How Exactly do Developers Handle age Verification?
Posted by Squiggin1321@reddit | linux | View on Reddit | 48 comments
With the laws about operating system level age verification in places like California, Colorado, and the UK, who’s makes the decision to implement age verification? Do the developers of each distro get the choice? If one distro adds age verification can we just boycott them and move to a different one, or is it at the kernel level and we just have to deal with it?
No-Dentist-1645@reddit
Well the distros themselves need to make a decision, but one thing is absolutely for sure: they can't just "ignore it". The law isn't in effect yet but if they don't have a plan when it does go in effect, they will be unable to provide their OS within California.
So, distros have two options: either not implement any age verification in any way and block California, or implement it. If they do choose to implement it, they can either apply it globally (which would not be nice), or only apply it specifically within the jurisdictions that require it (much better).
One thing is for certain though: this is not the distro maintainers' fault. Boycotting them is stupid, they are just as much of a victim as users like you and me. If you want to do something about it, contact legal representatives within your jurisdiction, but blaming distros for something they are quite literally legally required to do is dumb
daemonpenguin@reddit
Boycotting something that spies on you is not stupid, it's self defence. Developers may be "victims", but that doesn't mean we need to support their efforts to stick malware in our systems. That would be truly stupid.
Just move to a distro that doesn't use age verification.
No one said anything about blaming distros. You're just shilling for spyware at this point. People should use operating systems which respect their rights, not use spyware out of a misplaced sense of loyalty.
No-Dentist-1645@reddit
Is it really that hard to understand that nothing is ever fully black and white, or did you really need to antagonize me as a "spyware shill" just because I think boycotting a distro is attacking the completely wrong people?
What would the point be of "boycotting a distro"? Do you think lawmakers would care that X Linux distro lost some users? Would that lead to laws being amended?
If you actually want to make some change, the obvious way to do that is what I mentioned above
daemonpenguin@reddit
And yet you're out here telling people their actions don't matter and not to use operating system which respect them. Right.
Of course not. That's not why people boycott distributions which include age verification. Not sure why this is a hard concept to understand. Boycotting helps the users, not the legal system or the distro makers.
That's your whole argument though. Continue to use distros out of habit or loyalty. Why else would a user stick with a distribution which is enabling anti-user software? You're calling the developers victims, but they're the ones writing the code to hurt people. Sticking by them would be self-harming and pointless.
No-Dentist-1645@reddit
No it isn't, and it never was. You just don't understand the difference between "not using something" and "boycotting"
No-Dentist-1645@reddit
14 hours later, zero answer to my question of what boycotting would even be supposed to do or help with anything. I guess that answers my question in a way: it wouldn't do anything, some people just want to blindly complain without moving for any change to actually be done, because that's what people do. Even when the people they're "rising up against" aren't even the ones who make the decisions.
daemonpenguin@reddit
I am not sure how you don't understand this. Boycotting distros which implement age verification means the users are running distributions which respect their privacy.
It doesn't change laws or distro policies, it's not meant to. It's not revenge against distro maintainers. It's the only practical move for people who want a privacy-respecting OS.
In other words, people should use what works for them, not run OSes that work for someone else.
Of course it's "wouldn't do anything" in terms of legalities. It's not meant to. It just gives people what they want.
No-Dentist-1645@reddit
https://en.wikipedia.org/wiki/Boycott
Boycotting is not "I am not going to use this because I don't like it", it's specifically an act of protest. If you don't want to use it, that's perfectly fine: you do you and I am not going to stop you. But "boycotting" is encouraging protest and a movement, which just doesn't make any sense since the people you are "boycotting" can't actually take the decisions you want.
Correctthecorrectors@reddit
here's the reality. people don't want spyware on their computer period. it doesn't matter if it's North Korea or the usa demanding, they don't want it on their OS.
What you're saying is basically saying " don't blame the distros for following North Korean law, if you have a problem with it contaxt Kim Jong Un and as him to change the law in North Korea, stop asking the distros to do something illegal in North Korea"
Victomless "crimes" are not crimes. Either fight it, go under ground, or just end the OS, but complying is simply not an option for a free and fair society. you don't give an inch to authoritarianz whether it's Kim Jong Un, Trump or Gavin Newsome
No-Dentist-1645@reddit
You don't live in an absolute dictatorship like North Korea. Sure, everyone likes to complain about the US and they are very authoritarian and it can be difficult to get movements going, but the legal system still exists and people have managed to make changes.
Many community members are fighting it through these legal methods, such as System76's developer. They have contacted some representatives and they are actually considering making exceptions for open source operating systems like Linux.
I'm sure "end the OS" is some great feedback that they would value hearing and considering, you should let them know they can just do that. Maybe you should maintain your own distro too with ideas as brilliant as those.
"Go underground" is not a real option for large distros like Ubuntu with millions of active users, if they refuse to comply the government will just fine them or geo-block them.
Tons of distros like RHEL and Ubuntu are used on a lot of government sectors, ignoring the law would be suicide.
C0rn3j@reddit
There is currently no age verification anywhere.
Yes, not even in systemd, people love to link a specific PR that added a birthday field, then throw around whatifs when you point out there's no verification.
That's a very good question which the lawyers of various distributions are currently looking into.
Correctthecorrectors@reddit
dylan Taylor didn't merge that in their for optional purposes. so saying "it's just a birthday field" is innacurste. it's not just a birthday field it's a sign systemd is compromised
C0rn3j@reddit
And here we have one of the less stable people proving my point.
Correctthecorrectors@reddit
none of that is doxxing. it's all publically advertised information. the point still stands, they're letting some completely unqualified first time contributor merge spyware into an init system used by the vast majority of Linux distributions. That's a huge red flag.
No-Dentist-1645@reddit
I have a public LinkedIn profile too. However, if someone didn't like something I said on my Reddit account, and thought that the "reasonable course of action" was to let everyone know my full name, address and employer to do whatever anyone wanted with just because "it was already public I formation somewhere", I would definitely call that doxxing
Correctthecorrectors@reddit
Ok Dylan whatever you say
No-Dentist-1645@reddit
Quite literally yes, it is very normal. Again, that is very much how 99% of Open Source programs work. Absolutely anyone can open a PR for absolutely any reason, and the maintainers can choose to merge it or not. Your implication that this isn't normal, and that this specific case was "fast tracked" is completely false and disingenuous, and only proves that you have absolutely zero idea how systemD has always maintained their software. I guarantee that you never even checked their repository prior to this event, and yet you talk as if you completely understand it and "this instance is so much different from normal" (it isn't).
You once again completely ignored the entire point of open source. I have viewed the PR diffs, there is literally nothing complicated beyond just adding an extra field to a database and adding the documentation for it.
A hundred thousand people have probably seen the PR at this point. Don't you think if there really was a security vulnerability, secret backdoor, or literally anything more than what those 100 lines of code showed, everyone would know about it at this point?
Correctthecorrectors@reddit
Spyware is Spayware call it what you want to call it.
No-Dentist-1645@reddit
I would not call "a text file where I can choose to store my date or birth, or not" spyware. Seems we may disagree on that.
If that is the case, here is another text file where you can choose include your birth date or not: https://pastebin.com/
I guess I just delivered you spyware going by your definition.
Besides that, your claims are that:
1. The PR author does not have "enough experience" to submit a PR.
This is wrong, since I have mentioned time and time again that the entire point of Open Source Software is that anyone can contribute. You are claiming that "only sufficiently experience people should be able to contribute", but this just flat out isn't how most OSS is maintained, you would be incorrect with claiming that.
Even then, a simple graphql query for the author's github account can disprove you:
A user with over 400 total commits and 122 Pull Request contributions spread accross 40 repositories is more than just experienced.
And again, there are hundreds of examples of PRs submitted with way less experience than that, which were all similarly merged. I could provide examples upon your request but this comment is already fairly long.
2. The PR was "unfairly fast tracked", suggesting evil hidden intentions or "compromise"
This is also wrong. The PR took 14 days to be merged, between March 4th and 18th.
Using the GitHub API, I found a total of 21824 PRs merged in less than 14 days. Clearly this is neither "fast tracking" nor "special treatment".
TLDR: all of your "claims" are provably incorrect. I have no clue how you can make claims such as "they don't have enough experience" and "they were unfairly fast tracked" when you clearly have absolutely zero knowledge on how things are usually handled internally, spouting "claims" while being so confidently incorrect is truly something.
aliendude5300@reddit
100% this. 7+ people reviewed it for two weeks before it made it in. And it was a trivial change. Fast tracked? How long should it have taken to be merged in?
Correctthecorrectors@reddit
it shouldn't have been merged in because no one with serious computer science security credentials would let something like that in an operating system
No-Dentist-1645@reddit
If the collective developers of one of the most used (arguably the most) init systems in all of computing don't know about CS security, I don't know who does. You must be an incredibly notorious and recognized Cybersecurity specialist, with dozens of certifications and diplomas, to be able to confidently claim you know better than them, I'm impressed!
aliendude5300@reddit
Define fast tracked. How long should a PR take to be merged in?
No-Dentist-1645@reddit
It quite literally was added as an optional field. There is nothing else to it, saying systemd is "compromised" only sounds like conspiracy talk
djustice-system@reddit
I literally saw a retired mi6 agent post that the uk govt paid for backdoors in systemd. idr her name now, this way years back. just saying. I seent it. also there's a nice index of cve's for it. if you actually read any of the code, you'd see why... it's "future-proofed" for many things that may never happen, leaving lots of wiggle room for for fail.
unix way: do one thing well. systemd: do all of the things well enough.
on the law topic: chroot isn't going anywhere and neither is the internet.
No-Dentist-1645@reddit
Sure. And I'm the king of England...
LigPaten@reddit
Man you gotta love when people just throw their crazy online.
djustice-system@reddit
if you were i couldn't care less, just calling it like I see it... i didn't realize I should've kept up with the sauce at the time. then again, I don't really care what sort of software you run. just like reddit doesn't care what I have to say without a source. even if i had proof on hand, i couldn't make anyone read it. kind of like how systemd is open-source and you still won't read it.
anyways, happy hacking. or circle-trolling, whatever this platform is for.
aliendude5300@reddit
It's optional in systemd. Big corporate distros can use it to store info and even require a value in their installer, but that doesn't mean systemd has ANY sort of policy making it required. systemd isn't compromised.
daemonpenguin@reddit
BigLinux has age verification.
fek47@reddit
Yes, indeed. We don't have enough information available yet to be able to make a informed decision. Don't rush to conclusions yet.
Squiggin1321@reddit (OP)
That’s a good point. Things are just to up in the air right now to interpret the documents, at least in the US, especially with how hard people are pushing back.
natermer@reddit
The laws only apply to you if you are doing business within those states.
Also the laws are incredibly vague and poorly written. This is often very intentional as it gives the government a lot of leeway on how they actually want it enforced.
Usually it would then be up to some administrative agency within the government to decide on the actual details of how it is supposed to work, within the leeway allowed to them by the letter of the law.
Also there is a distinct chance that much of it is entirely unenforceable and it will just be another example of the tens of thousands of other laws that are technically on the books, but nobody really cares about.
It isn't like the government of the UK can just wave a magic wand and demand "age verification" into existence. And even if it does work then it probably is going to be quite stupid.
In the USA and other countries there has "age verification" stuff on the books for a very long time now.
For example... When you go on a website and it has a pop up saying 'You must be 18 or older to view'. That is the actual law. That is the actual age verification laws already on the books in effect.
Remember that you are dealing with open source software here. If you don't like it doing something you can just turn it off.
Apprehensive_Milk520@reddit
Hate to say it's the beginning of the end, but I've been around long enough to recognize the signs. I plan ahead.
And yes, the DOB field in systemd did prompt me to finally leave Arch after many, many years, but that wasn't the only reason I left Arch and systemd.
Fortune favors the prepared, though, and so with the injection of DOB in systemd, I decided the time had come. I prefer to stay one step head of the inevitable, to by myself time.
Age verification makes no sense - the operating system isn't a gate keeper. And all that data collected will be used to keep track of all us citizens, not to mention being used for targeted marketing. Where I go or what I do on my own computer should be of no one's concern but my own.
For me, it's a privacy issue - but I'm old as a dinosaur, I don't even like my smartphone, don't trust it, lol. But of course, I'm one of those people who still has a landline... :)
It's all the other things that can be ushered in along with age verification that are frightening, like requiring a legally recognized identification (driver's license, SSN, greencard, etc) and face scanning - it can range from innocuous all the way to the extreme of "big brother", and beyond. Think 1984, Animal Farm, THX 1138...
And what about servers? GNU/Linux is both a server and a desktop - it's how you install it, what you make it to be from the barest bones on up. When you install GNU/Linux on a server, what purpose would age verification serve? And who in the organization would be responsible for inputting their information? Oh, but then they can easily make a mod to the law, no age verification for businesses, but you need to input your organization's EIN. Then that becomes a whole slippery slope and different creature, entirely, since verification would be against IRS databases.
It can become so invasive it's not even funny, it's downright terrifying. And all this can be passed off as being in the interest of the safety of state's or country's citizens. Because citizens are deemed sheep and can't take care of themselves. Let's just lump everyone together, when the government is the entity of which we truly need to be in fear.
Sorry - is my closet hippie showing? lol
fek47@reddit
This is a very prudent strategy. I'm preparing for the worst but hoping for the best. I encourage everyone to start preparing now but not acting before enough information is available. It will take some time before we know enough to make a definitive decision.
daemonpenguin@reddit
The distro developers or the owners of the distro.
Yes. Developers decide everything that goes into the distribution.
Yes.
No. Even if it was kernel-level (which it is not) each distro would have the choice to enable that kernel module or not. You can just run distributions made in countries without age verification laws.
DoubleOwl7777@reddit
you decide. nothing is kernel level. you are free to do whatever you want.
SpeedDaemon1969@reddit
And if it ever is, we can recompile.
Monoplex@reddit
The laws are so horribly written it's impossible to give an answer. They were written by people that think the only two operating systems in existence are iPhone and Laptop.
SpeedDaemon1969@reddit
The same ones who thought they were smart 20 years ago when they called every computer a "hard drive".
RomanOnARiver@reddit
My understanding is the operating system needs to have some kind of API or environmental variable and app developers can reference that the same way they reference what your language is or what your theme is, or if you're in light or dark mode, etc. But the whole thing is so vaguely written and so unclear, who really knows.
Safe-Average-1696@reddit
Big Linux (Brazilian distribution) did it to comply with their laws, it's implemented as an OPTIONAL parental control app.
It's in rust and it uses Linux kernel mechanism (ACL, PAM, nftables)
The administrator (parent) choose to monitor their children account based on age.
It's local only and parents have to activate it if needed for each children account.
Parents can monitor when children can connect to their session and how long they can, what app they can use, they can choose filters for web browsing too.
https://github.com/biglinux/big-parental-controls
Glad-Weight1754@reddit
subredit without image upload. Awesome.
Squiggin1321@reddit (OP)
I’m confused, why is this relevant in any regard?
Glad-Weight1754@reddit
I wanted to post a picture how it looks on macOS.
Correctthecorrectors@reddit
what will end up happening is as the governments become authoritarian, the laws will start to carry less meaning as basic humans rights becomes grouped in with the dark web and software. the internet essentially forms into alliance with darknet websites and free speech with everything being done using encrypted communication, tor and vpns. Eventually there will be an uprising and a revolution because of it as more and more people are forced underground. Thats the most likely outcome evnatually. All very unnecessary and prevantable but that seems to be the route the powers that be desire as they start to lose control of the capitalist system.
Squiggin1321@reddit (OP)
I hate how pessimistic this is but I’m partially inclined to agree. There’s a possibility that things change, but it appears unlikely with the rise of autocracy around the world.
torsten_dev@reddit
You decide. If someone implements something you don't like you fork.
Community driven distros will pick the solution the community wants.