by azalemeth 1485 days ago
Fuchsia still makes me deeply nervous inside. I get that linux has plenty of problems, but it really feels like Google have started to write an OS for the purposes of (a) having better remote control over the software that users run, and (b) being able to be free of the GPL. Security is the panacea that lets this happen, but I'm really not sure that it will inherently be better: iOS has effectively this model and it hasn't stopped a large number of nation-state actors effectively abusing it for hiding rootkits on victims' phones. The trade-off for this is flexibility: the only reason I use an Android phone is because I can, with the right 3rd party OS, actually have a linux-based pocket computer that trusts me rather than its vendor.
3 comments

People say this about a lot of security things. Ultimately, a lot of security is about constraining systems, and that makes people nervous. When I got my first Android phone I could root it pretty trivially and run a fully customized ROM, these days it's not really practical on many devices.

And for the same exact reason that I have less control over my phone, I also trust it radically more for my current threat model.

iOS is maybe a counter-example. It relies a lot more on the walled garden, which helps a ton with malware, but not as much with "legit app got owned".

It's worth noting that you explicitly believe Android to be "free-er", even though I would say the average Android device is safer. The two things aren't always at odds, and with Android it's also very device specific.

Another good example is HSMs and TPMs. Many people fear that these devices are inherently untrustworthy, but they also drive a lot of important modern OS security.

My position here is that Linux is something of a disaster with regards to security and it truly cannot get better for a number of pretty fundamental reasons. If I had Google money I'd absolutely be investing in ways of removing Linux from my security boundaries - something they've already done to some extent with gVisor.

>When I got my first Android phone I could root it pretty trivially and run a fully customized ROM, these days it's not really practical on many devices.

Some of the easiest phones to do this to today, namely the Pixel phones, are also some of the most secure stock Android phones on the market. Freedom and security are not mutually exclusive.

> > When I got my first Android phone I could root it pretty trivially and run a fully customized ROM, these days it's not really practical on many devices.

> Some of the easiest phones to do this to today, namely the Pixel phones, are also some of the most secure stock Android phones on the market. Freedom and security are not mutually exclusive.

What's so safe about it once you unlock the bootloader and install a custom ROM / rootkit (since by disabling boot verification you don't actually know that what you're booting is the custom ROM you intended to boot or something else)?

What do TPMs do that's actually important?

> People say this about a lot of security things

Unfortunately those people are often correct.

Please I beg you - don't let HN become another online discussion site. Aim for quality, give examples, don't just rely on vague comments that are meant to provoke emotion and nothing else.

After that first ~dozen words I gave an example, a counter example, and discussed why this is a somewhat fundamental issue.

> "(b) being able to be free of the GPL"

Wouldn't the easier path have been just for Google to contribute (or fork) Free/Open/NetBSD?

Seems like BSD/Linux seems fundamentally not compatible with what they want to achieve technologically. It is not a license issue.

Google won’t be producing ad campaigns against GPL, no. Yet the licensing model of the Linux kernel & the kernel developer policy towards drivers & driver interfaces effectively renders Android hostage. This complicates Android’s architecture greatly, which is why they’ve spent exorbitant sums of time trying to ameliorate the damage.

Anyways, if you’re going to build an alternative or fork another stack, you might as well hit two birds with one stone. Fuchsia’s relatively distinct capability-based, quasi-microkernel (it is not in fact a microkernel on a strict read) architecture is a chance to cleave off technical debt and start anew on security, and its relative modularity dovetails into the whole driver, kernel interface issue.

Android already isolates drivers from the Linux kernel via binder IPC and HAL. Fuchsia is basically designed to operate in a similar way.