Hacker News

> Open source creates a useful urgency: when your code is public, you assume it will be examined closely, so you invest earlier and more aggressively in finding and fixing issues before attackers do.

This should be the mentality of every company doing open source.Great points made.

> I want to be fair to Cal.com here, because I don’t think they’re acting in bad faith. I just think the security argument is a convenient frame for decisions that are actually about something else. […] Framing a business decision as a security imperative does a disservice to the open-source ecosystem that helped Cal.com get to where they are.

That sure sounds like bad faith to me.

I've started to opensource my side projects (as long as the code is in a state that I'm not too ashamed of). Seeing how easily I can reverse engineer binaries, clone various applications, and just generally build stuff from scratch with AI assistance, I think there is no moat in hiding your source code. If you can use my code to build something better than me, I wish you the best of luck!

"over a decade ago, the repository has been licensed under GPLv2. And that’s not changing"

Well - people can continue the GPLv2 fork anyway. So ultimately what Cal.com would do here does not matter; that's the beauty of GPL in general. It is a strict licence. I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.

> That code is exposed to constant scrutiny from attackers, defenders, researchers, cloud vendors, and maintainers across the globe. It is attacked relentlessly, but it is also hardened relentlessly.

It is clear that there is a business decision with regards to Cal.com jumping away from discourse, but the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember xz utils backdoor? Now, people noticed this eventually. Ok. How many placed trojans exist that people are unaware about? Perhaps there are more sophisticated backdoors. Perhaps AI is also used to help disguise them. I don't think that merely because something is open source, means it is automatically good or better with regards to security. Can you trust software? In California there are recent censorship bills to restrict 3D printing further, allegedly to curb on plastic guns (but in reality sponsored by lobbyists from the industry). Can a 3D printer print out a 3D printer that is not restricted? Is the state sniffing after people via laws not also a restriction? I guess it is possible to ensure a clean open hardware and open software system acting in tandem. But you kind of have to show that this is the case. See this old discussion about Trust, on reddit: https://old.reddit.com/r/programming/comments/1m4mwn/a_simpl...

Great piece. I thought the same of Cal's announcement; it basically boiled down to "we're willing to shift our entire business to a security-through-obscurity approach." It won't be long until systems are sophisticated enough that they can target an application over the course of a weekend, and try thousands of exploits across each possible endpoint you offer, to see what happens, regardless of whether or not your source code is public.

Anyone who's launched anything on the web -- anything at all -- and looked at the logs will see all sorts of endpoints being requested for /wp-admin/ or random WordPress plugins, even if their site has never, and will never, run WordPress. Imagine this at scale, with every possible attack method imaginable, blindly hitting everything on the web. That's where I think we're headed, and closed source won't fix that.

This article raises a lot of good points that strengthen the argument against keeping models away just because they're "too powerful". I remain disappointed to see AI corporations gloating about how powerful their private models are that they're not going to provide to anyone except a special whitelist. That's more likely to give attackers a way in without any possibility for defense, not the other way around.

> If your code is open source, your security team can scan it, your contributors can scan it, and independent researchers can scan it too.

Literally! If everyone can access the same system as Claude's Mythos, one solution is to have more people trying to identify your issue before the hackers have the chance to do it.

too bad. i wish they would go closedsource so that maybe everyone would stop using it. it's dogshit for countless reasons. including:

- refuses to even load on browser engines older than 2 years. for a webforum that's absolutely appaling. there's a barebones non-JS version. but it only loads for individual threads (not the forum homepage or anything else), so they must be linked to directly (e.g from a websearch engine)

- every single page navigation triggers the circle animation which blocks the view for up to 3 seconds. how is this not an obvious regression on webforum software that has existed for decades?

- various nonsensical functionality suggests an incoherent code base. like the input element for the searchbox disappearing if the browser window loses focus. if you switch tabs midway for whatever reason, you need to reopen the searchbox every time you get back. and you can't use an external editor to fill in the input. because as soon as you've focused the editor, the element that the editor hooked into no longer exists

- search results are crammed in a narrow responsive list with 5 entries. you need to press 'More' to see the rest of the results as yet another responsive list. you never know how many results there are in total. only that there are more than ones that loaded so far

- long threads are never rendered fully. only as incomplete chunks. so it doesn't work to set positional markers in the scroll buffer to jump back and forth. as soon as you scroll past the boundaries of the currently loaded chunk, the old content gets destroyed and replaced. it feels like having alzheimer's

- you can reply to any specific post in a thread and there will be a visual indicator about which post you replied to. except if you reply to the most recent post in a thread. so someones who reads a post has no way of knowing in advance whether it is being addressed to the post just above it, or to the thread as a whole

i hate discourse so much. i'll never understand why it got so much adoption by FOSS communities. it must be the virtue signalling

Does someone know which tools they are using for the multi day code ai code review?

> Large parts of it are delivered straight into the user’s browser on every request: JavaScript, …

Ooh, now I want to try convincing people to return from JS-heavy single-page apps to multi-page apps using normal HTML forms and minimal JS only to enhance what already works without it—in the name of security.

(C’mon, let a bloke dream.)

Their own software has become so bloated that now they're pivoting to bandwagon marketing. Soon some corporate enshittification platform will buy them.

Never used it as it asks me to burn an email address to post.