Add a required birth date prompt (YYYY-MM-DD) to the user creation flow, stored as a systemd userdb JSON drop-in at /etc/userdb/<user>.user on the target system.
Motivation
Recent age verification laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc. require platforms to verify user age. Collecting birth date at install time ensures Arch Linux is compliant with these regulations.
This is just a pull request, no changes yet.
The pull-request discussion thread has been locked, just like it happened for the similar thread in Systemd, owing to the amount of negative comments…
I don’t know what people expect.
All big linux distros are going to be quickly a target, because the people who like age verification laws like that hate the idea of free software.
Putting a dummy, useless age input, is a good way to comply maliciously, and can be easily reverted if these stupid laws ever get removed.
It wouldn’t surprise me if obvious ways to bypass it appear a few seconds after the changes are validated.
The alternative is that these systems could be outawed in a lot of places, which would have a much more negative impact than an age field.
War is about knowing to take a hit to avoid defeat, sometimes.
@[email protected] @[email protected] @[email protected]
The Brazilian flavor of age checking explicitly prohibits self-declaring (“vedada a autodeclaração”). Estimation of age via selfie or behavioral analysis, as well as the need for government-issued IDs, perhaps validation via credit card microtransactions, are some of the accepted age verification mechanisms for Lei 15211 (“ECA Digital” or, more informally known as “Lei Felca” due to the involvement of a YouTuber sub-celebrity on getting this thing to Brazilian lawmakers). Doing age bracketing via self-declared mechanisms, such as birthdate input or the usual consent button, risks fines and other provisions.
KYC (“Know Your Customer”) is, deep down, what these laws are going to be about, ID checks as sine qua non part of purposefully vague-worded laws with broad and outreaching enforcement, so tech organizations and companies worldwide, especially the smaller ones, will eventually find themselves in a situation where they are legally compelled to implement everything that’s being pushed as part of these dystopian laws. After all, it’s far from being just a Brazilian or a Californian thing.
Currently, yes, we’re seeing this law-concept restricted to a handful of places such as some USian states, as well as countries such as UK, Australia, Canada, now Brazil… Zoom out, however, and you’ll realize how this thing is gradually spreading worldwide because this is the only way for age verification to get effectively enforced.
You read it correctly, those laws are very likely getting to more and more countries, eventually turning KYC into part of international, industrial standards. Nothing too hard for big corps to do on their own, such as Google and Microsoft, even Canonical and Red Hat which are large companies, but small companies will end up being pushed into relying on non-free third-party KYC services in order to comply with age verification.
Such situation would end up benefiting the big players, with KYC services such as Persona becoming the new ubiquitous Cloudflare when it comes to this digital landscape. KYC gates, in this sense, would become the new CAPTCHA, Biometrics-as-a-service would become the new normal, true FOSS projects would become unlawful a priori while large corporations would thrive with another data point for tracking and advertising, and as the tolerance bar gets lowered, people will end up used to it, because any attempt to be against it will lead, at best, to social ostracization…
I don’t know, maybe I’m being overly pessimistic about it, but I can’t help but notice how dystopian things, some of which were long foretold and were warned about, are slowly taking away our privacy and freedom…
I don’t disagree with anything here.
But my point wasn’t “there’s nothing to worry about”, it was “an age field is the minimum they can do, and blaming them for it is pointless”.
My point is that this law is already there, and the fight needs to be brought where it matters, and the code of linux systems is not what is going to change politics. When someone is held at gunpoint, you don’t yell at them to fight back and curse them when they don’t, but you attack the attacker.
The law is completely not here, it affects very few people in the world, so they can bugger off with this nonsense change
I have no idea what to think because this sounds reasonable, but so do the arguments that it’s a slippery slope and complying now makes it easier to surveil us all later. (Yes, I know this is the name of a fallacy. I’m curious as to when is it a fallacy and when is it not. I can absolutely imagine people saying “slippery slope fallacy” and being right, I can also imagine a different situation where people say “slippery slope fallacy” to something and it happens exactly as the people whose claim is being denied with “slippery slope” fallacy said.)
I guess that is why controversial issues are controversial, no easy and obvious resolution?
A slippery slope isn’t always a fallacy. Yes, that is a specific name of a fallacy, which people commonly point out, but it is also the form of a valid logical argument. If there is support that this will happen, it isn’t a fallacy.
I this case, a user-entered field is useless to “protect children” (being generous and assuming this is the actual reason for the laws). Children will just lie, as they have been doing for decades. The state will point to this as the law not fulfilling its stated goals, so they’ll need to verify age through other means. Even if the goal isn’t surveillance of people, this is still likely to be the result logically. This means the slippery slope argument is valid.
It could be a slippery slope. That’s why the point is not to just accept it and move on, but to comply while pushing back against it.
And complying right away, but with a bullshit field, is a good way to signal “we do not agree, and we’re going to always find a way to fight back”.
Taking a hit to avoid defeat, does not mean surrendering. It just means that you need to recognise when a battle is lost. In a way, the other side of the slippery slope is the sunk cost fallacy, where you refuse to admit that something is a lost cause and you keep on pushing, making things worse.
It’s a matter of balance and reason, which people nowadays reaaaally struggle with.
They’re not handing over private crypto keys here. It’s a database entry that the person installing the system can put whatever they like in.
But this is the crux of the fallacy. What evidence is anyone providing that there is indeed an insidious chain of events we are enabling by adding the birthdate field? Are there examples of cases similar to this in history?
EDIT: I can tell people are getting emotional about this because I’m being down voted for just asking a question that elaborates the point someone is making.
The justification of the slippery slope is pretty simple.
They ask to add in a DoB field that must be filled out and reported at all times. So we add it into our systems and say no big deal. If you hate it put down your birthday as 1900-01-01 and call it a day.
But what is the problem with a self reported, unconfirmed field like this? It is utterly useless BECAUSE it is a self reported, unconfirmed field. It doesn’t solve any problem AND it doesn’t provide any real personal information. So why even ask for it?
The two options are malicious intent and stupidity that tech can’t be worked around.
We can skip the latter as stupid people will always be stupid. So the former, malicious intent. When they point out that this new law isn’t actually fixing things because of the fact people are lying about their age they will inevitably say we need government IDs added to the system. They will not only make sure you are the correct age for content, but know WHO is viewing such content and they will be tracking it.
Now you might say, wait there is a third option, benevolent people actually wanting safety. Creating a system where personal information is mandatory to your interaction with the internet creates a security target that we all know cannot be covered. And we also know that all tech can be broken so kids will find a way around this stuff. Using your parent’s ID, a globally shared fake ID, hacking the protocol for certification. they will get around it.
The slope is slippery because the only options are
yes. every time in the history of gnu software when a function is added without a purpose its for a later feature.
otherwise there is no need for the form? since when do we leave empty forms in software that can be used to store strings, that hold no meaning…
only two uses for this. to implement the full API later or to have a string the user normally does not see that becomes a perfect place to store malware. full stop.
complying with the API is a act of absolute stupidity…
This law affects so few people in the world, they can bugger off with their changes. No one on my entire content is affected by this stupidity.
Outlawed software.
Lol
Lmao even.
In soviet america software outlaws you.
“We’ve determined you’re using an illegal OS. You’re under arrest!”
People get arrested for ones and zeros all the time.
Or you know, just getting a lot of accesses blocked, your ISP blocking you, etc.
No matter how you put it, it’s more risk than inputting a bullshit field at install.
My ISP doesn’t know which os I’m using, I behind two NATs and a proxy…
Good for you.
Now what about others that are not in your situation? What if this gets flagged as a suspicious behavior? What if your ISP blocks access to devices that are not allowed by a third party (government or company)?
You can always make a slippery slope. The difference is that complying for now brings nothing bad, not complying brings more focus and puts a target on linux and its users.
Everyone is behind at least one NAT, the wifi router.
Generally provided by the ISP, no?
Isps provide modems. You can add your own router and manage the network yourself if you’re so inclined. Why do all these threads have people like you that don’t know basic things about computing and networking commenting on this?
not really, the law is written that complaince makes you complicit. every user is a child. there is no adult users.
it’s a really messed up law…
above all else, even if the API is used properly, unless it’s giving false positives, it creates a metric that can be tracked to form patterns. these are all a advanced method to identify individuals to unmask online identities…
As I said, it’s a loss. It is not going to bring anything good, and can only bring bad stuff.
But my point is that the alternative of ignoring this law would just worsen the situation.
If you want to fight a law, you need to do it with meaningful measures. You find flaws, you revolt, but you don’t just ignore the law and hope to not be attacked for it.
If a big linux distro does it, it will lead them to endless legal battles that will ruin them, and then what?
The strategy here is to accept the loss, mitigate it as much as possible, and attack the source, which is politics, governments, and popular support and understanding.
Explain to people why it’s bad, burn down the government, and fix the system. If we only fight the symptoms when they target us, we’ve already lost.
Found the corporationist bot.
We have been taking hits since, like, 1965 at the least. Surely by this point it should have been enough?
Everyone I don’t agree with is a bot!
And what would refusing a field do?
What needs to be done is basically a revolt against current governments and capitalism, not nitpicking every privacy-invading law that comes, and then waiting patiently for the next one to come.
You’d rather put a big target on linux systems for stupid fucks to label it as “the big danger for our kids” which would just bring nothing good.
You want to stop taking hits, then stop waiting for them and then pretend that dodging is the only solution.
I’m doing my part on that, you are invited to also do yours. But also do realize that “a revolt against current governments and capitalism” is a class action, not something that we can do by ourselves like patching an OS to remove age verification is.
And big linux groups cannot remove age verification as easily as users can, as a big group is likely to be sued while an individual isn’t as much.