> For system-level folks, Rust is one of the most exciting security developments of the past few decades. It elegantly solves problems which smart people were saying could not be solved. Fuchsia has a lot of code, and we made sure that much of it (millions of LoC) was in Rust.

> Our kernel, Zircon, is not in Rust. Not yet anyway. But it is in a nice, lean subset of C++ which I consider a vast improvement over C.

A few thoughts on this.

1. Why is it that Chrome hasn't had more Rust adoption? It's so obvious - Chrome constantly has to make the tradeoff of security vs performance with regards to things like parsing in sandboxed code. There's so much potential - Firefox started with the obvious place, encoding and decoding, which are too dangerous for C/C++ but too performance sensitive for OOP.

Feels like it's gotta be organizational, and somehow Fuchsia has managed to break off from the part of Google that's still clutching to C++.

2. I'd be interested in hearing more about the design of Fuchsia. Rust in userland is cool, or kernel modules too, but a memory unsafe kernel is an unfortunate thing. Even just the teaser of "not yet at least" is changing my view on the OS (I find the idea of another memory unsafe kernel/userland more depressing than exciting, even if there are neat things like capabilities).

3. Also curious to hear about their experience with a strict subset of C++. Again, looking at Chrome, we now see common ITW exploits - and Chrome is perhaps the single most fuzzed piece of software in the world, and leverages many modern C++ techniques (or the Google equivalent of them).

As for the rest, verified execution seems interesting - is this like what iOS does, where it's basically impossible to RWX (except with an escape hatch for JITs, but behind a permission boundary)?

TBH if Google pivots Fuchsia to do something interesting like bottom-up memory safety with novel isolation mechanisms, I'll bite. Until then, I'll wallow in this awful pit we continue to dig ourselves into.

> Why is it that Chrome hasn't had more Rust adoption?

Most likely because Chrome started in C++ (WebKit) and so there are millions of lines of existing C++. Fuchsia, being new, didn't have that legacy.

Note: they're looking into it

https://www.chromium.org/Home/chromium-security/memory-safet...

Fuchsia's kernel (Zircon) is based on LK [0] [1] ("Little Kernel"); it's not a from-scratch thing. Would be interesting to know when LK started; the first commit [2] in the git repo is a big code drop, so it doesn't tell the story.

[0] https://fuchsia.dev/fuchsia-src/concepts/kernel/zx_and_lk

[1] https://github.com/littlekernel/lk

[2] https://github.com/littlekernel/lk/commit/1d0df6996457273367...