[challenger-derp]

If they really really want to track people:

- Sir, you have to install this application, it's available on both iOS and the Google Play Store.

- Do you have a Debian package?

- Give me a moment to check our database of alternative OSes.. Why yes, yes, we do have this as a Debian package.

- ... Well... is the app truly compulsory?

- Yes Sir, indeed it is I'm afraid. Security, safety and all that.

- ...

[dane-pgp]

Even if the government went to the trouble of creating the Debian package, they wouldn't allow it to run on an OS that doesn't support a particularly restrictive "Secure Boot" setup, which would provide the mobile network with a remote attestation that you are running only "certified" packages and system services (including a minimal set of mandatory ones).

Naturally, this certification process would ban apps which could spoof the UI of any official apps, but the ban would have to go further and include any apps which users have built from source themselves. End-to-end encrypted messaging apps (without backdoors) would similarly be banned.

At that point, the fact that you have the source code for all of the software running on your surveillance device isn't much comfort. What good is a phone when you are unable to speak?

[goodpoint]

Are you implying that Debian does not support Secure Boot? Because it does.

[dane-pgp]

I did worry that my comment might incorrectly imply that, so I deliberately reworded it to say a particularly restrictive "Secure Boot" setup, but I guess that's still ambiguous.

You're right, Debian "supports" such a set of restrictions, in the sense that a manufacturer could build devices that would comply with these hypothetical laws while only using vanilla Debian packages, but my point was that such a device wouldn't really feel like Debian, since the moment you installed an unapproved application (or removed a mandatory application) half the functionality would stop working.

[goodpoint]

No. Debian supports Secure Boot, and that means anybody can add their own signing key and sign and boot their own kernel, packages and everything else.

As long as users can update the signing keys it's all good.

If not, it's tivoization, and it breaches GPL.

[dane-pgp]

> anybody can add their own signing key

That's assuming the hardware supports it. I'm imagining a (very likely) world where devices will either no longer support self-generated keys, or where using such keys makes your device unable to access the mobile network or the internet. (The latter sort of device might in theory be buildable, and run Debian just fine, but I don't think it would have enough buyers for a manufacturer to waste money on producing it).

> If not, it's tivoization, and it breaches GPL.

Contracts (and software licences) cannot override the law. If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so, and make all "Debian phones" either not feel like Debian, or not feel like phones.

[goodpoint]

> Contracts (and software licences) cannot override the law

I never said they could.

> If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so

Wrong. That would require abandoning copyright enforcement.

Tivoization breaches the GPL. When a license is in breach, integrators, developers and users have no right to use such software.

[hierandthere]

In this context: Does Mobian on PinePhone support Secure Boot?