by amluto 2509 days ago
Unfortunately, it’s not totally nuts. Designing a system that has replaceable firmware and retains the security properties one would want is nontrivial. Malicious software should not be able to reflash the device without genuine user consent, and any reflashing should wipe all key material. They could do a JavaCard-like thing where different apps have different security domains, but that needs either hardware help or complicated software.

IIRC Chromium OS has a little washer that can be physically removed to allow end-user rekeying. Without that washer removed, if you put it in dev mode, you get a warning on the display. Doing this for a reasonable price in the tiny form factor would be tough.


Tough, but not insurmountable. Especially compared to the work of reimplementing GPG and actually having it be trustworthy. (They mention it is harder than they thought, but they are continuing on. That says to me they have not yet thought hard enough about it!)

Here's an idea: If you look at the metal ring on the Somu, you'll see it is actually two separate pieces with a small gap between them. In hardware, they are two touch buttons, but the software treats them as identical.

Maybe they could manufacture the Somu with the gap between them soldered closed. If someone wants to put it in "dev mode", they have to first cut the solder bridge apart.

I think that would satisfy the GPL3: user has ultimate control, but also meet the security concern that the user might not know the implications of what they're doing.
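To make the two requirements in this thread concrete (no reflash without physical consent, and no surviving key material once the user takes control), here is an added model of the bootloader policy a cut-the-solder-bridge "dev mode" would imply. It is example code written for this page, not Somu or Solo firmware, and every name in it (device_t, device_boot, device_apply_update, the strap and touch inputs) is hypothetical. Signature verification of the image is assumed to happen elsewhere and is passed in as a boolean. One design choice is made explicit: a vendor-signed update keeps the user's credentials, while cutting the bridge, and every unsigned flash afterwards, wipes them; dev mode is sticky, so re-closing the bridge does not silence the warning.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy model; not real Somu/Solo firmware. */

#define SECRET_BYTES 32

typedef struct {
    bool    strap_closed;   /* solder bridge between the two touch pads still intact */
    bool    dev_mode;       /* sticky: once set, survives re-closing the bridge */
    bool    has_secret;
    uint8_t secret[SECRET_BYTES];
} device_t;

typedef enum {
    UPDATE_APPLIED,
    UPDATE_REJECTED_NO_CONSENT,   /* no physical touch: host software acting alone */
    UPDATE_REJECTED_UNSIGNED      /* unsigned image while still in locked mode */
} update_result_t;

/* Overwrite key material through a volatile pointer so the stores are not optimised away. */
static void wipe_secret(device_t *d)
{
    volatile uint8_t *p = d->secret;
    for (size_t i = 0; i < SECRET_BYTES; i++) {
        p[i] = 0;
    }
    d->has_secret = false;
}

/* Factory state: bridge intact, locked mode, no keys. */
void device_init(device_t *d)
{
    memset(d, 0, sizeof *d);
    d->strap_closed = true;
}

void provision_secret(device_t *d, const uint8_t *key)
{
    memcpy(d->secret, key, SECRET_BYTES);
    d->has_secret = true;
}

bool device_has_secret(const device_t *d) { return d->has_secret; }
bool device_in_dev_mode(const device_t *d) { return d->dev_mode; }

/* Called once per power-up with the sampled strap state. Returns true when the user
 * must be warned that the device is no longer in its factory trust state. The first
 * boot with the bridge cut is a one-way transition that wipes all key material. */
bool device_boot(device_t *d, bool strap_reads_closed)
{
    d->strap_closed = strap_reads_closed;
    if (!strap_reads_closed && !d->dev_mode) {
        wipe_secret(d);
        d->dev_mode = true;
    }
    return d->dev_mode;
}

/* Firmware update policy. vendor_signature_ok is the (assumed, external) result of
 * verifying the image against the vendor key; touch_present models the user pressing
 * the ring while the update is offered, so a host alone can never reflash. */
update_result_t device_apply_update(device_t *d, bool vendor_signature_ok, bool touch_present)
{
    if (!touch_present) {
        return UPDATE_REJECTED_NO_CONSENT;
    }
    if (vendor_signature_ok) {
        /* Trusted image: credentials survive, as with an ordinary vendor update. */
        return UPDATE_APPLIED;
    }
    if (!d->dev_mode) {
        return UPDATE_REJECTED_UNSIGNED;
    }
    /* Unsigned image is accepted only in dev mode, and only after the secrets are
     * gone, so user firmware can never read keys created under vendor firmware. */
    wipe_secret(d);
    return UPDATE_APPLIED;
}

int main(void)
{
    static const uint8_t key[SECRET_BYTES] = { 0xA5 }; /* constructed sample key */
    device_t d;
    device_init(&d);
    provision_secret(&d, key);

    printf("locked, unsigned image: %d\n", device_apply_update(&d, false, true));
    printf("warning after bridge cut: %d\n", device_boot(&d, false));
    printf("secret survives cut: %d\n", device_has_secret(&d));
    printf("dev mode, unsigned image: %d\n", device_apply_update(&d, false, true));
    return 0;
}
```

The interesting property is the ordering inside device_boot and device_apply_update: the wipe happens before the mode flag flips or the image is accepted, so there is no window in which unsigned code runs with the old secrets still present.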