / Meta and doesn’t protect anyone, the compliance burden shouldn’t fall on the devs (who happen to be volunteers most of the time), they made a law, they have to figure out how to apply it (like I said in my over down-voted comment: hire a group of devs to fork everything, add the restrictions then convince your citizens to switch so they are compliant)
And only the 7 people using the OS will care.
We’ll NEVER require any verification or identification from the user.
This sentence doesn’t give me confidence that they have read the law.
You can not comply with laws. Its how all piracy sites and most social media sites work
The law definitely doesn’t require OSes to require users to verify their age or identity themselves.
At least one of the laws made the OS responsible if the determined age is not correct, meaning if you don’t verify the age you may still be commiting a crime, even if it is not required
The Californian bill doesn’t. If you have knowledge to the contrary please provide.
I am confused on what you are trying to say, English isn’t my native language. Could you say what exactly the point of your comments is?
I’m saying that “We’ll NEVER require any verification or identification from the user.” can be true even when they comply with the Californian bill.
Ah, I understand now. That is AFAIK correct, however complienace with the New York bill will be impossible:
New York’s proposed Senate Bill S8102A requires adults to prove they’re adults to use a computer, exercise bike, smart watch, or car if the device is internet enabled with app ecosystems. The bill explicitly forbids self-reporting and leaves the allowed methods to regulations written by the Attorney General.
