[Debian-med-packaging] Please allow relicensing for older versions of two single files from PHYLIP

Joe Felsenstein joe at gs.washington.edu
Wed Feb 26 01:42:54 UTC 2014

Andreas Tille --

> you might remember some past discussion about the license of PHYLIP.

Oh yes, I remember it. Indeed.

> Since we tried to include PHYLIP in official Debian for the profit of
> users of the large pool of biological software inside Debian[1] we asked
> you about a more relaxed license to provide it in the main distribution
> rather than in non-free.  I have understood that you are not interested
> in a license change of the whole code.  However, we now have the case
> that the well known program seaview is using just two single files from
> PHYLIP (namely src/dnapars.c and src/protpars.c) and the code copies are
> not from a recent but rather from an older version (3.52c).  I wonder
> whether you would agree upon relicensing just these two single files to
> preferably GPL 3 (as the seaview code).

I could ask our University's licensing people to let me place them
under GPL 3.  In fact I have been seriously considering asking them
to put PHYLIP under some Gnu or open license, as I am getting towards
retirement and have no programmers of my own to work on it.  They would
probably be open to this, as PHYLIP brings in no money, being so
widely available as "free beer". So I would then put it up as an open-source
project and let others do more contributing.  That way it could even outlive me.

I have one qualm (aside from the usual complaint that Gnu and O/S
licenses have no way to have any royalty reach the coders when
their code is sold or access to it is sold).  That is that there is in
fact a serious problem with all the version 3.5c code, and which is
a security hole.  3.5c programs use the deprecated function
gets() to read from files.  This function is vulnerable to a buffer
overflow attack.

Probably there is no danger if the programs are only called by
Seaview, but I would hope someone could patch those calls just
to make sure. Since the release of 3.6 in 2000, this security hole has been
plugged.  I have not made any statements about the existence of
this vulnerability, as that might signal which installations of PHYLIP
could be exploited.

Let me know your thoughts about this.

Joe Felsenstein         joe at gs.washington.edu
 Department of Genome Sciences and Department of Biology,
 University of Washington, Box 355065, Seattle, WA 98195-5065 USA
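Added example (not code from PHYLIP, Seaview, or the message above): the
message says only that the 3.5c programs call gets() to read from files
and that the calls should be patched.  gets() takes no size argument, so
any line longer than the destination array is written past its end; the
usual fix is a bounded read with fgets() that also reports when a line was
too long, since a silently cut line is a data-integrity problem of its own.
The reader below is the shape of that fix.  The function names, the
line-status enum and the sample input are assumptions made for this
illustration; the sample "sequence file" is constructed in memory via
tmpfile() so the example runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
enum line_status {
    LINE_OK = 0,      /* a complete line was stored in buf */
    LINE_TRUNCATED,   /* the line was longer than buf; the excess was discarded */
    LINE_EOF          /* no more input; buf is "" */
};

/*
 * Bounded stand-in for gets(): read one line from fp into buf (bufsize
 * bytes including the NUL) and strip the trailing newline.  A line that
 * does not fit is cut at bufsize-1 bytes, the remainder is consumed so
 * the next call starts on the following line, and the caller is told via
 * the return value instead of having its array overrun.  bufsize >= 2.
 */
enum line_status read_line_bounded(FILE *fp, char *buf, size_t bufsize)
{
    if (bufsize < 2)
        return LINE_TRUNCATED;           /* cannot hold even one character */
    if (fgets(buf, (int)bufsize, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline stored: either the file ended without one, or the line
       did not fit.  Peek one more byte to tell the two cases apart. */
    int c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;
    while (c != EOF && c != '\n')        /* drop the rest of the long line */
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/* First line of a string read through a temporary file (assumed helper
   standing in for a sequence file on disk). */
struct line_result {
    enum line_status status;
    char text[16];
};

struct line_result first_line(const char *input, size_t bufsize)
{
    struct line_result r;
    r.status = LINE_EOF;
    r.text[0] = '\0';
    if (bufsize > sizeof r.text)
        bufsize = sizeof r.text;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return r;
    fputs(input, fp);
    rewind(fp);
    r.status = read_line_bounded(fp, r.text, bufsize);
    fclose(fp);
    return r;
}

/* Per-file summary: lines read, and how many were cut short. */
struct scan_summary {
    int lines;
    int truncated;
};

struct scan_summary scan_lines(const char *input, size_t bufsize)
{
    struct scan_summary s = {0, 0};
    char buf[64];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return s;
    fputs(input, fp);
    rewind(fp);
    enum line_status st;
    while ((st = read_line_bounded(fp, buf, bufsize)) != LINE_EOF) {
        s.lines++;
        if (st == LINE_TRUNCATED)
            s.truncated++;
    }
    fclose(fp);
    return s;
}

int main(void)
{
    /* Constructed sample: lines 2 and 4 exceed an 8-byte buffer. */
    const char *sample = "ACGT\nAAAAAAAAAAAAAAAA\nCC\nGGGGGGGGGGGG\n";
    struct scan_summary s = scan_lines(sample, 8);
    printf("%d lines read, %d truncated instead of overflowing\n",
           s.lines, s.truncated);
    return 0;
}
```

The point of returning LINE_TRUNCATED rather than quietly cutting the line
is that a caller parsing a sequence file can refuse the input or enlarge
its buffer; with gets() the same over-long line would have overwritten
whatever followed the array on the stack.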
