Dylan M. Taylor is not a household name in the Linux world. At least, he wasn’t until recently.The software engineer and longtime open source contributor has quietly built a respectable track record over the years: writing Python code for the Arch Linux installer, maintaining packages for NixOS, and contributing CI/CD pipelines to various FOSS projects.But a recent change he made to systemd has pushed him into the spotlight, along with a wave of intense debate.At the center of the controversy is a seemingly simple addition Dylan made: an optional birthDate field in systemd’s user database. The change, intended to give Linux distributions a lightweight, optional mechanism to comply with emerging US state laws on age verification, was immediately met with fierce resistance from parts of the Linux community. Critics saw it not merely as a technical addition, but as a symbolic capitulation to government overreach. A crack in the philosophical foundation of freedom that Linux is built on.What followed went far beyond civil disagreement. Dylan revealed that he faced harassment, doxxing, death threats, and a flood of hate mail. He was forced to disable issues and pull request tabs across his GitHub repositories.He has shared his opinions in a blog post that the change is not "age verification":A common misconception about this change is that it introduces "age verification" to Linux. It doesn't. None of the PRs I submitted involve ID checks, facial recognition, or third-party verification services. You can enter any value, including January 1st, 1900.So, we interacted with Dylan over email to ask him about the controversy, the code change, and the personal toll it has taken.Q: A lot of backlash isn't about the code change, but about what it represents. Do you (also) think this is the first step toward OS-level surveillance, even if unintended?A: Moving towards OS-level surveillance is definitely not the intention. This field is almost completely inconsequential for surveillance because the signal reported in most cases will be “yes, this user is 18+”. One interesting thought I’ve had is actually that if we strip this signal to websites/apps and do not report an age range at all, but the vast majority of users DO, that actually gives us a more unique and trackable browser fingerprint. Privacy-wise, it’d be wise to “blend in” and always report the most common value. Tor browser thinks this way to make users less fingerprintable. Also, most users have something much more trackable and sensitive on their computer stored in a way that is usually unencrypted: their browser cookies.Q. You say this is "just attestation, not verification" but we know that infrastructure always gets repurposed later. This is where the legit fear lies. Today it's birthDate. Tomorrow could it be location, identity, or verification tokens? I understand that you are providing a workaround but where should we draw the line between compliance and resistance?A. Funny you mention that, location is already a field in userdb. Like birthDate, this field is also trivially nullable, stored locally, and can be set to anything. As long as we are talking about a user self-attesting a date - especially with the ability to enter any value we want - we aren't in the realm of identity tracking. I draw the line at when a third party internet-connected service is doing validation of ID. Let’s be honest though, I strongly believe such a thing isn’t possible on a FOSS operating system environment unless they could control what was bootable on the device at a firmware level, enforce signatures to ensure that you couldn’t boot something unrestricted, remove the ability to be root, and block LD_PRELOAD so signals couldn’t be faked. There’s probably more ways to circumvent that. What I’m trying to say is real ID verification on Linux would be awfully hard to implement, and I guarantee you, nobody would put up with it. They’d fork to a version that doesn’t have it immediately as a protest. Right now, we’re considering implementing something akin to the date pickers that were ubiquitous when signing up for internet services in the early 2000s where it’s just an honor system. Things like actual ID checks and/or facial scanning + age estimation would be just too incompatible with Linux where we have the freedom to change whatever we want to.Q. Let's be direct. Should FOSS projects adapt to laws they fundamentally disagree with? Because these kinds of laws are certainly in conflict with what a lot of Linux users believe in.A. Unfortunately, in a lot of cases, the answer is yes – at least for any distribution with corporate backing. The small independent distributions are much more flexible to refuse as a protest. If we ignore regulations entirely, we risk Linux being something that companies are not willing to contribute to, and Linux may be shipped on less hardware. I’m talking about things like Valve and System76 (despite them very vocally hating these laws). That does not help us; it just lowers the quality of software contributions due to less investment in the platform and makes Linux less accessible to the average person. We need Linux and other free operating systems to remain a viable alternative to closed systems.Q. Do you think regulations like these will reshape desktop Linux in the next 5-10 years where we might have "compliant Linux" and "Freedom-first Linux"?A. Unfortunately, yes, to some degree this is likely. I imagine the split will be mostly along the lines of independent distributions and those with corporate backing. We’re already seeing it as far as which distributions plan on implementing some sort of age verification and which ones are not, and that sucks. I’d rather nobody have to deal with this mess at all, but this is the reality of things now. As I said in the previous response, the corporate-backed distributions really have no choice in the matter. Companies are notoriously risk-adverse, but something like Artix or Devuan? Those are small and independent enough where the individual maintainers may be willing to take on more risk. I was actually thinking about what this would look like if we added it to Calamares and chatting about that with the maintainers before that thread got brigaded by bad actors posting personal information and throwing around insults. I completely support the freedom for the distro maintainers to choose their risk tolerance. If the distribution is based out of Ireland or something (like Linux Mint) without these silly laws in the jurisdiction the developer operates in, I think that we should leave it up to them to make a choice here. If we add a date picker to the installer (and I think we should), it has to be built in a way that at build time there is a flag to enable or disable the feature. We can even default it to off, and corporate distributions using Calamares or those not willing to take the risk could flip it on if they need to. That way if maintainers of the distributions do not wish to collect the birth date, they won’t have to, and no forking is required to patch it out. I do strongly feel we need to enable the user to modify their own system as they see fit.Q. Were you surprised by the intensity of the backlash? Did the criticism make you rethink your decision?A. I understood that the change was not going to be popular, but I was expecting civil discourse and a level-headed response. Things like death threats and harassment are not okay, especially when it negatively impacts unrelated third parties. However, the doxxing (and I am NOT just talking about my name, email and resume – that stuff is on my website, and is reasonably public. I don’t commit with a pseudonym and I think it’s reasonable to critique my contributions), hate mail, racism, homophobia, anti-semetism, editing of my photo, turning my profile picture into memes and making fun of my appearance, etc. made me lose a bit of faith in the FOSS community. I’m really disappointed at the reaction. We should do better than this. There are plenty of people I strongly disagree with. Reacting in this manner is childish and uncalled for. If you’re trying to convince someone they are wrong, being aggressive about it and trolling is not exactly compelling. It will make them feel even more justified in some cases.Q. How are you personally dealing with being at the center of a controversy like this? A. Honestly, not super well. The death threats are extremely unwelcome and trying to get my social security number, phone number, and address taken down from pastebins and anonymous imageboards is not exactly how I planned to spend my time, to put it lightly. I am just trying to filter out the noise and focus on addressing the constructive feedback, but people have been posting my information and harassing me on basically any repo I have on GitHub, in the issues/PR tabs. I’ve had to disable those. I find it disgusting that people are willing to place takeout orders with my information which makes businesses waste food, and it really wasn’t funny sending Mormon missionaries to my house. They pay for their own gas, and that nonsense isn’t fair to them. It’s not fun to see the nasty side of humanity, and people were saying some pretty unhinged stuff to me and about me. Nobody appreciates that. On a positive note, I know a good bit of other maintainers and developers in the Linux community and all of them were super supportive and reached out to see if I was doing okay. I appreciate that. Shoutouts to those of you from the Arch Linux project and Universal Blue/Bazzite who made sure I was doing well. Thank you for that.Q. Would this backlash demotivate you from continuing your contribution to Linux and open source in the future?A. I still love Linux and free and open source software, and would like to stay involved. Whenever I find something that is personally useful to me and I identify a way I can improve it or add functionality, I love to contribute back to the original authors and the community. It’s great to be able to be involved, and I still plan on doing so. It’s very obvious that those harassing me are a very small but vocal part of the FOSS community and I try to see the better side of people. I would really appreciate if the personal attacks stopped though. It’s childish and unconstructive.Closing ThoughtsWherever you stand on age verification laws or Dylan's code change, the response he received is unwarranted. Harassment, doxxing, and death threats have no place in any community, let alone one that prides itself on openness and collaboration. There are more civilized ways to disagree.Dylan's answers reveal the real dilemma: how does an open source ecosystem, built on the principals of freedom and decentralization, respond to legal pressure from the real world? His position is that corporate-backed distributions may have no practical choice. That is rational, even if it is uncomfortable for many to hear.