If something isn’t growing, it’s dying. With the slew of neglected devices not receiving Android Oreo, it could be argued that the update system is one of Android’s fatal flaws. Fuchsia is trying to be different. This week in Fuchsia Friday we look at Fuchsia’s ambitious update system.
One of the newest additions to Fuchsia is Amber, an update system “with the ambition of updating all components running on a Fuchsia system”, from basic things like apps all the way down to the Zircon kernel and the bootloader. At the time of writing, it only has the ability to update packages (packages contain apps).
Currently powering Amber is an open source update security system called The Update Framework. Almost 10 years in development, The Update Framework (or TUF) is designed to secure multiple layers of the software update process, and an implementation of it is currently in use at Docker as ‘Notary’.
Please note that Amber is still in a very early stage, and the Fuchsia team has not yet completely settled on using TUF. Thus, more so than usual, aspects of this article are very likely to change by release.
The Update Framework is an incredibly detailed system, but the gist of it is this: When a new update is created, all the information about it is signed with a private key. This information is then stored in one or more online repositories. When you look for an update, multiple repositories are searched and compared, not only to ensure you get the latest version but also to ensure that none of the repositories have been compromised.
Once you’ve downloaded the update, but before it’s installed, another check is run to make sure the file you downloaded is the same one you were promised. If, for any reason, it doesn’t match up, a different download source is used. This repeats until a matching download is found. This process should guarantee that no malware will be installed disguised as an update.
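To make the two checks described above concrete, here is a Go sketch added for illustration; it is not code from Amber, TUF, or Notary. It assumes a single Ed25519 signing key and a simplified metadata record holding only a length and a SHA-256 hash, and it leaves out TUF's roles, thresholds, and expiry; all function and type names are hypothetical.

```go
// Added illustration, not Amber's or TUF's code; names and metadata layout are assumptions.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Target is what the publisher promises about one update file.
type Target struct{ Length int; SHA256 []byte }

var pub, priv, _ = ed25519.GenerateKey(nil) // demo key pair

// Sign plays the publisher: describe the payload, then sign the description.
func Sign(payload []byte) (raw, sig []byte) {
	sum := sha256.Sum256(payload)
	raw, _ = json.Marshal(Target{len(payload), sum[:]})
	return raw, ed25519.Sign(priv, raw)
}

// Verify checks the signature before trusting anything in the metadata.
func Verify(raw, sig []byte) (t Target, err error) {
	if !ed25519.Verify(pub, raw, sig) {
		return t, fmt.Errorf("metadata signature invalid")
	}
	err = json.Unmarshal(raw, &t)
	return t, err
}

// Fetch returns the first source whose bytes match the signed length and hash.
func Fetch(t Target, sources [][]byte) ([]byte, int, error) {
	for i, data := range sources {
		sum := sha256.Sum256(data)
		if len(data) == t.Length && bytes.Equal(sum[:], t.SHA256) {
			return data, i, nil
		}
	}
	return nil, -1, fmt.Errorf("no source served the promised file")
}

func main() {
	good := []byte("contacts-module build 42") // constructed payload
	t, _ := Verify(Sign(good))
	_, i, err := Fetch(t, [][]byte{[]byte("contacts-module + implant"), good})
	fmt.Println("accepted source:", i, "error:", err)
}
```

The first source serves altered bytes and is skipped; the second matches the signed length and hash, so it is the one accepted.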
At the moment, there are no online repositories set up for Fuchsia updates. Amber is currently designed to help Google’s own app developers more quickly test changes. To this end, Amber includes tools to create and manage a local update repository.
Every system that uses The Update Framework will do so differently. Fuchsia’s implementation with Amber doesn’t work exactly like Docker’s Notary. The most significant change is that when looking for updates, Amber looks at two different version numbers.
One is what it calls the “human version” (something like ‘0.5’, ‘1.0-beta’, or ‘3.4.7’), which is important for compatibility. If something major changes in an update, the “human” version number should increase. Otherwise, with simple updates like bug fixes, Amber will generate and assign the update a unique, internal version number.
The goal of this version system is compatibility. Because Fuchsia is designed to be modular, apps are built from smaller pieces (called modules). Each app needs to rely on some modules to give the same results tomorrow as they do today. One small change to a module could completely stop an app from working.
For example, let’s say there’s a “Contacts” module that returns phone numbers like “5551234567” today. What if an update changes that to “(555) 123-4567” down the line? Apps relying on “Contacts” might show visual issues or break entirely. Having two separate version numbers should help compatibility across upgrades.
This is only a best guess though, as there is not much of a version management system in place yet. It’s hard to be certain how Amber will work down the line, and we’ll certainly need to revisit it in time. I’m interested to see how well it handles driver updates and updates to the Zircon kernel. Tell us what you think in the comments.
If you have any questions about how Fuchsia will work, reach out in the comments or on Twitter. You may find your answers in a future article!
Fuchsia Friday is a new series where we dive into the Fuchsia source code and interpret what the current state of the OS might mean for the finished product. All information in this article is speculation based on available information and is subject to change.