Per the very first reply on their thread discussing it in their forums, which I linked directly to for the post title:
We’ll NEVER require any verification or identification from the user.
However, what’s gonna happen should the attempts to age-gate the XDG portal screw over alt-init distros like Artix too? My guess is maybe they start blocking regions which force age gating like Arch Linux 32 is doing.
It saves you from what exactly? As a rational crank, surely you have an explanation.
Unless you use xdg-desktop-portal, the field that systemd added does absolutely nothing.
It’s an optional information field for user accounts, systemd doesn’t require that it is filled nor does systemd do anything to verify or check the field. User accounts also store e-mail and location and you are free to not enter that information or to enter fake information.
I don’t see the vulnerability, especially considering that you’re comparing it to an SSH vulnerability (which, it should be noted, was caught in testing and never released).
The rational is systemd has a huge amount of features that normal desktop users will never need. If you use something like OpenRC or Runit the experience is not much (or any) different. All those features will introduce complexity and potential bugs and vulnerabilities.
Sure it doesn’t add much, but many of the systemd things are ‘not much’. But together it is a lot.
Luckily it was the case, but it was way too close for comfort. It doesn’t change the fact that bloated systems like systemd are what enable these types of attacks. If you use many of its features I’m sure its great, all software has bugs and holes in it. But the point is that if you don’t need the features you don’t need to expose yourself to the extra bulk and risks. Same for things like sudo vs doas. Almost everyone uses sudo but 99.9%+ doesn’t use any features that doas doesn’t have. And then of course systemd invents its own alternative 😅.
And then there is the Unix philosophy. If we need age verification, why does it need to be in the init system? Why not a separate package that can be installed along side any init system / kernel / desktop environment / etc? If it lives in the init system, every init system needs to implement their own version of it.
I understand the arguments against systemd. It isn’t just an init system and it fulfills multiple roles, which goes against the Unix philosophy.
That being said, systemd does store user information. Since this issue requires the storage of additional user information, in order to comply with the law, the systemd team are making their software compatible with complying with the law.
Ultimately, it’s the end user who gets to determine how the software is configured. You can ignore the birthdate field and systemd will not do anything to prevent you from doing so. systemd doesn’t require the data in order to operate, it doesn’t verify the data and it doesn’t prompt you to enter the data. The consequences of ignoring this addition are exactly zero.
It’s simply there because a law exists and users of systemd (like xdg-desktop-portal) require a location to store the data.
I hate the age verification laws and think they’re going to cause more problems than they claim to solve. I’m not cheering on these laws, I’m simply pointing out that attacking systemd for adding an optional field in order to allow compliance isn’t rational.
Aim the ire at the people making the laws, not the volunteer developers who are following laws even if they don’t like them.
I think the issue outside of capitulation is the matter of systemd’s obligation or lack thereof to make this change. Systemd by law isn’t required to do anything. xdg-desktop-portal more so is, but that raises a bigger question: Why is a jurisdiction specific requirement being rolled into this? Do all jurisdiction specific requirements need to be loaded for optional use? Why is this being shunted to xdg-desktop-portal to handle the brunt of this?
Ultimately the PR was closed and for this very reason:
Expanding on that, the outright shortsightedness of the request is made more clear further into that discussion: https://github.com/systemd/systemd/issues/40974#issuecomment-4018655808
Yet. it’s a foot-on-the-door to demand more stuff, and some distros have already shown they are going to merrily open up their arses and ours.
This is something being created in response to laws being passed by politicians, it’s not a secret plot by systemd and distro maintainers to… whatever it is that you’re implying.
This is about as scary as the realName, emailAddress or location fields. They’re completely optional and not validated in any way. You can call yourself Linus Torvalds set your e-mail address to gaben@valve.com and your location to Mars… nothing about the system is going to check or care if you’re lying. Similarly, now you can set your birthdate to April 20th 69BC if you’d like. It doesn’t mean anything.