[kwlug-disc] cell phone security and privacy

[Mikalai Birukou]

> Jason: Thanks for the NoPhone link. At some point I will upgrade to this.
> Immutable objects are a well known security technique, and the NoPhone is the
> ultimate expression of this.
>
> Mikalai: Installing Graphene via the Linux command line is a complex procedure.
> Suppose I want to hire somebody to do this for me, including the locking procedure
> (so the phone can't be tampered with while in transit to my house).
> That would not be allowed by the GPL 3.
> (In the language of the Graphene FAQ, an "immutable root of trust" is incompatible
> with the GPL 3.)
> ...
>
> I don't think the GPL 3 thing is FUD. You can buy preconfigured locked Graphene phones on the
> internet, this is a valuable service, and if Graphene used GPL 3 libraries then the library
> owners could sue for GPL 3 violation. From an FSF perspective this would be no different
> from Apple iOS using GPL 3 libraries. Graphene respects your freedom and Apple doesn't, but
> the language of the GPL 3 doesn't make allowance for Graphene. I think that writing a legal
> text for the GPL that accurately embodies the spirit of the GPL is a difficult and unsolved
> problem.
>
> ...
>
> Thanks for including the story of Daniel Micay and the Graphene project history.

Ah! Quote of a full paragraph from their Graphene own FAQ:

"""

In some cases, licensing is also an issue. GrapheneOS is permissively 
licensed and is usable for building devices with an immutable root of 
trust. GPLv3 is deliberately incompatible with these kinds of locked 
down devices, unlike GPLv2 code such as the Linux kernel. This means 
GrapheneOS can't include GPLv3 code without forbidding use cases we want 
to support. GPLv3 is no problem for our own usage, but we don't want to 
forbid using GrapheneOS as a replacement for the Android Open Source 
Project in locked down devices.

"""

Let's note "some cases". I think it is due to same same argument I 
expressed yesterday, that when party is conveying something to masses, 
usually commercially, GPL 3 clause kick in.

And looking at the history, one of ideas was that vendors sell devices 
with the os, i.e. do conveying.


I still think that in a narrative we through a baby with a bath water. I 
imagine the following.
Folks went to foundation for comments, those guys are suspicious of a 
modicum of power in hands of vendor, and tell that one can't do the 
locking. Then sad history happens at commercial company. Guys at 
foundation say "we told you so". We shrug the shoulders.


Better overall story is that you, the user, own something in digital 
networked space. Than you instantiate it on one device, another device. 
You lock it, do what ever, you are the boss of your own stuff.