Hi,
thank you for raising these not totally unfounded concerns. But I can assure you that the chances are very low that anything like this could happen to the Librem5, and here is why.
First of all, please keep in mind that we are not using some kind of OEM design to base the Librem5 upon. The design of the Librem5 is 100% exclusively done for Purism, and we control and monitor every step in this design process. We review schematics, and our hardware engineers regularly request changes to match the very specific needs of Purism and our goals of privacy and security.
Second, before and during the design process we create the hardware requirements that go into the product and hardware design. Every component, every part and every chip is 100% known to us, and if we figure that some choices would endanger our goals, we will change them to match our goals again. It is almost impossible for the Chinese contractors to slip anything into the design without us knowing (more on this below).
Third, we are very closely monitoring the production process, from golden samples of PCBs to prototypes and first products. We do not only do this remotely by analyzing the final products handed to us: we have a contracted supply chain manager located in China regularly doing supplier audits, and members of our engineering team are also personally present in China at all critical moments - including myself.
Fourth, we control the supply chain, including all parts going into the device. Critical components will be sourced from trustworthy partners and supplied to the factory by us.
Finally, before we ship the products, we will very thoroughly inspect randomly picked samples from the production to make sure that absolutely nothing was changed - this inspection will include X-rays at a partner company in California.
But this does not mean there is no risk at all. With a lot of criminal energy it might still be possible to slip counterfeit parts into our design which could be hard to detect. But this is, let’s be reasonable here, very unlikely. For this, e.g., a counterfeit and weakened i.MX8 CPU would need to exist, made somewhere, which is not impossible but highly unlikely. And if there were such a thing, you would not even be able to easily avoid or detect it when making the device anywhere else in the world. Another critical component is the cellular baseband modem, which might be concerning, and for that we will use a modem Made in Germany, put on a modem PCB in the USA, which will be built into the devices in the USA during final assembly.
So the bottom line, I think, is that we do everything we possibly can to make sure that malicious parts or design changes cannot be made without us recognizing them, and we think that the risk is as low as we can possibly make it, almost regardless of design/fabrication location.
Cheers
nicole