hekate/microsoft-systemd-findings-public
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
microsoft-systemd-findings-.../20-red-hat-investigation.md
hekate 3de563455b Formatting
2026-03-23 18:47:20 +00:00

284 lines
17 KiB
Markdown
Raw Permalink Blame History

# Red Hat / IBM Investigation
## Summary
Red Hat is absent from the age verification policy debate despite incubating systemd for 14 years and shipping RHEL - a commercial product with direct AB-1043 compliance obligations. Zero lobbying on child safety bills. Zero official statements. Zero corporate positioning. A former Red Hat developer who moved to Amutable now sits on the Fedora committee that decides whether to ship the birthDate field.
---
## 1. The Governance Migration
systemd governance migrated through three corporate homes:
| Period | Control | Key Personnel |
|---|---|---|
| 2010-2022 | Red Hat | Poettering (creator), Zbigniew (maintainer), others |
| 2022-2026 | Microsoft | Poettering, Brauner, Boccassi, Kühl (via Kinvolk) |
| 2026-present | Amutable | Poettering, Brauner, Kühl, Zbigniew, de Meyer |
Red Hat no longer employs any of the people who controlled the birthDate merge/revert decisions. IBM/Red Hat layoffs (2024-2025) created the conditions for this talent drain.
## 2. Zbigniew Jedrzejewski-Szmek - The Critical Node
Red Hat's upstream systemd developer and Fedora systemd maintainer. Third most active systemd committer historically. Career path:
Red Hat (Plumbers Team) → Amutable (late 2025)
He is associated with issue #40974 (the ageGroup alternative to birthDate). He sits on FESCo (Fedora Engineering Steering Committee, elected F43) - the body that decides whether Fedora ships the birthDate feature. No conflict-of-interest disclosure exists in any public record.
Structurally identical to the Poettering conflict: an Amutable employee with decision-making authority over whether a feature that benefits Amutable commercially reaches production in a major distribution.
Sources:
- https://github.com/keszybz
- https://communityblog.fedoraproject.org/f43-fesco-elections-zbyszek/
- https://www.redhat.com/en/authors/zbigniew-jedrzejewski-szmek
- https://fedoraproject.org/wiki/User:Zbyszek
## 3. Red Hat Personnel at Amutable
Three of eleven Amutable personnel have Red Hat backgrounds:
| Person | Red Hat Role | Amutable Role |
|---|---|---|
| Lennart Poettering | Senior Principal Engineer (14 years) | Chief Engineer |
| Zbigniew Jedrzejewski-Szmek | Plumbers Team, upstream systemd | Engineer |
| Joaquim Rocha | GNOME/Wacom developer | Engineer (via Kinvolk → Microsoft) |
Red Hat is the second-largest source of Amutable talent after Microsoft (6 of 11 via Kinvolk acquisition).
## 4. IBM/Red Hat Lobbying - The Silence
IBM spent $5.53M on federal lobbying in 2024. None on age verification.
| Company | 2024 Federal Lobbying | Age Verification Lobbying |
|---|---|---|
| Meta | $26,300,000 | Yes - KOSA, COPPA 2.0, ASAA |
| Microsoft | $10,353,764 | Yes - KOSA, COPPA 2.0 |
| IBM/Red Hat | $5,530,000 | None found |
IBM's disclosed lobbying topics: AI policy, intellectual property, cloud, quantum, cybersecurity, federal IT modernization, defense, semiconductors, and generic "privacy regulation." Zero LD-2 filings naming KOSA, COPPA 2.0, AB-1043, ASAA, DAAA, or any child safety legislation.
No registered position (support or oppose) on AB-1043 from IBM or Red Hat. No testimony to the California legislature. The OSI, FSF, and Linux Foundation also submitted nothing - silence across the entire open-source ecosystem.
Sources:
- https://www.opensecrets.org/orgs/ibm-corp/lobbying?id=D000000720
- https://www.opensecrets.org/orgs/ibm-corp/summary?id=D000000720
## 5. Red Hat's Commercial Exposure
AB-1043 defines "operating system provider" as anyone who "develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device." This covers RHEL.
No explicit exemption for enterprise, server, or headless deployments. Penalties: $2,500 per affected child (negligent), $7,500 (intentional). Compliance deadline: January 1, 2027.
Red Hat has California customers. RHEL is a commercial product. Red Hat has issued zero public statements about compliance planning. Nine months to deadline. Unprecedented silence for a major compliance-affecting regulation.
The EFF noted AB-1043 burdens "fall particularly heavily on developers who aren't at large, well-resourced companies."
Sources:
- https://www.eff.org/deeplinks/2026/03/ab-1043s-internet-age-gates-hurt-everyone
- https://hackaday.com/2026/03/05/californias-problematic-attempt-to-add-age-verification-to-software/
## 6. Fedora Community Response
Four active discussion threads on discussion.fedoraproject.org:
1. "California Age Verification" (/t/181968) - primary thread, 7+ pages
2. "A Practical Architectural Solution" (/t/183387) - technical proposal
3. "Cross distro solution" (/t/182944) - cross-distro coordination
4. "Request for spiritual bypass option" (/t/183378)
Jef Spaleta (Fedora Project Leader) proposed: local file in /etc/ populated during account creation, local D-Bus API (org.freedesktop.AgeVerification1), no telemetry, no online verification, no data sharing. Age bracket API - apps query OS for bracket, OS responds locally.
Nothing shipped. Status: EXPLORING. No FESCo vote on the birthDate field.
FESCo composition for F43 includes both Zbigniew (now Amutable) and Timothee Ravier (Red Hat CoreOS). No conflict-of-interest discussion has occurred.
Sources:
- https://discussion.fedoraproject.org/t/california-age-verification/181968
- https://discussion.fedoraproject.org/t/a-practical-architectural-solution-to-os-level-age-verification-laws/183387
## 7. Sovereign Tech Fund
The German Sovereign Tech Agency allocated EUR 399,000 to systemd (2025-2026). Purpose: "extending systemd to improve security, integrity, and robustness for multi-user systems." Also ran a bug bounty for systemd through YesWeHack.
The grant scope ("multi-user systems," "security, integrity, and robustness") aligns with the userdb/homed subsystem where birthDate was added. No public evidence directly links the STF grant to the birthDate work. No Red Hat involvement in the STF grant found.
The STF contractor identity for the EUR 399K grant remains unknown.
Sources:
- https://www.phoronix.com/news/STF-2026-systemd-PHP
- https://www.sovereign.tech/programs/fund
## 8. Christian Brauner - No Red Hat Connection
Brauner's path: Canonical (~2017-2022) → Microsoft (~2022-2025) → Amutable (January 2026). Never at Red Hat. The Red Hat connection to Amutable runs through Poettering (14 years) and Zbigniew (direct hire), not Brauner.
## 9. UAPI Group
Red Hat is not listed by corporate name. Fedora CoreOS is listed as a member project (maintained by Red Hat's Timothee Ravier). The UAPI Group was founded by Poettering, Boccassi, and Brauner - two of three now at Amutable, one at Microsoft.
Source: https://uapi-group.org/
---
## Key Structural Observations
1. Red Hat built systemd, then lost control of it. Poettering spent 14 years at Red Hat creating and developing systemd. IBM's acquisition (2019) and subsequent layoffs (2024-2025) pushed key developers to Microsoft and then Amutable. Red Hat now depends on a project governed by a commercial competitor.
2. The Zbigniew conflict mirrors the Poettering conflict. An Amutable employee who advocated for the birthDate field sits on the committee that decides whether Fedora ships it. No disclosure. No recusal. No governance mechanism to require either.
3. Red Hat's silence is louder than its competitors' lobbying. Microsoft lobbied for KOSA. Meta lobbied for ASAA. Red Hat said nothing. AB-1043 affects RHEL directly. The January 2027 deadline is nine months away. Zero public compliance planning.
4. The talent pipeline is one-directional. Red Hat → Microsoft → Amutable. No one has moved from Amutable or Microsoft back to Red Hat.
---
## 10. Zbigniew's FESCo Disclosure Gap (Wayback Machine Evidence)
Wayback Machine snapshots of github.com/keszybz establish a definitive timeline:
| Date | GitHub Bio | Event |
|---|---|---|
| Aug 22, 2025 | "Working on open source stuff at Red Hat" | Amutable incorporated Aug 21 |
| Dec 4, 2025 | "Working on open source stuff at Red Hat" | FESCo nominations open |
| Dec 17, 2025 | (interview published, zero employer disclosure) | FESCo interview: "What else should community members know?" Answer: "n/a" |
| Jan 6, 2026 | "Working on open source stuff at Red Hat" | Voting still open (closes Jan 7) |
| Jan 8, 2026 | - | Elected to FESCo (842 votes, 2nd highest) |
| Jan 27, 2026 | "Working on open source stuff at Red Hat" | Amutable publicly announced same day |
| Feb 6, 2026 | "Working on open source stuff at Amutable" | First snapshot showing Amutable |
| Mar 23, 2026 | Amutable on GitHub | Fedora wiki still says "I work for Red Hat" |
The word "Amutable" has never appeared on Fedora Discussion forums. No community member raised his affiliation during or after the election. 214 Fedora voters elected him believing he worked for Red Hat.
Wayback sources:
- https://web.archive.org/web/20251204040135/https://github.com/keszybz
- https://web.archive.org/web/20260106201724/https://github.com/keszybz
- https://web.archive.org/web/20260127234217/https://github.com/keszybz
- https://web.archive.org/web/20260206034339/https://github.com/keszybz
## 11. CCIA Membership - The Undisclosed Litigation Channel
Red Hat is a CCIA member. IBM does not disclose this on its Positions and Associations page (which lists 13 associations receiving $50K+/year). CCIA is the most aggressive litigator against age verification in the US:
- CCIA v. Paxton (W.D. Tex.) - injunction granted Dec 2025 against Texas SB 2420
- CCIA v. Brown (D. Utah) - enforcement blocked Feb 2026 against Utah SB 142
- Additional filings in Kansas, Alabama, Michigan, Florida
CCIA sues "on behalf of its members." Red Hat is a member. IBM is Red Hat's parent. IBM is a party-in-interest to active federal litigation against age verification through a subsidiary relationship it does not publicly disclose.
A Chevedden shareholder proposal demanding lobbying transparency received 48% support at IBM's April 2025 annual meeting. IBM opposed it.
Sources:
- https://www.ibm.com/policy/positions-and-associations
- https://en.wikipedia.org/wiki/Computer_%26_Communications_Industry_Association
- https://ccianet.org/litigation/ccia-netchoice-v-paxton/
- https://ccianet.org/litigation/ccia-v-brown/
- https://www.theregister.com/2025/04/11/ibm_shareholders_asked_to_back/
## 12. STF €855K - Deep Dive
### Funding Structure
The Sovereign Tech Agency GmbH (HRB 268739 B, Charlottenburg; formerly Analog Intelligence GmbH) is a SPRIND subsidiary funded by BMWK. Two separate systemd investments:
| Period | Amount | Scope | Contractor |
|---|---|---|---|
| 2023-2024 | €455,000 | Not fully described | Not publicly disclosed |
| 2025-2026 | €399,840 | "Security, integrity, and robustness for multi-user systems" | Not publicly disclosed |
Total: €854,840 in German government funds for systemd. Separately, the Bug Resilience Programme contracted Neighbourhoodie Software (Berlin, Jan Lehnardt CEO) for test coverage work on systemd-resolved. Different budget stream - James Coglan (Neighbourhoodie) authored 7 PRs tagged "STF milestone M1," increasing resolved test coverage from 16% to 52%.
### What Poettering Said About the Money
At FOSDEM 2025, Poettering stated systemd has "a little bit of funding" through SPI donations and STF grants, and that the project used STF money "for things that don't interest the core developers, for example reworking the systemd web site."
Source: https://lwn.net/Articles/1008721/
### The Contract Structure Gap
The STF uses application-based simplified procedures, not competitive procurement. No tender notices for either systemd grant appear on vergabe.de, service.bund.de, ted.europa.eu, or DTVP. The STF requires one "contractor of record" per project but does not publish that name. The tech page for the 2025-2026 grant says "still under construction."
### The Address
Implisense lists exactly two companies at Bornholmer Straße 80 A, 10439 Berlin:
- Amutable GmbH (HRB 278404 B) - Kühl as managing director
- Assembled Parts UG (HRB 254424) - Kühl as managing director
Source: https://implisense.com/en/addresses/10439-berlin-bornholmer-strasse-80-a
### Timeline Problem
- 2023-2024 grant (€455K): Active while Poettering, Zbigniew, Brauner were at Microsoft. Contracting party could be Microsoft or an individual.
- Amutable incorporated August 21, 2025.
- 2025-2026 grant (€399,840) announced October 2025 - two months after Amutable's incorporation, three months before public announcement. If the contractor changed from a Microsoft-era entity to an Amutable-related entity, that transition happened during stealth.
### Prior Grant History
Chris Kühl co-founded Endocode AG (now Hoverture Deutschland AG, HRB 150748 B - renamed April 2022). Endocode received €474,058 from EU Horizon 2020 for the FASTEN project (grant 825328, "Fine-Grained Analysis of Software Ecosystems as Networks," 2019-2022). CORDIS lists the grant under "Hoverture Deutschland AG" because that is the current legal name. Kühl-led entities have received EU research grants before.
Source: https://cordis.europa.eu/project/id/825328
### Assembled Parts UG Financial Opacity
No Jahresabschluss found on Bundesanzeiger for Assembled Parts UG. As a Kleinstkapitalgesellschaft (€5,000 capital), it files only simplified balance sheets. Revenue flows cannot be traced through public filings.
### All Systems Go! Conference Funding Shift
The systemd developer conference (organized by Assembled Parts) had corporate sponsors including Meta and Red Hat in 2018-2019. The 2025 edition switched to "100% funded by attendees" - no corporate sponsors. This shift coincides with the STF funding period.
Source: https://foss.events/2025/09-30-all-systems-go.html
### Resolution Path
A German IFG (Informationsfreiheitsgesetz) request to BMWK or SPRIND - via FragDenStaat.de - requesting the contractor of record for both systemd investment rounds. Assembled Parts UG's Jahresabschluss, if ever published, would also resolve this.
### What Cannot Be Confirmed
No public source connects either STF grant to Amutable, Assembled Parts, or any named individual. The hypothesis is structurally supported (same address, same people, overlapping mission, prior grant history, no competing entity) but not evidentially confirmed. The STF's non-disclosure of contractor names is the blocking factor.
Sources:
- https://www.sovereign.tech/tech/systemd
- https://www.sovereign.tech/tech/systemd-2025
- https://www.sovereign.tech/programs/fund
- https://www.phoronix.com/news/STF-2026-systemd-PHP
- https://lwn.net/Articles/1008721/
- https://neighbourhood.ie/blog/2025/07/23/nh-stf-s01e04-systemd
- https://cms.system.sprind.org/uploads/Corporate_Governance_Bericht_SPRIND_Gmb_H_2024_d89330a028.pdf
- https://www.northdata.com/Sovereign%20Tech%20Agency%20GmbH,%20Berlin/Amtsgericht%20Charlottenburg%20(Berlin)%20HRB%20268739%20B
## 13. PR #40954 Corporate Affiliation Map
systemd GitHub org members and their participation in the birthDate merge:
### Actively participated in PR #40954:
| Person | Affiliation | Role |
|---|---|---|
| Luca Boccassi (bluca) | Microsoft | Approved + merged |
| Mike Yuan (YHNdnzj) | Independent / KIT | Approved |
| Lennart Poettering (poettering) | Amutable | Review discussion, did not formally approve |
### Silent on both PRs (#40954 and #41179):
| Person | Affiliation | Merge Access |
|---|---|---|
| Yu Watanabe (yuwata) | Red Hat | Yes - #1 committer for 4 years |
| Frantisek Sumsal (mrc0mmand) | Red Hat | Yes |
| Lukas Nykryn (lnykryn) | Red Hat | Yes |
| Peter Lemenkov (lemenkov) | Red Hat | Yes |
| Zbigniew (keszybz) | Amutable (ex-Red Hat) | Yes |
| Daan de Meyer (DaanDeMeyer) | Amutable (ex-Meta) | Yes |
Red Hat has four org members with merge access. None left a public trace on either PR. The company that built systemd over 14 years was absent from its most contested merge decision.
Poettering's quote closing the revert (PR #41179, March 19): "It's an optional field in the userdb JSON object. It's not a policy engine, not an API for apps. We just define the field, so that it's standardized iff people want to store the date there, but it's entirely optional. Hence, please move your discussion elsewhere, you are misunderstanding what systemd does here. It enforces zero policy, it leaves that up for other parts of the system."
Sources:
- https://github.com/systemd/systemd/pull/40954
- https://github.com/systemd/systemd/pull/41179
- https://github.com/orgs/systemd/people
- https://www.sambent.com/the-engineer-who-tried-to-put-age-verification-into-linux-5/
---
## Methodology
All information from public sources: GitHub profiles, Wayback Machine snapshots, conference talks, Fedora community forums, OpenSecrets lobbying data, legislative records, corporate registries, IRS filings, news coverage, CCIA litigation filings. No non-public information accessed.
Reference in a new issue View git blame Copy permalink