On March 5, a contributor opened PR #40954 against the systemd repository: “userdb: add birthDate field to JSON user records.” The PR cited California’s AB-1043, Colorado’s SB26-051, and Brazil’s Lei 15.211/2025 as rationale.
On March 18, systemd maintainer Luca Boccassi, a Microsoft employee, merged it.
On March 19, a revert was proposed, citing privacy concerns, philosophical objections to Linux distributions acting as identity authorities, and legal complexity for volunteer projects. Four minutes later, the systemd organization locked the conversation. Three minutes after that, Lennart Poettering closed the PR: “It’s an optional field in the userdb JSON object. It enforces zero policy.” The field stays.
birthDate#
birthDate is an optional property in systemd’s JSON user record schema, the same extensible format that already stores display names, shell preferences, and SSH keys. It is stored in YYYY-MM-DD format, excluded from the list of fields a user can modify on their own account, and settable only by administrators through homectl. Any application can read it.
Lennart Poettering’s position is that systemd defines an optional schema field, not an enforcement mechanism. The field sits in the record until someone decides to populate it. Nothing in systemd compels that decision.
This distinction is technically correct, and it is also how infrastructure gets built. The schema is standardized, the data persists on disk when written, and the only missing piece is a mandate to populate it.
Downstream#
By the end of March, distribution forums and mailing lists were fielding the same question: what are you going to do about this?
Canonical’s VP of Engineering set the template, stating that the work in the installer and systemd was done by an external contributor, not by Canonical, and that the company has no intention of considering implementations until its legal department evaluates whether and how to respond. Fedora’s project leader deferred to legal counsel. System 76, which ships hardware with Pop!_OS preinstalled in California, acknowledged they may eventually have to comply.
Distributions outside U.S. jurisdiction drew a cleaner line. Garuda Linux, whose servers are hosted in Finland and Germany, responded directly: “We have no operations in California. Last time I checked, California law does not yet apply where I live.” Zorin OS and MX Linux issued similar statements. MX Linux correctly identified California’s law as self-reporting, not verification: no external validation required, not even an actual age, just age ranges.
The engineering response is not limited to systemd. MidnightBSD, a BSD, modified its license to prohibit use by residents of jurisdictions that require age verification for operating systems, naming Brazil (effective March 2026), California (effective January 2027), and prospectively Colorado, Illinois, and New York. Then it shipped release 4.0.4 with its own age attestation tools (aged and agectl), offering compliance for users who need it while keeping the license exclusion in place for jurisdictions it considers overreaching. The same legislative pressure that produced the systemd field produced a parallel implementation in a completely separate codebase.
The pattern was consistent across all of them: not a single maintainer expressed enthusiasm for storing users’ dates of birth. As Garuda’s team stated: “None of the Linux distribution maintainers want to implement age verification. The distro devs are on the same side as the ones criticizing them.”
My first contribution to systemd#
The systemd PR was not isolated. The contributor who opened it, Dylan Taylor, submitted patches to Arch Linux’s installer and Ubuntu’s desktop provisioning system during the same week. A separate contributor filed a parental controls portal against xdg-desktop-portal that would consume the birthDate field as a data source. Only systemd merged; Arch’s PR remains an open draft and Ubuntu’s were closed without merging. But the full architecture was laid out publicly: storage in systemd, collection in the installer, and exposure through a desktop portal.
This is the layered architecture that Part 3 described Meta lobbying for: verification at the device level, not the platform level. The difference is that instead of Apple or Google building it, external contributors submitted patches to open-source infrastructure that ships on nearly every major Linux distribution.
The Register reported that Meta, through the Digital Childhood Alliance, was identified as the primary funder behind age verification legislation. The TBOTE Project, an open-source intelligence investigation into the lobbying behind these laws, has traced Meta’s deployment of 86+ lobbyists across 45 states. Separately, TBOTE analyzed $2 billion in grants flowing through the Arabella Advisors network, looking for connections to age verification advocacy. Not all of that money is confirmed as related; the investigation is ongoing. Whether Taylor’s patches were connected to that operation is not established. What is established is that the legislation created the obligation, and the obligation produced the code.
Who still ships SysV?#
The SysV compatibility layer is gone in v260. Linux From Scratch shipped its first systemd-only release in March. The distributions that run without systemd (Devuan, Artix, Alpine, Void) are unaffected by the birthDate field, but they represent a small fraction of the Linux desktop installed base. For the distributions that dominate actual usage (Ubuntu, Fedora, Arch, Debian, openSUSE), systemd is not optional.
The field is on systemd’s main branch and will ship in the next tagged release. Every distribution that tracks upstream will pick it up in a routine update. Even distributions that review upstream changes closely (and several flagged this one) still face the same decision: carry the field or maintain a patch to remove it.
The storage layer is in place. The schema defines where a Linux system stores a user’s date of birth. A future mandate that requires collection does not need to solve the storage problem, because the storage problem was already solved and merged into one of the most widely deployed software projects on Earth.
The bottom of the stack#
The first post in this series argued that age verification infrastructure becomes surveillance infrastructure. The third documented Meta’s lobbying campaign to shift verification from platforms to devices. The fourth showed that the tools to protect children already exist on every phone and that no one is incentivized to enable them by default.
The systemd merge is what it looks like when that lobbying chain reaches the bottom of the stack.
Here is the timeline:
- Legislation passes (AB-1043, SB26-051).
- Legislation creates obligation.
- Obligation produces a good first issue.
- A Microsoft employee merges it.
- The revert is locked in four minutes and closed in seven.
- The field ships downstream to every major Linux distribution.
- Michigan’s HB 4429 would require operating system providers to determine or estimate the user’s age at activation. New York’s S8102A requires age assurance at the device level. Illinois, North Dakota, and Utah are advancing similar proposals.
Each step is defensible in isolation. AB-1043 is law. The PR was a reasonable engineering response to the law. The schema is technically clean. The field is optional. And the sum of those individually reasonable steps is that a volunteer-maintained init system now has the schema in place to serve as the identity layer for age verification on every Linux desktop that ships systemd.
The obligation is entirely external: legislation backed by Meta’s record $26.29 million federal lobbying spend in 2025, of which age verification was a major focus, aimed at every layer of infrastructure except its own platforms. The distributions did not ask for this, the maintainers do not want it, and Meta never had to touch a line of code.