Some of you out there in Widget-land may have noticed that we taught a few of the Widgets we build a neat new trick – how to update themselves without the end user ever having to leave his/her desktop. We’ve wanted this feature for some time, and so have other Widget authors. In fact, some of our more proactive authors got tired of waiting around for us and went ahead and implemented Widget update for their own Widgets all by themselves!

Today we’re happy to announce that all Widgets can now take advantage of the new Widget update feature that we began testing and rolling out with the release of Yahoo! Widgets 4. For those of you who haven’t seen this in action, it’s pretty straightforward.

First, the user receives a notification that an update is available:

The user is instructed to view the Dock to see the available updates:

Upon clicking the button, the user is presented with a confirmation dialog:

And voilà! Upon clicking “Install,” the updated Widget is running on the user’s desktop.

We think this is a great feature for Widget authors, because it lets them offer their users a seamless update experience that’s well integrated with the platform. It’s also something that Widget users should love, because in addition to being a huge time-saver, it provides a consistent update interface across all Widgets and it helps us to better ensure your security; only Widgets that have passed the Yahoo! Widget Gallery security checks are eligible for auto-updates.

We’ve been testing this functionality with our own Widgets for a couple months, and we’re now ready to activate update notifications for all Widgets that are set up for it starting today.

A sidenote: we’re the first desktop Widget platform to roll out built-in universal Widget update check! Woohoo!

Developers: here’s how to configure your Widget to use auto-updates.

1.) Insert a unique identifier into your metadata.

Here’s your chance to use widget.xml in your Widget. This metadata file contains the string that uniquely identifies your Widget on our servers (as well as being the place to store the Widget’s name, author, copyright information, default dock image path, and so on). To guarantee a unique value from the get-go, we recommend that your identifier be a UUID, which can be easily generated using the UUID Vault Widget.

If you already have Widgets built that have a unique identifier that isn’t a UUID, don’t worry. We will accept any valid unique identifier (which can only contain alphanumeric characters, periods, hyphens, underscores, and/or exclamation points) as long as it’s truly unique and we have no duplicate already in our system.

An example metadata file with the unique identifier looks like this:

<?xml version="1.0" encoding="utf-8"?>

<metadata>
  <name>The Greatest Widget In The Universe</name>
  <version>1.5</version>
  <identifier>7F6C7DCD-29FC-4475-9408-B762F2048A65</identifier>
  <image usage="dock" src="Images/Dock/Icon.png"/>
  <author name="John Doe" organization="Awesome Stuff, Inc."
  href="http://www.example.com"/>
  <copyright>(c) 2007 Awesome Stuff, Inc.</copyright>
  <description>This Widget fights hunger, advocates for world peace,
  and brings you fresh coffee every morning with a smile.
  </description>
  <platform minVersion="4.0.5" />
</metadata>

2.) Be certain that your version numbers are incremented and in the correct format

Our update check mechanism is dependent upon the format we use for all of our own Widgets as well as Konfabulator itself. For now you’ll need to match this format, which is n.n for major versions and n.n.n for minor versions. Some examples of valid version numbers:

1.0
1.0.2
2.5
3.7.2

You cannot use version numbers such as 1.0a or 3.0b2.

When adding the version tag to your widget.xml file, have only the version number in it. Don’t add characters that aren’t numbers like “ver 3.5″ or “v1.0b”.

<version>1.5</version>

If you currently have a Widget in the Gallery whose version number contains non-numeric characters, you’ll have to change the version number in the Widget’s widget.xml file to the correct format before auto-updates will work.

It’s easy to forget to increment the version number in your metadata, so make sure you do that; otherwise your users won’t receive an update notification!

3.) Submit the Widget to the Gallery!

Once you’ve finished the first two steps, simply submit your updated Widget to the Gallery! We’ll automatically pick up the version number and identifier out of widget.xml during the review of your Widget.

And that’s it, really. In the future, we’re going to offer more granular controls for authors of properly configured Widgets (i.e. have valid unique identifier and version) to manage update notifications, including the ability to opt-out. But for now, if you don’t want to use the auto-update mechanism, simply don’t include the unique identifier in your widget.xml file.

We take our users’ security seriously here at Yahoo!. Because a big part of what people love about our product are the thousands of Widgets created by independent authors that are available through the Yahoo! Widget Gallery, our commitment to security extends to those Widgets as well. Every Widget in our Gallery goes through automated and manual checks to help ensure that it meets the standards for product safety and security that people have come to expect from Yahoo!. This process is revisited and updated to keep up with the latest threats.

Yesterday, Aviv Raff from Finjan’s Malicious Code Research Center made a presentation on security issues in widgets at the DEFCON conference. As part of his presentation, Aviv disclosed a vulnerability in the Yahoo! Contacts Widget. Thanks to Aviv, we were already aware of this issue and published an updated version of the Yahoo! Contacts Widget to the Yahoo! Widget Gallery on July 31. Our subsequent investigation revealed that the vulnerability Aviv described existed in more than just our Contacts Widget, and we’ve been taking a number of steps over the last several days to address this issue.

When a threat arises, we try to respond quickly. Typically, we first identify all the Widgets that are potentially affected by the security issue, immediately remove them from the Yahoo! Widget Gallery, and notify their authors that a fix is required. A lot of Widget authors may be wondering why we do things in that order and don’t give the authors of the affected Widgets notice before removing them from the Gallery. The answer is that by informing people of the vulnerability (even if those people are the authors) we increase the risk that someone might try to exploit it. We know the suddenness of events like these can be an inconvenience for our authors, for which we apologize. With that said, the safety and security of the platform is important to everyone in the Yahoo! Widgets ecosystem. In dealing with this particular vulnerability, we have tried to make things a little easier for authors by proactively reaching out with instructions on how to fix this issue and build more secure Widgets going forward.

In more serious cases, we next disable the affected Widgets that have already been downloaded from running on our platform. In those cases, of which this is one, we try to give the authors of the affected Widgets a short grace period to get security updates of their Widgets to existing users before the older versions are disabled.

We’ve always worked hard to live up to the trust our users place in Yahoo! Widgets. And it’s an ongoing effort. In future releases of the Yahoo! Widgets platform and Gallery, you will see continued improvements to help ensure the safety and security of our users as well as making events like these less burdensome for authors.

You’ve got a lot to say, and we like to hear it (most of the time). So, we’ve decided to take the conversation to meatspace by opening up Widgets HQ to a limited number of Widget authors for our first ever Konfabulator Developer Day.

Join us for a day of food, fun, and Widgety goodness (not to mention a viewing of Rob’s spoon) on the Yahoo! campus in scenic Sunnyvale, CA. In addition to the pure pleasure of hanging out with the Widgets team and your fellow Widget authors, the day will be filled with interactive chats on everything related to the world of Widgets.

Attendees will get free Widgets shwag (most important) and an inside look into:

• The Konfabulator architecture, API and a preview of some new features on the way
• Widget tips & tricks, and examples of cool widgets
• Ways you can promote your Widgets to the world, and possibly make money

Come ready to talk about your Widgets and have fun.

Date: Thursday 7 June 2007 (with optional Friday AM “office hours” to get one-on-one time with our team)

Location: Yahoo! HQ (701 First Ave, Sunnyvale, CA 94089)

Sign Up is Now Open ­ Limited Seats Available!

1. Be one of the first 20 people to RSVP to the event on Upcoming. Using your Yahoo!/Upcoming account, say that you’re “attending” the event.
2. We’ll send you an email within the next week that will include travel recommendations and confirmation instructions.
3. To those who confirm, we’ll then send info on logisitcs and agenda (as well as a fun survey to help us make the day just right)

We can’t wait to meet you and hear your feedback to help us guide the future of Konfabulator!

The Konfabulistas

Yes! Yahoo Widgets 4 is now available for download. This version has a lot of cool new features for users as well as developers of Widgets.

For those that think we’ve been sitting around drinking tequila and not really focusing on Konfabulator/Yahoo Widgets, today’s the day we show you what we’ve really been up to for these past months. Well, we’ve been drinking some tequila too, but let’s stay focused, shall we? What?!

Note, by the way, that our new release is called simply Yahoo! Widgets. No more ‘Engine’. It was too much of a pain to say, quite frankly. Not to mention users don’t care about engines, they care about Widgets. Developers might care about the engine, which is why as of this release we are once again calling the core engine Konfabulator! Why not? Everyone still calls it that both inside and outside of Yahoo!, anyway.

And now, without any further ado, let’s get into all the awesomeness we’ve added in this release.

Read the rest of this entry »

As mentioned in my last post, we’ve started out countdown to Yahoo! Widgets 4!

We’ve spent the past 10+ months working on this release. During this time we’ve increased the size of our team (the proof is in our About Box) and spent a good amount of energy trying to figure out how to best serve our customers and developers in this increasingly competitive space.

While most of our changes are under the hood, we’ve also got some great new user-visible features coming as well. We’ve also simplified a lot of our user interface based on user testing, etc. And we’ve made it easier than ever to get new Widgets into your collection.

We’ve decided that this release deserves a proper countdown, Konfabulator-style. This time, we give you a glimpse behind the scenes at Widgets HQ. Each day there’ll be some new clue as to what’s coming in our ‘Conference’ cam shot on our Whiteboard.

We think both users and Widget developers will be very pleased with what we’ve done this time around. And we’re not done yet. We still have a long list of things we’re about to start on for our next release. But first thing’s first: Yahoo Widgets 4!