Good:
- Clients are thin: obviously great as we aim to decouple the platform from specific languages, and support many languages. Inclusion and all that. "Protocols, not libraries" is a good tenet to practice, though client libs are ok when they're very thin.
- No specialized platform features for testing: once again I love how the same concepts of capability routing, realms, etc are used to enable testing without specialized "testonly" framework features. The framework intermediary component is implemented entirely in terms of the Launcher and Environment capabilities, which are "free" in that we hand them around willy-nilly with no concern. Launcher and Environment are hierarchically contained (the mess you might make is isolated to your realm) and don't offer any escalation paths.
- Abstractions: we're hiding the implementation details well behind client libs and shards. Props.
Needs work:
- Monikers in the ABI: in order to use realmbuilder you need to spawn the framework intermediary as a child component of the test, which will manage a child collection for you. You spawn it by launching a component via a URL. This is problematic for SDK users in several ways. The framework intermediary component doesn't currently exist in SDK images (I believe), and even if it did, promoting the launch URL fuchsia-pkg://fuchsia.com/fuchsia-component-test#meta/framework-intermediary.cm into a hard contract is not great for reasons we've discussed before.
- Limiting usage: there's very little in the way of people using realmbuilder outside of tests. I guess we can't really stop that, seeing as this is all achievable using table-stakes fuchsia.sys.* capabilities, but it's still concerning to be making something with appmgr/sysmgr-like qualities so readily available. Perhaps if the framework intermediary became a feature of being managed by test_manager we'd have more safety in knowing that this won't come back to haunt us?
I have some ideas for solutions, but I wanted to hear people's take on the problem first.
--
All posts must follow the Fuchsia Code of Conduct https://fuchsia.dev/fuchsia-src/CODE_OF_CONDUCT or may be removed.
---
You received this message because you are subscribed to the Google Groups "component-framework-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to component-framewo...@fuchsia.dev.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAK0PkCEt95sNa-1cPQGujYtbh4pSYsdQ5G9RSsqUKM5179ZOdg%40mail.gmail.com.
Hi folks,Please stop me if this is something that we're already planning on addressing in the upcoming RealmBuilder RFC.With the current and upcoming work to extend RealmBuilder to offer more (thin) client libs across more languages, as well as the desire to do so via the Fuchsia SDK, I went looking at realm_builder.fidl and fuchsia_component_test.shard.cml to learn how stuff works. There's lots to like, and some matters of some concern for OOT.Good:
- Clients are thin: obviously great as we aim to decouple the platform from specific languages, and support many languages. Inclusion and all that. "Protocols, not libraries" is a good tenet to practice, though client libs are ok when they're very thin.
- No specialized platform features for testing: once again I love how the same concepts of capability routing, realms, etc are used to enable testing without specialized "testonly" framework features. The framework intermediary component is implemented entirely in terms of the Launcher and Environment capabilities, which are "free" in that we hand them around willy-nilly with no concern. Launcher and Environment are hierarchically contained (the mess you might make is isolated to your realm) and don't offer any escalation paths.
- Abstractions: we're hiding the implementation details well behind client libs and shards. Props.
Needs work:
- Monikers in the ABI: in order to use realmbuilder you need to spawn the framework intermediary as a child component of the test, which will manage a child collection for you. You spawn it by launching a component via a URL. This is problematic for SDK users in several ways. The framework intermediary component doesn't currently exist in SDK images (I believe), and even if it did, promoting the launch URL fuchsia-pkg://fuchsia.com/fuchsia-component-test#meta/framework-intermediary.cm into a hard contract is not great for reasons we've discussed before.
- Limiting usage: there's very little in the way of people using realmbuilder outside of tests. I guess we can't really stop that, seeing as this is all achievable using table-stakes fuchsia.sys.* capabilities, but it's still concerning to be making something with appmgr/sysmgr-like qualities so readily available. Perhaps if the framework intermediary became a feature of being managed by test_manager we'd have more safety in knowing that this won't come back to haunt us?
I have some ideas for solutions, but I wanted to hear people's take on the problem first.
--
I'm hearing three ways for OOT developers to use the framework intermediary:
- Similar to how this works today in-tree. Users will need to know not only the launch URL for the intermediary, it's also suggested that they'd need version pinning. Not a fan since we don't have evolution mechanisms for moniker-based identifiers. We haven't (formally!) introduced monikers into the FSI, and I don't think we should start.
- Distribute a prebuilt framework intermediary component via the SDK, and let developers include it in their test packages. The mechanics for how this would work are TBD. The same mechanics would likely be useful to solve other known OOT development needs, such as using isolated devmgr or fake Scenic in tests, or having OOT test runners. Hermetic packaging is cool.
- Make the framework intermediary part of the testing platform, a component managed by test_manager or just fold the functionality into test_manager code, then offer the FrameworkIntermediary capability to test components. Exposing RealmBuilder as a FIDL protocol would work, and FIDL offers a full toolkit for managing evolution.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAK0PkCHJr9VjR_A7M7OOVepmD4oYfy%3DdLZ5FWfBjmnW4TzqHvg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAK0PkCHJr9VjR_A7M7OOVepmD4oYfy%3DdLZ5FWfBjmnW4TzqHvg%40mail.gmail.com.
Great, I also prefer what's behind door #2.I've read Bryan's RFC that Hunter linked to back when it was published. I'm not seeing the connection. What's the security issue introduced by packaging test support components like the intermediary or a fake Scenic in your test package?
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAK0PkCGq6YbtzNAAsx%3DYjoTOXiZ%3DLp0cavPOVwPzy_r_fPvYjw%40mail.gmail.com.
Does Option #2 limit us from updating the prebuilt components with non-API breaking changes independently of the parent package, like for security updates?
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAMmMHD4i%2B5_xuLdHPNdZNNeRVOtSoz-X-_rTMa_PMaZJ6%3D7uvg%40mail.gmail.com.
FWIW, I think it's worth differentiating robustness from security here. Co-packaging may increase the number of things a test or platform component may do, but given the context it's likely not a security issue. It's just a hazard for robustness as the test author may accidentally do something we wouldn't like for them to do, but I'm not sure there needs to be a technical solution to that problem.
On Tue, Aug 31, 2021 at 10:22 AM 'Yegor Pomortsev' via component-framework-dev <component-f...@fuchsia.dev> wrote:Does Option #2 limit us from updating the prebuilt components with non-API breaking changes independently of the parent package, like for security updates?That feels like it would defeat the purpose. Letting the test author maintain control of the specific version being used seems core to option #2. It's akin to pinning the version of the shared library the test is using, which is something we allow.
(I'm a big fan of option #2 if it wasn't clear 🙂)
On Tue, Aug 31, 2021 at 1:38 PM Suraj Malhotra <surajm...@google.com> wrote:FWIW, I think it's worth differentiating robustness from security here. Co-packaging may increase the number of things a test or platform component may do, but given the context it's likely not a security issue. It's just a hazard for robustness as the test author may accidentally do something we wouldn't like for them to do, but I'm not sure there needs to be a technical solution to that problem.Agreed that there's no blinking-marquee saying "THIS IS A VULNERABILITY THAT NEEDS FIXING", but robustness issues can also grow up to become security issues if you're unlucky.On Tue, Aug 31, 2021 at 10:22 AM 'Yegor Pomortsev' via component-framework-dev <component-f...@fuchsia.dev> wrote:Does Option #2 limit us from updating the prebuilt components with non-API breaking changes independently of the parent package, like for security updates?That feels like it would defeat the purpose. Letting the test author maintain control of the specific version being used seems core to option #2. It's akin to pinning the version of the shared library the test is using, which is something we allow.+1(I'm a big fan of option #2 if it wasn't clear 🙂)100% agreed that #2 is the correct direction. But I don't want to say, "go with option #2 and we're done here." It's worth considering how we can make that option more robust.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAMkOBfuuWnjp542OW46uCoTtghHPB2HjyDTTs9evJWe82Ogvug%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAP%3D28cf1YB8rhLGG1N41xnst-KWW-vy0hCmBv8eXDqX3WJsm5A%40mail.gmail.com.
Agree with the consensus around Option #2. Do we think this is something that should gate the launch, or would it be alright for the initial customers to consume it through an absolute URL if that helps us release earlier?
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/component-framework-dev/CAK1yh2kuwzrXNOw8o4EhS7fkS-fTte-69t5c5LFGd8zuFDjOhg%40mail.gmail.com.
Agree with the consensus around Option #2. Do we think this is something that should gate the launch, or would it be alright for the initial customers to consume it through an absolute URL if that helps us release earlier?I'm not clear what the challenge is in limiting usage of RealmBuilder to tests. What's stopping us from marking the realmbuilder FIDLs testonly?