Date: 2007-08-06 00:37:00
the difference between free and Free
As the author of several Yahoo! widgets, I got an email from Yahoo regarding a potential security vulnerability in one of my widgets (the Earthquakes widget). The security vulnerability involves interpreting potentially untrustworthy information retrieved from the web as executable Javascript code using the equivalent of eval. Full details are available on the Konfabulator forum, if you're curious.

More interesting than the vulnerability itself is the way Yahoo has handled it so far. They used an automated program to analyse the source code for each widget in their gallery, and identified those that may have this vulnerability. After identifying those widgets, they temporarily removed their listing from the public widget gallery pending an update. Then they sent out an email to the widget authors.

The email described three ways for authors to address this problem. Two involved minor code changes; one was a proper fix using a new method of doing the same thing, and the other was a hack that worked around the specific problem. The third method was for the author to convince Yahoo that their automated tool had a false positive and the problem did not exist in that particular widget. If a widget author failed to take one of these actions by 16 August, then the widget in question would be disabled from running on other people's computers on that date.

This is a fairly strong response from Yahoo regarding this problem. Indeed, this is potentially a serious problem - such a widget that runs arbitrary Javascript code derived from information on an external web site has the potential to do a great deal of damage if the external web site sends specific malicious instructions. Yahoo doesn't want their widget engine implicated in any kind of large-scale exploit, so they have taken this aggressive position.
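As an added illustration (not code from the Earthquakes widget or from Yahoo's email), here is the pattern described above in plain JavaScript: a feed parser that hands the response body to eval, next to a hardened one that treats the body as data only and validates its shape before use. The feed strings, the field names and the function names are constructed assumptions, and JSON.parse stands in for whatever data-only parsing method the engine offers.

```javascript
// Constructed sample responses (not from the page). A well-formed feed is a JSON array of quakes.
const GOOD_FEED = '[{"mag": 5.1, "place": "Example Region"}]';
// A tampered response: valid JavaScript, not valid JSON. Evaluating it runs code as a side effect.
const TAMPERED_FEED = '(globalThis.feedSideEffect = true, [{"mag": 0, "place": "x"}])';

// Vulnerable pattern from the post: the response body is executed as code.
function parseFeedUnsafe(body) {
  return eval(body);
}

// Hardened form: parse as data only, then check that it has the expected shape.
function parseFeedSafe(body) {
  let data;
  try {
    data = JSON.parse(body);            // rejects anything that is not a JSON literal
  } catch (e) {
    throw new Error("feed is not valid JSON");
  }
  if (!Array.isArray(data)) throw new Error("feed must be a JSON array");
  return data.map((q, i) => {
    if (typeof q !== "object" || q === null) throw new Error(`entry ${i} is not an object`);
    if (typeof q.mag !== "number" || !Number.isFinite(q.mag)) throw new Error(`entry ${i}: bad mag`);
    if (typeof q.place !== "string") throw new Error(`entry ${i}: bad place`);
    return { mag: q.mag, place: q.place }; // copy only the fields the widget uses
  });
}

// Runs both parsers over the tampered feed and reports what happened.
function demo() {
  const unsafeResult = parseFeedUnsafe(TAMPERED_FEED);
  const sideEffectRan = globalThis.feedSideEffect === true;   // true: eval executed the tampered body
  let safeRejected = false;
  try { parseFeedSafe(TAMPERED_FEED); } catch (e) { safeRejected = true; }
  return { unsafeResult, sideEffectRan, safeRejected, safe: parseFeedSafe(GOOD_FEED) };
}
```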

The real point of all this is that Yahoo has the ability to exert control over which specific widgets you may and may not run using the Yahoo Widget Engine. This may have been something that all users "agree" to using the standard clickthrough license agreement, but I don't remember what it said and I'm sure nobody else has read it either. This type of control is technically feasible in many situations—Microsoft could theoretically prevent specific malicious programs from running on Windows—but Yahoo has shown that they aren't afraid to wield this control when the situation arises.

While the Yahoo Widget Engine is free (gratis), it is not Free (libre). The widget engine runs on your computer and appears to follow your instructions, but Yahoo ultimately retains control over its operation. They may prevent specific widgets from running, or may prevent the widget engine from running at all, depending on their whim. A truly libre widget engine would do exactly what you told it to do without taking instructions from any other person or entity. And it would come with source code, so you could verify this for yourself and even modify it if you wanted.

Although I believe in libre software, I will likely continue to develop widgets for the Yahoo widget engine. It's very easy to do and is a great way to build good-looking cross-platform simple GUI apps. There's no fundamental difference between the control Yahoo exercises over their Widget Engine and the control Microsoft exercises over Windows. I am, however, left wondering just how much effort would be involved in building a libre Yahoo-compatible widget engine. Would it be worth it?
I think it's a tricky question because most users see the widgets as a Yahoo service as much as a the-author-of-the-widget service. If a widget is nasty, Yahoo will be held responsible for it, no matter what disclaimers they put in their EULA. That being the case, I think it's appropriate for Yahoo to take some amount of responsibility for the security of the widgets. I don't know how far that goes.

A possibly related question: suppose Sunsite (or whatever its modern equivalent is - you know, any major software archive and download site) discovers that one of the programs it distributes is horribly insecure. What are the bounds of Sunsite's responsibility? Should it stop providing that package for download? Should it contact the author and say "we won't allow your package to be downloaded until you fix it"? Does blocking the nasty software constitute an infringement of some kind against the user's right to have that software if they choose to? Or does FAILING to block it constitute an infringement of the user's right to have Sunsite not knowingly hand them nasty software?

That's not exactly the same situation because presumably, if you download a horribly insecure package from Sunsite, you can keep using it even if they stop letting others download it. But it seems like there can be degrees of that, between "the software is a service entirely provided by us on our Web site" and "the software lives entirely on your computer and we have no further relationship with your use of it, once you've downloaded it." It sounds like Yahoo widgets are somewhere in that middle ground.
I am, however, left wondering just how much effort would be involved in building a libre Yahoo-compatible widget engine.

This sounds somewhat similar to issues regarding OSes... you'd like it so that buggy software can't crash the OS, or other running processes. Obviously, getting that right takes a lot of work.

Granted, this is different, and isn't something that OSes currently protect against, but the usage is also different. You really hope that a widget isn't going to turn your machine into a bot.

I think it's actually a great thing that Yahoo is doing this, even if it is motivated by financial/legal concerns. There's a lot to be said for automated code inspection to pick stuff like this up, and I hope we see more of it in the future. Though I think we also should have some way to override...
Greg Hewgill