Open Source Isn't Dead

bearsyankees 318 points 168 comments April 15, 2026
www.strix.ai · View on Hacker News

Discussion Highlights (20 comments)

CodesInChaos

> The reasoning provided by their CEO, Bailey Pumfleet, is that AI has automated vulnerability discovery at scale.

That sounds like an excuse. The real reason is probably that it's hard to make a viable business out of developing open source.

tananaev

I have an open source project and started receiving a lot of security vulnerability reports in the last few months. A lot of them are extreme corner cases, but there were some legit ones. They're all fixed now. Closed source software won't receive any reports, but it will be exploited with AI. So I definitely agree with the message of this article.

funvill

This is just an excuse to close source their project while blaming AI. Spineless bullshit excuse instead of owning your choices. Shame.

pixel_popping

At the same time, I heavily support open-source and contribute a lot, but I can't necessarily agree that security-through-obfuscation doesn't play a major role in slowing down attacks. Cloudflare has based its whole security model on being closed-source (for example its anti-bot mechanism), so that it is hard to reverse engineer, and it remains a leader as of today with few serious security breaches. Some things just can't be truly secure as well; DDoS protection is mostly a guessing/preventive game, and exposing your firewall config/scripts will make you more vulnerable than NOT. If your codebase isn't exposed, attackers are constrained by the network and other external restrictions, which greatly reduce the number of possible trials. Even with a swarm of residential proxies, it's not the same at all as inspecting a codebase in depth with thousands of agents and all models.

dzonga

A lot of the vulnerabilities in web apps are people trying to be too smart for their own good. Use battle-tested frameworks such as Rails or Django, then you won't make rookie security mistakes.

RRRA

How long before LLMs perform perfect disassembly exploitation...

shay_ker

It's a good question: is blackbox hacking as effective as whitebox hacking for AI agents? I've gotta assume someone at Anthropic is putting together an eval as we speak.

theturtletalks

Enshittification has come for VC-backed open source. As someone on Twitter said, open source has deemed commercial open source obsolete, especially when users can point Claude Code to calcom on GitHub and ask it to build scheduling features directly into their product. That's what spooked Cal.

reenorap

All content is going to go behind paywalls. There is zero incentive or reason for content creators to let AI slurp their content for free, distribute it, and get all the money from it. Everything new will be licensed, and if AI companies want access to it, they will need to pay for it, just like we will.

misiti3780

I have a large open source project and noticed the number of LLM-generated PRs is making it unmanageable. Every two weeks, I go in and kill all of them, and when someone complains or asks why, I realize it was a real person and then I merge it. Is anyone else seeing this / fixed this problem?

righthand

Open source is dead; AI pundits are applying the wrong lessons. No one has to accept AI or play the game; all these AI companies don't work if everyone stops publishing. Let the AI-generated content industry have the publishing space, they're very adamant about taking it over and watering it down with slop.

I wrote some very nice expressive text for our deployment guide. My project manager took the guide and had Gemini break it down into plain boring bullet points. AI and the pundits can gf themselves in their journey to kill human expression.

Here is what I wrote in the guide:

"Post Deploy Responsibility

If you made it this far, say "Wow I really did it and it was so easy!" Did you say it? Good. Now you are entirely responsible for any issues or bugs that may arise from the newly deployed code. Don't go anywhere until the deploy has finished (usually takes a few minutes). While an issue or bug may not leave you directly at fault, you are responsible for coordinating any rollbacks or remediations that may be needed until the next deploy."

Here is what the product manager slopped it into:

"- Post deploy responsibility
- You are responsible for performing QA upon deployment
- You are responsible for any issues or bugs that may arise from newly deployed code
- You are responsible for coordinating any rollbacks or remediations that may be needed until the next deploy"

My paragraph wasn't long, hard to understand, or poorly written. I wouldn't have objected to a rewording or some changes, but the project manager chose to just copy-paste it into Gemini and copy and paste it back. So my take is that they didn't understand what I wrote, which is a few sentences long, and frankly it's sad if a paragraph is too intense for you to read. When my project manager did this during the meeting I said, "RIP human expression," and their response was a very hasty "no that's not what's happening". This is what all the pundits want to do to everyone and society.

Don't believe them that "it's just a tool"; that is just a tactic to get you to roll over so they can shove more AI in your face.

linuxhansl

So Cal.com favors security through obscurity. Open source was always open to "many eyes", in theory exposing itself to zero-day vulnerabilities. But the "many eyes" go for the good and the bad actors. As far as I am concerned... way to go, Cal.com, and a good reminder to never use your services.

Divs2890

Closing your source doesn't close your attack surface, it just closes the community that would have helped you defend it. Security through obscurity is a kind of tradeoff, not a strategy... I mean, that's what I feel.

Bridged7756

It's just an excuse. Classic open source rug pull here.

julianozen

There is another product I use that has a freemium model. They hope to monetize a paid tier for users who use the product a lot. In order to build trust, they open source their product. I forked it and removed the blocks from the freemium feature in 15 minutes using Claude Code. Never published the code to anyone else, just used it myself. Unfortunately, I think it isn't going to be tenable for systems to be fully open sourced going forward.

Peer_Rich

Cofounder here. Going closed source does not mean we are not fighting fire with fire; we have been using a handful of internal AI vulnerability scanners for months now. Being open source simply reduces risk by 5x to 10x, according to several security researchers we are working with: https://cal.com/blog/continuous-ai-pentesting-vulnerability-...

jongjong

I decided to not open source my latest project but it has nothing to do with security concerns. My code is perfectly secure and bug-free. My concern is mostly financial. Most people would be in a better position to monetize my software than I am... Using AI to obfuscate the origin while appropriating all the key innovations. I wouldn't get any credit. Also, I'm not really interested in humans anymore. I have human fatigue.

bzmrgonz

Strix was so close to being the hero we deserve. I think blue torches like Strix should offer their services for free to open source ships out at sea. There are 3 wins here: GLOBAL GOOD WILL, testimonials and reviews, and market loyalty reward.

phkahler

Can any of the AI systems read binary yet? Perhaps generate source code from an object file? If so, that would make access to source redundant for that type of analysis.

skal9606

Seems like flimsy reasoning from the Cal.com CEO. How should we think about Strix vs. foundational model releases like Mythos?
