Greg Hewgill (ghewgill) wrote,
Greg Hewgill

the difference between free and Free

As the author of several Yahoo! widgets, I got an email from Yahoo regarding a potential security vulnerability in one of my widgets (the Earthquakes widget). The security vulnerability involves interpreting potentially untrustworthy information retrieved from the web as executable Javascript code using the equivalent of eval. Full details are available on the Konfabulator forum, if you're curious.

More interesting than the vulnerability itself is the way Yahoo has handled it so far. They used an automated program to analyse the source code for each widget in their gallery, and identified those that may have this vulnerability. After identifying those widgets, they temporarily removed their listing from the public widget gallery pending an update. Then they sent out an email to the widget authors.

The email described three ways for authors to address this problem. Two involved minor code changes; one was a proper fix using a new method of doing the same thing, and the other was a hack that worked around the specific problem. The third method was for the author to convince Yahoo that their automated tool had a false positive and the problem did not exist in that particular widget. If a widget author failed to take one of these actions by 16 August, then the widget in question would be disabled from running on other peoples' computers on that date.

This is a fairly strong response from Yahoo regarding this problem. Indeed, this is potentially a serious problem - such a widget that runs arbitrary Javascript code derived from information on an external web site has the potential to do a great deal of damage if the external web site sends specific malicious instructions. Yahoo doesn't want their widget engine implicated in any kind of large-scale exploit, so they have taken this aggressive position.

The real point of all this is that Yahoo has the ability to exert control over which specific widgets you may and may not run using the Yahoo Widget Engine. This may have been something that all users "agree" to using the standard clickthrough license agreement, but I don't remember what it said and I'm sure nobody else has read it either. This type of control is technically feasible in many situations—Microsoft could theoretically prevent specific malicious programs from running on Windows—but Yahoo has shown that they aren't afraid to wield this control when the situation arises.

While the Yahoo Widget Engine is free (gratis), it is not Free (libre). The widget engine runs on your computer and appears to follow your instructions, but Yahoo ultimately retains control over its operation. They may prevent specific widgets from running, or may prevent the widget engine from running at all, depending on their whim. A truly libre widget engine would do exactly what you told it to do without taking instructions from any other person or entity. And it would come with source code, so you could verify this for yourself and even modify it if you wanted.

Although I believe in libre software, I will likely continue to develop widgets for the Yahoo widget engine. It's very easy to do and is a great way to build good-looking cross-platform simple gui apps. There's no fundamental difference in the control Yahoo exercises over their Widget Engine, and the control Microsoft exercises over Windows. I am, however, left wondering just how much effort would be involved in building a libre Yahoo-compatible widget engine. Would it be worth it?

  • 2013 in review

    2013 is the year when everything changed. The biggest event was the birth of our daughter Lily. She was born prematurely in Shanghai while we…

  • 2012 in review

    2012 has been fairly quiet. Maybe it just seems that way because I haven't actually written anything new in this blog since last year's annual…

  • new photo galleries

    I've been busy processing photo galleries from the last year (or two) and putting them online for your perusal. Vancouver 2010 Northland…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded