Fuchsia is designed to update. However it's also a work in progress. This section highlights some of the work that is ongoing or hasn’t started yet that will promote Fuchsia’s ability to change and update.
While Fuchsia ABIs are largely defined in FIDL, there are still some legacy ABIs that are defined in other terms that don’t have the same affordances for updatability.
zx_object_get_info
is defined in FIDL, but its output type (the buffer
parameter) is a byte buffer that’s opaque to the FIDL definition and is formatted in terms of a zx_info_*_t
C struct.The Fuchsia IDK and SDKs built on top of it can be used to develop Fuchsia components without checking out Fuchsia’s source code or using Fuchsia’s own build system. However there remain developer use cases that are not yet possible out-of-tree.
The new Component Framework (aka CFv2) has full control over the sandbox of component instances, and expresses sandboxes in terms of capabilities that decouple contracts from implementation details.
The legacy Component Framework (appmgr
) supported sandbox features that allowed access to certain global namespaces and would expose components to platform implementation details that had no affordances for updatability such as versioning or transition support. The new Component Framework either enforces isolation or forbids access to these namespaces entirely. For instance the hub becomes hierarchically contained, only offering information about the component’s realm and its children but never of its parent, since a global hub is a form of ambient authority.
The components v2 migration is an ongoing multi-year effort. Currently the team is focused on migrating system components.
The fullness of the platform surface should be strictly defined, and expressed in terms such as FIDL that afford for updatability via such mechanisms as versioning and support for transitions. Currently there exist some aspects of the platform surface that don’t meet these requirements.
appmgr
sandbox feature, which offered this information to components using raw file access that did not afford for updatability. This is now deprecated, new usage is discouraged, but there are still a few allowlisted legacy usages remaining.fuchsia-pkg://
launch URLs. These URLs don’t have updatability affordances. Instead out-of-tree components find themselves exposed to platform implementation details such as the names of specific packages containing specific components that implement certain platform capabilities. These tests often break between Fuchsia platform and SDK revisions, even though no API or ABI breaking change is registered in the SDK or platform surface. Beyond deprecating existing usages, we should take steps to prevent these issues from reoccurring.ffx
plugins, nor does it have a schema. Therefore moving forward we should not support SL4F for system automation by out-of-tree tests, and introduce an alternative solution.Fuchsia supports multiple diagnostics tools for understanding the system’s internal state and for troubleshooting problems. Internal diagnostics exposes implementation details by its nature, surfacing such information as process names and hierarchies.
This information is useful for instance when troubleshooting a defective system or when collecting a snapshot such as after a crash. In such instances, internal implementation details are of interest. However, diagnostics don’t make for good public contracts.
fuchsia.diagnostics.ArchiveAccessor
capability, as specified by a selector. The selector consists of a component moniker, a diagnostics hierarchy path selector, and a property selector. Monikers may expose platform implementation details such as the topology and names of platform components. Hierarchy and property selectors may also be considered implementation details, and in addition don’t have updatability mechanisms. These are known instances of out-of-tree components in Fuchsia-based products that use diagnostics selectors to read system diagnostics information at runtime. These components are exposed to platform implementation details and often break when these details change. Clients of Fuchsia diagnostics that are outside of the platform itself should be ported to using strictly-defined FIDL protocols to read precisely the information that they need, and the open-ended ArchiveAccessor
capability should be restricted for further use by out-of-tree components.mem
collect and expose performance information in such terms as the names of processes and their interrelationships. This information is useful to investigate the performance of some systems, but it reflects private implementation details, not public contracts.Several SDK tools are offered to Fuchsia developers, most importantly ffx
and its many commands. The new ffx
tool interacts between the host and a Fuchsia target in terms defined in FIDL, which affords for updatability. However some legacy tools are still offered to out-of-tree developers that don’t have the same updatability affordances.
fssh
tool and provides the host with a developer experience similar to a remote root shell on a target Fuchsia device. The client may circumvent the intended platform surface such as by directly observing, starting, and killing system processes.ffx
commands. This exposes developers to platform implementation details that can’t easily change such as the names of packages and components, and expresses inputs and outputs as human-readable text rather than typed and structured data.ffx
commands, for instance ffx component
, expose internal implementation details such as component monikers and topologies. These are meant for diagnostics and troubleshooting, not as an API.API and ABI compatibility can be checked using continuous integration with static analysis tools and build systems. In addition, the Fuchsia Compatibility Test Suite (CTS) can test different supported combinations of platform and SDK versions. These tests can extend the notion of compatibility from APIs and ABIs to also ensure that expected behaviors that are important are preserved.
The CTS project is new and coverage is fairly low. CTS is a form of defense in depth, so increasing coverage helps ensure that compatibility is as intended, even if CTS coverage never reaches 100% of the platform surface.