Dylan M. Taylor — an Arch Linux installer contributor and NixOS package maintainer — submitted a pull request adding an optional birthDate field to systemd’s userdb.

Here’s what the field actually does:

• It sits in a JSON user record
• It’s completely optional
• You can put any value in it (including fake ones)
• There’s no ID check, no facial recognition, no third-party verification
• A location field with identical properties already existed. Nobody cared about that one.

The intent: give corporate-backed Linux distros a lightweight mechanism to comply with US state age verification laws without building something invasive. Taylor explicitly said it’s self-attestation, not verification.

Lennart Poettering’s systemd project merged it. And then the internet caught fire.

What followed went way beyond “I disagree with this commit”:

• Death threats sent to Taylor directly
• Doxxing — his SSN, phone number, and home address posted on imageboards and pastebins
• Racist, homophobic, and antisemitic messages flooding his inbox
• Fraudulent takeout orders placed using his home address
• Mormon missionaries sent to his house (creative, I’ll give them that)
• Photo manipulation and mockery spread across forums

Taylor had to disable issues and pull request tabs across ALL his GitHub repositories. He spent time scrubbing his personal info from pastebins and anonymous boards.

This is a guy who writes Python for the Arch installer for free. On his own time. And people tried to get his social security number published because of a JSON field.

“It doesn’t introduce ‘age verification’ to Linux. None of the PRs involve ID checks, facial recognition, or third-party verification services. You can enter any value, including January 1st, 1900.”

On whether FOSS projects should comply with laws they disagree with:

“Unfortunately, in a lot of cases, the answer is yes — at least for any distribution with corporate backing. If we ignore regulations entirely, we risk Linux being something that companies are not willing to contribute to.”

On the future split:

“Unfortunately, yes, to some degree this is likely. I imagine the split will be mostly along the lines of independent distributions and those with corporate backing.”

He specifically named Valve and System76 as companies that vocally hate these laws but would comply anyway because they can’t afford not to.

Within days of the merge, someone forked systemd and stripped the birthDate field out entirely. They called it Liberated systemd.

Here’s the angle nobody’s talking about: this fork is mostly symbolic right now. But it matters because it draws the battle line. You’re going to see distros start picking sides:

Likely to comply: Ubuntu, Fedora, openSUSE, any distro with corporate backing
Likely to resist: Artix, Devuan, Gentoo, and any distro maintained by individuals

Taylor himself acknowledged this split is coming. The independent distros are “small enough where the individual maintainers may be willing to take on more risk.”

→ Translation: corporate distros comply because lawyers say so → independent distros resist because they have no lawyers to tell them not to → users migrate based on ideology → two parallel Linux ecosystems emerge.

Age verification laws are spreading like wildfire:

• California — Age-Appropriate Design Code
• Colorado — similar protections for minors
• UK — Online Safety Act requiring age checks
• Australia — social media age verification bill passed
• Brazil — child protection regulations
• EU — proposals in the works

Every one of these laws trickles down to software. And systemd runs on basically every Linux server and desktop on Earth. So when a government says “verify age,” every piece of software in the chain has to decide: comply, resist, or pretend it doesn’t apply to you.

The birthDate field was the first crack. It won’t be the last.

Between you and me, there’s a growing market of small businesses that want Linux but don’t have time to figure out which distro protects their data. Here’s what you do: package a hardened install with privacy-first defaults — no telemetry, no age fields populated, no cloud sync. Sell it as a service with quarterly updates.

Example: A sysadmin in Prague started offering “compliance-free” NixOS configurations to local co-working spaces. He charges €40/month per machine for maintenance. 12 spaces signed up in two months → €5,760/year recurring from a weekend project.

Timeline: 2-3 weeks to build the first config. Revenue in month one if you already know your local business scene.

Here’s the play: those US state laws don’t just affect Linux distros. Every SaaS company serving users in California and Colorado needs age verification. Most of them are scrambling. Build a lightweight self-attestation API that plugs into existing auth flows. Charge per integration.

Example: A freelance dev in Medellín built a simple age-gate widget using Next.js + a date picker. She listed it on a compliance marketplace and charges $200/integration. 15 SaaS startups bought it in Q1 → $3,000 in three months, and she’s adding GDPR date-of-birth handling next.

Timeline: 1 week to build the MVP. Start cold-emailing SaaS founders on Indie Hackers immediately.

The Liberated systemd fork proved the demand exists. Here’s what you do: take an existing minimal distro (Artix, Void, Alpine), strip anything compliance-related, document it beautifully, and put it on GitHub with a Patreon. The privacy crowd will pay for someone else to do the auditing.

Example: A security researcher in Bucharest maintains a stripped-down Artix spin focused on journalists and activists. He documents every removed component. His Liberapay pulls in €380/month from 200+ supporters, and he did the first build in a single weekend.

Timeline: One weekend for the initial spin. 1-2 months to build an audience via Reddit r/privacy and Lemmy communities.

Nobody is tracking which distros implement age verification and which don’t. This information is scattered across GitHub commits and mailing lists. Here’s what you do: create a weekly newsletter that monitors systemd forks, distro announcements, and law changes. Monetize with sponsorships from VPN companies and privacy tools.

Example: A tech writer in Nairobi launched a Substack tracking African data protection law changes and their impact on open source. She hit 2,000 subscribers in 6 weeks. A local VPN company sponsors her at $400/month. Total effort: 3 hours per week of reading and writing.

Timeline: First issue in 2 days. Sponsorship revenue within 6-8 weeks if you pitch privacy-adjacent companies early.

Startups building on Linux have zero idea what age verification laws mean for their stack. Most CTOs haven’t even heard of the systemd birthDate field. Here’s what you do: record a 2-hour course covering what’s changing, what distros are affected, and how to stay compliant without surrendering privacy. Price it at $29.

Example: A DevOps engineer in Bangalore recorded a course on “GDPR Compliance for Linux Servers” last year. It’s pulled in $8,200 with zero ad spend — just organic search from panicked sysadmins Googling compliance terms. He updates it quarterly with 20 minutes of new content.

Timeline: 1 week to script and record. Revenue starts trickling in month two from SEO.