[dane-pgp]

> anybody can add their own signing key

That's assuming the hardware supports it. I'm imagining a (very likely) world where devices will either no longer support self-generated keys, or where using such keys makes your device unable to access the mobile network or the internet. (The latter sort of device might in theory be buildable, and run Debian just fine, but I don't think it would have enough buyers for a manufacturer to waste money on producing it).

> If not, it's tivoization, and it breaches GPL.

Contracts (and software licences) cannot override the law. If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so, and make all "Debian phones" either not feel like Debian, or not feel like phones.

[goodpoint]

> Contracts (and software licences) cannot override the law

I never said they could.

> If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so

Wrong. That would require abandoning copyright enforcement.

Tivoization breaches the GPL. When a license is in breach, integrators, developers and users have no right to use such software.

[dane-pgp]

> That would require abandoning copyright enforcement.

Who do you think writes copyright laws?

Obviously I'm not suggesting a government would just abandon the entire concept of copyright, but it could amend its copyright law to say that a copyright holder cannot claim (in court) that their proprietary rights were breached solely due to a defendant applying "security measures" to prevent software tampering.

That would be grossly unfair to people whose code is then used in ways that go against their wishes, but government policies don't have to be fair. (For the avoidance of doubt, I'm not accusing you of saying that they have to be fair, I'm just providing some obvious context to help make my position clearer to anyone reading this).