Greg Hewgill (ghewgill) wrote,
Greg Hewgill
ghewgill

the difference between free and Free

As the author of several Yahoo! widgets, I got an email from Yahoo regarding a potential security vulnerability in one of my widgets (the Earthquakes widget). The security vulnerability involves interpreting potentially untrustworthy information retrieved from the web as executable Javascript code using the equivalent of eval. Full details are available on the Konfabulator forum, if you're curious.

More interesting than the vulnerability itself is the way Yahoo has handled it so far. They used an automated program to analyse the source code for each widget in their gallery, and identified those that may have this vulnerability. After identifying those widgets, they temporarily removed their listing from the public widget gallery pending an update. Then they sent out an email to the widget authors.

The email described three ways for authors to address this problem. Two involved minor code changes; one was a proper fix using a new method of doing the same thing, and the other was a hack that worked around the specific problem. The third method was for the author to convince Yahoo that their automated tool had a false positive and the problem did not exist in that particular widget. If a widget author failed to take one of these actions by 16 August, then the widget in question would be disabled from running on other peoples' computers on that date.

This is a fairly strong response from Yahoo regarding this problem. Indeed, this is potentially a serious problem - such a widget that runs arbitrary Javascript code derived from information on an external web site has the potential to do a great deal of damage if the external web site sends specific malicious instructions. Yahoo doesn't want their widget engine implicated in any kind of large-scale exploit, so they have taken this aggressive position.

The real point of all this is that Yahoo has the ability to exert control over which specific widgets you may and may not run using the Yahoo Widget Engine. This may have been something that all users "agree" to using the standard clickthrough license agreement, but I don't remember what it said and I'm sure nobody else has read it either. This type of control is technically feasible in many situations—Microsoft could theoretically prevent specific malicious programs from running on Windows—but Yahoo has shown that they aren't afraid to wield this control when the situation arises.

While the Yahoo Widget Engine is free (gratis), it is not Free (libre). The widget engine runs on your computer and appears to follow your instructions, but Yahoo ultimately retains control over its operation. They may prevent specific widgets from running, or may prevent the widget engine from running at all, depending on their whim. A truly libre widget engine would do exactly what you told it to do without taking instructions from any other person or entity. And it would come with source code, so you could verify this for yourself and even modify it if you wanted.

Although I believe in libre software, I will likely continue to develop widgets for the Yahoo widget engine. It's very easy to do and is a great way to build good-looking cross-platform simple gui apps. There's no fundamental difference in the control Yahoo exercises over their Widget Engine, and the control Microsoft exercises over Windows. I am, however, left wondering just how much effort would be involved in building a libre Yahoo-compatible widget engine. Would it be worth it?
Subscribe

  • ljdump 1.1 - now supports comments

    I have updated ljdump so that it now supports downloading all journal comments. Comments are downloaded incrementally, just like journal entries, so…

  • livejournal backup copy

    Ever since I started using livejournal, it's annoyed me that the content I write is stored on somebody else's server. It's not that I don't have…

  • mac mini surgery

    A while ago I ordered 1GB of memory from crucial.com for my Mac mini, but hadn't yet installed it. Since Apple doesn't think the Mini is a…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 2 comments