That statement is hard to reconcile with the fact that the phone is allegedly compliant with, and is being submitted for, RYF certification¹, which it would never qualify for if the phone has binary blobs.
1. “And we are compliant with, and submitting for, the “Respects Your Freedom” certification from the Free Software Foundation.” — https://puri.sm/posts/librem-5-shipping-announcement/
For example, most CPUs are written in something like Verilog or VHDL, include internal RAM on the chip, and include a PROM with a little bit of code that handles start-up tasks.
From what I can see Librem 5 is a general purpose computer with 2 sealed black box modem modules.
Yes, there can be any level of proprietary evil inside those sealed boxes... and inside the disk drive controller of your PC.
The question then really is: can that proprietary evil control the functions of your computer?
With the disk drive controller, probably pretty hard; with Intel ME, probably pretty easy; with the Librem modems? My guess is probably pretty hard.
The modem can record audio or location and send it out on remote request when it's powered on. When the modem is used to access the internet, it can add JS code to HTML pages and execute code that way.
Touch controller can record touches that look like pin entry (it can observe touches, and make some guesses about frequently repeated touch patterns after powerup/wakeup) and replay them after some secret swipe gesture. If UI patterns are known, touch controller can probably tap information out to a web page somewhere and hit submit.
Just because there's no direct access to memory doesn't mean even these "sealed black boxes" can't affect/use software running on the main CPU via other channels.
Also, if the drivers are not written in a manner that considers the devices they control hostile, I would be surprised if the modem were not able to return specially crafted/unexpected messages over USB that would allow for arbitrary code execution in the kernel or in userland.
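As an added illustration of the driver-side discipline the comment above calls for (example code written for this thread, not Purism's or any real driver's code), a receive-path parser that treats the length field a peripheral sends as untrusted. The frame format is a hypothetical one assumed for the example, not a real modem protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame format, assumed for this example (not a real modem protocol): [type:1][len:2 big-endian][payload] */
#define MAX_PAYLOAD 64

struct modem_msg {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Parse one frame from the device. Returns bytes consumed, or 0 if malformed. The length field is
 * device-controlled, so it is checked against the destination capacity AND the bytes actually received. */
size_t parse_modem_frame(const uint8_t *buf, size_t buf_len, struct modem_msg *out)
{
    if (buf == NULL || out == NULL || buf_len < 3)
        return 0;
    uint16_t claimed = (uint16_t)(((uint16_t)buf[1] << 8) | buf[2]);
    if (claimed > MAX_PAYLOAD)         /* would overflow out->payload */
        return 0;
    if ((size_t)claimed > buf_len - 3) /* would read past the received data */
        return 0;
    out->type = buf[0];
    out->len = claimed;
    memcpy(out->payload, buf + 3, claimed);
    return 3 + (size_t)claimed;
}

/* Walk a receive buffer holding several frames; stop at the first malformed one rather than guess where the next starts. */
size_t parse_modem_stream(const uint8_t *buf, size_t buf_len)
{
    size_t accepted = 0, off = 0;
    struct modem_msg msg;
    while (off < buf_len) {
        size_t used = parse_modem_frame(buf + off, buf_len - off, &msg);
        if (used == 0)
            break;
        off += used;
        accepted++;
    }
    return accepted;
}

/* Constructed sample: two valid frames, then one claiming a 65535-byte payload with a single byte behind it. */
const uint8_t sample_stream[] = { 0x01, 0x00, 0x02, 'O', 'K',   0x02, 0x00, 0x01, 0x2A,
                                  0x03, 0xFF, 0xFF, 0x00 };
```

Running parse_modem_stream() over sample_stream accepts the first two frames and rejects the third, which is the behaviour a driver wants when the device on the other end may be lying.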
Though without an assurance I can get it to work on my carrier, I'm hesitant to drop Librem 5-level money on my first true Linux phone... meanwhile, the PinePhone sits comfortably in "buy as a second phone for now" territory, and I'm anxiously waiting to hit the buy button on that one.
If it can wash the naivety away from many people's (and customers') eyes when it comes to companies who loudly advertise themselves as different, open, transparent, a breath of fresh air and so on, that's good to take. They aren't any better, either internally or externally. You find the same tactics, the same opacity as soon as something derails, and the same characters in there (+ a couple of extra hotheads).
I still remember how appalled I was when the 2 main open-source software companies in my country spent years suing each other, while fighting like pigs in mud over any possible online platform. How conflicting with their professed PR bullshit that was.
I'm not doubting the things you said in the interview, which certainly make it sound like a difficult place to work, but it is easy to see that resentment colors your perspective. I might feel the same myself were I in your place.
Huge loss of credibility right there.
Me-as-CEO: We're shipping "only dozen or couple of hundred orders per month" and hemorrhaging money. We must prioritize.
CTO: Well you currently have no backups whatsoever.
Me-as-CEO: That certainly sounds like a priority. What do you propose?
CTO: Let's move away from one of the largest CDNs in the U.S. to accommodate a potential Tor userbase.
Me-as-CEO: Well, it's been great working with you.
People aren't going to use Tor to purchase a device from a store that collects PII; that defeats the purpose of using it. It's right there with using Tor to log into your Facebook account.
Seems like they've bitten off quite a chunk of really hard work that they can't finish by themselves, which this article confirms.
It would be nice if they opened up a little about issues they're having. All they're doing by hiding things is helping spread rumors. For example this one:
https://www.phoronix.com/forums/forum/phoronix/latest-phoron...
It doesn't help that the rumors seem plausible. From the disassembly video, it was clear that the SoC has no cooling whatsoever, outside of the thermal connection to the mainboard. Power management is always an issue with mobile devices, so that doesn't surprise me either.
Those are not just rumours. The CEO said they have to add heat pipes in the next iteration. He also said he had to charge the phone twice a day (and all or almost all of Lunduke's pictures are taken with a phone connected to the charger, which is not the easiest way to proceed usually, so we can guess it is pretty much needed).
Also, Purism is aware of the rumour about the theory that perhaps the phone can't really make calls (the 'In the wild' paragraph in https://puri.sm/posts/librem-5-aspen-batch-photo-and-video-u... leaves no doubt about that). And yet they still haven't shown anything demonstrating otherwise, which would be super easy to do. So they let the rumour amplify...