It's not a real hole. It's a meta-hole. But we still view it as a hole, so it's a hole.
That hole opened up again in Australia this week, where a "loud minority" got personal when Australian Taxation Office chief information officer Bill Gibson expressed concerns about open source security.
The assumption which makes this a meta-hole is that if the security scheme is open source, the security scheme is vulnerable. Thus visible software is vulnerable software. Catch-22 there.
That's what makes Red Hat's latest announcement worth reading. They've made their certificate system open source.
This is code originally obtained from AOL, some of which was already open source because it was part of the Apache Web server or Red Hat Directory Server.
It's a major move from new CEO Jim Whitehurst, who came to the company from (shudder) Delta Air Lines. You may recall he had to prove his bona fides before a Matt Asay inquisition. (Matt had Jim sit in a comfy chair.)
Jim's lucky they didn't have me conduct that interview. I would have asked what college he went to. (Rice University, our mutual alma mater, has a college system.) Then I would have poked him with the soft cushions.
This doesn't mean the supposed contradiction between open source and security will disappear, any more than racism will fade because we acknowledge it.
But it's a start.