Secure: fuchsias kernel is a “practically sized kernel” - many call it a microkernel but it doesn’t take that too far. The kernel retains control over memory allocation, facilitates and enforces IPC and maintains an enumerable set of processes and threads. The kernel does not implement any high level drivers, it contains very few parsers. It has a consistent set of interfaces to userspace that are relatively few. The component system design carves out the “root resource” very early in the boot process and moving pieces down to dedicated delegates with limited access scopes and limited responsibilities. The component system is loosely coupled to, but leans on the package system which along with the content addressed filesystem ensures that code which is executed is _exactly_ what was originally built and specified - if that is violated it does not run. The verified boot path combines these features providing an end to end cryptographic path from signed bootloader images to the fully booted operating system. Builds done by the team apply many modern security practices, with hardened toolchain features, about half the code (as of a few years ago, probably more now) in rust, most of the other half in professionally reviewed c++. Some of the early third party researchers who attacked the system found that while they could identify some bugs (that we fixed promptly), lateral movement through the system was extremely difficult.
Updatable: as mentioned above the package system maintains a content-hard guarantee. It reduces cost of isolation and versioning using artifact sharing (as a result of content addressing) between versions where unchanged. Isolation properties of the design completely eradicate DLL hell. IPC interfaces in the core system provide stable APIs and are designed and reviewed with care to manage the evolution story and enable component interchange due to no invasive unmanaged coupling between components. Many components have been replaced with v2+ over the years with little to no fuss. The preferred deployment design follows an a/b update strategy making updates extremely safe.
Performant: most components in the system are medium sized in terms of responsibility as compared to common alternatives or common extremes. This optimizes for low latency for related task data locality and computation while maintaining a lot of separation between major components. While IPC has a latency cost, a lot of user facing performance amortizes well due to the implicit multiprocessing thah can result. All core components are written in fast systems languages. There’s always more to do on performance with a nascent system, but the architecture is setup in a generally good place for modern computing topologies and some of the implementations are decently strong for their age.
Simple: as it is a whole operating system and it has its own flavors of things, there may seem like a lot to learn which sounds complex, but many of the independent components and/or layers have simple interface boundaries with often fairly clear constraints and boundaries, which simplifies many aspects of understanding as a whole. Similarly the appropriately medium sizing of the kernel, of components, of interfaces with a generally “good taste” of sizing manages the numeracy complexity to a good level also. It’s quite easy to build associative memory for the system architecture and the components. Years on from when I worked on it I still have good recall for a ton of the system - hell I have a better memory for parts of fuchsia than the code bases I work on every day since I left.
