@kyle You mean the overpriced smartphone that really isn't better off being made in the USA because of the NSA supply/shipping chain compromises?

@briana The point is to bring the supply chain closer to *our* oversight and we are in the US. I talk about some of your concerns in https://puri.sm/posts/protecting-the-digital-supply-chain/ and this is also why we offer anti-interdiction services for those w/ that threat: https://puri.sm/posts/anti-interdiction-services/

@kyle Even disregarding that, what about the fact that RYF certification actually makes the hardware less secure over time as you are not allowed to update isolated firmware?

@briana That argument has more relevance on Intel platforms w/ Meltdown and Spectre and CPU microcode. Beyond that the goal is to limit and remove any binary blob firmware, especially w/ security impact altogether and use FOSS alternatives.

My understanding on the phone is that there are fewer proprietary blobs remaining that would likely need a security update or impact the security of the device in a reasonable way.

@kyle @briana In fact these blobs are stored on replaceable modules, so I guess they actually are user-updatable in a way... ;)

@dos @kyle That would be highly wasteful. Throwing away modules just because you don't want to update the firmware for certification reasons?

@dos @kyle And that's not to mention that the modems are not cheap

@kyle I fail to see how the modem and redpine chips are not impactful on security? Yes, you could replace those modules in theory to update the firmware, but that would be highly wasteful. Throwing away perfectly good hardware just because you don't want to update the firmware for certification purposes?