Cal.com moves from open source to closed source, keeps a DIY fork for hobbyists

April 15, 2026

The pivot

Cal.com has announced it is closing its production codebase after five years as an open‑source project, saying security concerns forced the change. It has been reported that the company moved its production repository to private and rebranded the public, self‑hosted fork as calcom/cal.diy. “Cal.diy” will remain available under the MIT license for developers and hobbyists. This was framed as a gut‑wrenching, customer‑first decision; the company hopes to return to wider openness someday, but not while it believes the risk to user data is rising.

The reason: AI and a faster threat landscape

Cal.com says AI is changing security, not just productivity — and fast. It has been reported that modern AI tools can scan open codebases and surface vulnerabilities at machine speed, and the company points to an example where AI allegedly uncovered a 27‑year‑old BSD kernel flaw and produced a working exploit in hours. Cal.com argues that, in that environment, publishing production blueprints is increasingly risky; the firm alleges that keeping everything public would be like handing attackers the layout of the vault.

What this means for the community

There’s a trade‑off here: transparency versus operational security. Cal.diy keeps the spirit of community development alive — but the production codebase has diverged, with major rewrites in authentication and data‑handling that will remain closed. Developers and open‑source advocates will surely push back; some will grieve, others will fork and tinker. Still, the company’s message is clear: for now, protecting customer data trumps the ideological purity of full openness. Is this a one‑off or the start of a broader trend as AI upends how we think about software risk? Expect a lively debate.

Sources: cal.com, Hacker News