> You think lack of thermal protection is a feature?
I read that as: vendor-controlled software sitting in hardware will be buggy and those bugs won't get fixed. Thermal protection implemented in user-controlled software can, over the long term, provide better safety because bugs can be fixed.
Then stick it in a user-flashable chip, but still ship it pre-flashed. The point it that failing to init something at runtime should never be a safety problem.
The point is that if you run a new OS on the hardware (say, OpenBSD...) and it doesn't set things up, that failure to configure the running system should not result in a safety problem. Now one obvious way to do this is to do it in hardware, but the point was made that then you have to hope that the hardcoded safety measures are bug-free. So, the obvious fix is to do it in firmware, and allow updating the firmware, but do ship with it pre-flashed in persistent memory. Thus, doing nothing is safe, if a bug is found you can fix it, and yes a user could flash unsafe firmware but they'd have to go out of their way to do so; the default is to be safe regardless of what the main system OS does.
A user has to go out of their way to flash an OS too, I'm not sure I buy the argument that open architecture is going to surprise people who also know how to flash an OS to a very new and unsupported device. No one is trivially flashing different OSes to pinephone and thus they'd need a good deal of domain knowledge to even achieve this goal.
Effectively that means no one is flashing an OS to the pinephone, getting it to work but somehow is ignorant to the fact that pinephone has a battery and that battery could present danger if handled improperly.
It seems like a safety measure that increases complexity which could potentially decrease safety just as likely as it is to increase safety.
Because reflashing the chip that stores the OS can't affect the battery. It's simple physical isolation. What if the entire chip with the OS physically fails? The code with the protection should still run.
When dealing with Lithium cells, the less software the better. If there's need to change dis/charging parameters from software, then that must be done behind a hardware protection with higher priority, so that the users still have control but cannot play outside safety limits.
Not implementing a hardware safety seems really a bad deign choice to me.
Every electronics project working with Li-Ion batteries in my opinion should use an overcharge/discharge protection circuit, it's basic safety.
I don't want software to be able to control whether or not my phone turns into a bomb
Edit: from this discussion https://news.ycombinator.com/item?id=24596248 it looks like it is using http://files.pine64.org/doc/datasheet/pine64/AXP803_Datashee... as a separate IC