[Debian-med-packaging] Please allow relicensing for older versions of two single files from PHYLIP

Andreas Tille andreas at an3as.eu
Wed Feb 26 07:48:06 UTC 2014

Hi Joe,

thanks for your quick reply.

On Tue, Feb 25, 2014 at 05:42:54PM -0800, Joe Felsenstein wrote:
> Andreas Tille --
> > you might remember some past discussion about the license of PHYLIP.
> Oh yes, I remember it. Indeed.


> > Since we tried to include PHYLIP in official Debian for the profit of
> > users of the large pool of biological software inside Debian[1] we asked
> > you about a more relaxed license to provide it in the main distribution
> > rather than in non-free.  I have understood that you are not interested
> > in a license change of the whole code.  However, we now have the case
> > that the well known program seaview is using just two single files from
> > PHYLIP (namely src/dnapars.c and src/protpars.c) and the code copies are
> > not from a recent but rather from an older version (3.52c).  I wonder
> > whether you would agree upon relicensing just these two single files to
> > preferably GPL 3 (as the seaview code).
> I could ask our University's licensing people to let me place them
> under GPL 3.  In fact I have been seriously considering asking them
> to put PHYLIP under some Gnu or open license, as I am getting towards
> retirement and have no programmers of my own to work on it.  They would
> probably be open to this, as PHYLIP brings in no money, being so
> widely available as "free beer". So I would then put it up as an open-source
> project and let others do more contributing.  That way it could even outlive me.

This would be *really* great and I guess several people will applaud
this move!  Please be assured that the whole Debian Med team will stand
behind you and might help in case some arguments might be needed.

> I have one qualm (aside from the usual complaint that Gnu and O/S
> licenses have no way to have any royalty reach the coders when
> their code is sold or access to it is sold).  That is that there is in
> fact a serious problem with all the version 3.5c code, and which is
> a security hole.  3.5c programs use the deprecated function
> gets()  to read from files.  This function is vulnerable to a buffer
> overflow attack.
> Probably there is no danger if the programs are only called by
> Seaview, but I would hope someone could patch those calls just
> to make sure. Since the release of 3.6 in 2000, this security hole has been
> plugged.  I have not made any statements about the existence of
> this vulnerability, as that might signal which installations of PHYLIP
> could be exploited.

I have put the seaview author in CC to keep him informed.  I have no
idea for what reason he has kept / conserved the 3.5c version and he
might raise his voice about this.

> Let me know your thoughts about this.

While I agree that the harm of the two affected files might make seaview
not an effective intrusion vector into your system, it sounds reasonable
to use the latest version.  I also hope that you will be successful in
convincing your University's licensing people to allow a GPL licensed
PHYLIP.  Considering that you want to make sure that the code will
outlive you, I'd recommend putting it into a repository at some common
hosting platform (sourceforge, github, googlecode or so).  This might
attract people outside of your university and, if I correctly understood
the role of PHYLIP, there is severe interest in this code.  I might even
imagine that parts of it might be bundled in a dynamic library that
could be simply used by projects like seaview rather than using
potentially outdated code copies.

Kind regards and all the best for your retirement (hey, for me that
would mean I could code just for fun all the day ;-))
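The kind of patch Joe asks for above, replacing an unbounded gets() call with a size-checked read, as an added illustration that is not code from PHYLIP, seaview or this thread. The function names, the status codes and the sample input are constructed for the example; the point it shows is that the bounded reader must also report a line that does not fit instead of silently truncating it, since a truncated sequence line is a correctness bug of its own.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The 3.5c-era pattern the message describes, shown only as a comment:
 *     char line[100];
 *     gets(line);        <- no size argument; any longer input overruns line
 * gets() has no declaration in C11 headers, so it is not compiled here. */

enum read_status { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2 };

/* Bounded replacement (constructed name): fill buf (bufsize bytes) with one
 * line, strip the newline, and report a line that does not fit rather than
 * silently truncating it. After READ_TOO_LONG the stream is positioned at
 * the start of the next line, so the caller can skip or abort cleanly. */
int read_line_bounded(FILE *fp, char *buf, size_t bufsize)
{
    if (bufsize < 2 || bufsize > INT_MAX || fgets(buf, (int)bufsize, fp) == NULL)
        return READ_EOF;                 /* nothing read, or unusable buffer */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* Buffer filled with no newline: the line ends exactly here, or it
     * continues past what fits. Peek at the next character to tell which. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return READ_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                                /* discard the overlong remainder */
    return READ_TOO_LONG;
}

/* Test helper (constructed): turn an in-memory string into a FILE* using
 * tmpfile(), which is standard C, so the example runs offline. */
FILE *open_constructed_input(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}
```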


