I did worry that my comment might incorrectly imply that, so I deliberately reworded it to say a particularly restrictive "Secure Boot" setup, but I guess that's still ambiguous.
You're right, Debian "supports" such a set of restrictions, in the sense that a manufacturer could build devices that would comply with these hypothetical laws while only using vanilla Debian packages, but my point was that such a device wouldn't really feel like Debian, since the moment you installed an unapproved application (or removed a mandatory application) half the functionality would stop working.
No. Debian supports Secure Boot, and that means anybody can add their own signing key and sign and boot their own kernel, packages and everything else.
As long as users can update the signing keys it's all good.
That's assuming the hardware supports it. I'm imagining a (very likely) world where devices will either no longer support self-generated keys, or where using such keys makes your device unable to access the mobile network or the internet. (The latter sort of device might in theory be buildable, and run Debian just fine, but I don't think it would have enough buyers for a manufacturer to waste money on producing it).
> If not, it's tivoization, and it breaches GPL.
Contracts (and software licences) cannot override the law. If a government wants to ban self-generated keys (and/or make anti-Tivoization clauses unenforceable), then it can easily do so, and make all "Debian phones" either not feel like Debian, or not feel like phones.
> That would require abandoning copyright enforcement.
Who do you think writes copyright laws?
Obviously I'm not suggesting a government would just abandon the entire concept of copyright, but it could amend its copyright law to say that a copyright holder cannot claim (in court) that their proprietary rights were breached solely due to a defendant applying "security measures" to prevent software tampering.
That would be grossly unfair to people whose code is then used in ways that go against their wishes, but government policies don't have to be fair. (For the avoidance of doubt, I'm not accusing you of saying that they have to be fair, I'm just providing some obvious context to help make my position clearer to anyone reading this).
You're right, Debian "supports" such a set of restrictions, in the sense that a manufacturer could build devices that would comply with these hypothetical laws while only using vanilla Debian packages, but my point was that such a device wouldn't really feel like Debian, since the moment you installed an unapproved application (or removed a mandatory application) half the functionality would stop working.