xdg-desktop-portal

Portal-Based Age Signals

Age verification via xdg-desktop-portal is emerging as the primary path for Linux age reporting. An open pull request (PR #1922) defines the application-facing API. A merged systemd commit (PR #40954) provides the data layer. The original D-Bus proposal author now recommends this approach.

Active PR

xdg-desktop-portal PR #1922 (opened by David Edmundson, KDE) adds a parental controls / age range portal to the xdg-desktop-portal specification. The PR is open as of March 10, 2026. Discussion was locked after a social media influx; collaborative review continues among maintainers.

Separately, systemd PR #40954 was merged on March 18, 2026, adding a birthDate field to systemd's JSON user records. This is the data source the portal would read from. The storage layer has shipped. The API layer is pending.

The Pipeline

The age verification stack forming across the Linux ecosystem has three layers:

Layer 1: Data Storage — systemd userdb

Merged

systemd PR #40954 added a birthDate field (YYYY-MM-DD) to JSON user records managed by systemd-userdbd. The field stores the user's full date of birth — not a bracket, not a year, an exact date. It is set via homectl for systemd-homed users or via drop-in records in /etc/userdb/.

The field is readable by any process that can query userdb. Only administrators can write it. Lennart Poettering (systemd maintainer) argued that sandboxing — not field-level access control — should handle data exposure.

The PR explicitly cites AB 1043, CO SB 26-051, and Brazil Lei 15.211 as motivation. It coordinates with AccountsService MR #176 and xdg-desktop-portal PR #1922.

Ageless Linux response: become-ageless.sh already neutralizes this field. Regular mode sets all users to 1970-01-01. Flagrant mode sets it to null. The --persistent flag installs agelessd, a systemd timer that re-neutralizes every 24 hours.

Layer 2: Application API — xdg-desktop-portal

Open PR

PR #1922 adds an age range portal. Applications submit age thresholds (e.g., [9, 13, 16]) and receive a response indicating which range the user occupies (e.g., [13, 16] for a 14-year-old). The portal backend reads from the data layer (systemd userdb, AccountsService, or a distro-specific store) and returns only the applicable range — not the exact date.

Applications require a static manifest permission to call the portal. Rate limiting is discussed to prevent bisection attacks (querying with progressively narrower gates to determine exact age).

Layer 3: Desktop Integration

Future

Desktop environments (GNOME, KDE, etc.) would implement the portal backend and provide UI for entering birth date data during account setup. The portal spec defines the API; each desktop implements its own backend. GNOME might read from AccountsService; KDE might read from systemd userdb directly.

The Portal API (PR #1922)

The proposed portal is tentatively named org.freedesktop.impl.portal.ParentalControls (naming under debate — alternatives include "AgeRange" and "AgeSignals").

How It Works

An application provides an array of age thresholds. The portal returns the lower and upper bounds of the range the user falls within: 

Application sends:  gates = [9, 13, 16]

User is 12:   response = [9, 13]    (older than 9, younger than 13)
User is 17:   response = [16, -1]   (older than 16, no upper bound)
User is 8:    response = [-1, 9]    (younger than 9, no lower bound)

The design is intentionally coarser than returning an exact age. The application learns only which bracket the user occupies relative to thresholds the application itself chose. Different applications can submit different gate arrays — a social media app might use [13, 16, 18] while a gambling app uses [18, 21].

Bisection Risk

An adversarial application could submit many single-value gates across the full age range ([1], [2], [3], …) to determine exact age. The PR discussion acknowledges this and proposes rate limiting, but no mechanism is specified. The backend (desktop environment) is responsible for enforcement.

Why This Path Won

The original D-Bus proposal (org.freedesktop.AgeVerification1) was closed at freedesktop.org after community pushback over reputational risk. Aaron Rainbolt, the proposal's author, now considers the portal approach the likely path forward:

"The original D-Bus API I proposed probably isn't how an age API would be implemented in the future if it ended up happening. [The xdg-desktop-portal PR] has a more realistic API; this is probably the one you'll want to plan on blocking." — Aaron Rainbolt, March 2026

David Edmundson's rationale for the portal approach:

Existing Infrastructure

xdg-desktop-portal already handles permission-gated access to system data for sandboxed applications — file access, screen sharing, notifications, and other controlled operations. Age data fits naturally into this model as another piece of permission-gated user information.

Sandboxing Integration

Flatpak and Snap applications communicate with the host system through portals. A portal-based age interface integrates with existing sandboxing rather than requiring apps to additionally reach a separate D-Bus service.

Backend Flexibility

The portal spec separates the API (what apps see) from the backend (what the desktop implements). Different desktops can read age data from different sources — systemd userdb, AccountsService, a flat file — without changing the application-facing interface.

Discussion Highlights

"Operating systems have a trillion other bits of information available." — David Edmundson, debian-devel, March 2026

Edmundson dismissed data minimization concerns as "overblown" — the OS already exposes locale, timezone, display resolution, installed fonts, and hardware identifiers. Adding an age bracket is a marginal increase. From the Ageless Linux perspective, this is an argument for why the entire portal framework is a removal target, not just the age interface.

Notable Positions from the PR

  • AdrianVovk (collaborator): Advocated separating this as a distinct "AgeRange" portal, not conflating it with content-filtering parental controls
  • jackpot51 (System76): Urged caution, citing ongoing legislative discussions that may amend requirements for open source
  • HaplessIdiot & sersonz: Argued the API normalizes age as a queryable OS signal and represents surveillance infrastructure
  • PeterWithnall: Suggested designing around actual use cases (app filtering, content tagging) rather than purely legislative requirements

Ageless Linux Position

Monitoring

PR #1922 is open and under active review. No desktop environment has merged a backend implementation. We are monitoring for a resolution.

The data layer is already handled. systemd's birthDate field is neutralized by become-ageless.sh — set to the epoch (regular mode) or explicitly null (flagrant mode). The --persistent flag ensures it stays neutralized via the agelessd timer. Even if the portal ships, it will read neutralized data on Ageless Linux systems.

Preliminary Approaches

If the portal is accepted and desktop environments begin shipping backends, potential short-circuit strategies include:

1. Custom portal backend. A minimal xdg-desktop-portal-ageless that implements only the age verification portion of the portal API and returns an error for every query. Written in C, compiled at install time. Replaces the desktop's backend for this interface only.
2. Flatpak permission override. flatpak override --no-talk-name to revoke individual apps' access to the age portal, or a system-wide override that blocks the interface entirely.
3. Data layer neutralization. Already implemented. The portal backend reads from systemd userdb; on Ageless Linux systems, userdb returns epoch dates or null. The portal gets nothing useful even if it runs.

These are preliminary. We will finalize our approach when the portal specification and at least one desktop backend are concrete enough to test against.