[dane-pgp]

Even if the government went to the trouble of creating the Debian package, they wouldn't allow it to run on an OS that doesn't support a particularly restrictive "Secure Boot" setup, which would provide the mobile network with a remote attestation that you are running only "certified" packages and system services (including a minimal set of mandatory ones).

Naturally, this certification process would ban apps which could spoof the UI of any official apps, but the ban would have to go further and include any apps which users have built from source themselves. End-to-end encrypted messaging apps (without backdoors) would similarly be banned.

At that point, the fact that you have the source code for all of the software running on your surveillance device isn't much comfort. What good is a phone when you are unable to speak?

[goodpoint]

Are you implying that Debian does not support Secure Boot? Because it does.

[dane-pgp]

I did worry that my comment might incorrectly imply that, so I deliberately reworded it to say a particularly restrictive "Secure Boot" setup, but I guess that's still ambiguous.

You're right, Debian "supports" such a set of restrictions, in the sense that a manufacturer could build devices that would comply with these hypothetical laws while only using vanilla Debian packages, but my point was that such a device wouldn't really feel like Debian, since the moment you installed an unapproved application (or removed a mandatory application) half the functionality would stop working.

[goodpoint]

No. Debian supports Secure Boot, and that means anybody can add their own signing key and sign and boot their own kernel, packages and everything else.

As long as users can update the signing keys it's all good.

If not, it's tivoization, and it breaches GPL.

[dane-pgp]

> anybody can add their own signing key

That's assuming the hardware supports it. I'm imagining a (very likely) world where devices will either no longer support self-generated keys, or where using such keys makes your device unable to access the mobile network or the internet. (The latter sort of device might in theory be buildable, and run Debian just fine, but I don't think it would have enough buyers for a manufacturer to waste money on producing it).

> If not, it's tivoization, and it breaches GPL.

Contracts (and software licences) cannot override the law. If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so, and make all "Debian phones" either not feel like Debian, or not feel like phones.

[goodpoint]

> Contracts (and software licences) cannot override the law

I never said they could.

> If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so

Wrong. That would require abandoning copyright enforcement.

Tivoization breaches the GPL. When a license is in breach, integrators, developers and users have no right to use such software.

[dane-pgp]

> That would require abandoning copyright enforcement.

Who do you think writes copyright laws?

Obviously I'm not suggesting a government would just abandon the entire concept of copyright, but it could amend its copyright law to say that a copyright holder cannot claim (in court) that their proprietary rights were breached solely due to a defendant applying "security measures" to prevent software tampering.

That would be grossly unfair to people whose code is then used in ways that go against their wishes, but government policies don't have to be fair. (For the avoidance of doubt, I'm not accusing you of saying that they have to be fair, I'm just providing some obvious context to help make my position clearer to anyone reading this).

[hierandthere]

In this context: Does Mobian on PinePhone support Secure Boot?