Opinion Cal.com has closed its commercial codebase, abandoning years of AGPL-3.0 licensing in a move that has alarmed the developer community that helped build it and sent ripples through the broader open source world.
“Open source is dead,” says Cal.com co-founder and CEO Bailey Pumfleet. But my conversations with top open source developers such as Linux kernel maintainer Greg Kroah-Hartman suggest it’s not. And I really don’t think it is.
Pumfleet made this declaration because the company is moving its main program from the GNU Affero General Public License (AGPL) to a proprietary license, as he sees AI as too much of a threat to the program’s security. Or, as he told me, “AI attackers are flaunting that transparency,” so “Open source code is basically like handing out the blueprint to a bank vault. And now there are 100× more hackers studying the blueprint.”
If that sounds familiar, it should. It’s an old argument that letting people read your code automatically makes it more vulnerable. It wasn’t true in the ’90s; it’s not true now. Consider, if you will, that most commercial code today is open source. If anything, open source has proven to be far more secure than proprietary code over the years.
Now it’s true that AI makes finding security holes easier and faster than ever. In particular, everyone is worried these days that the Anthropic Mythos Preview will drown the maintainers of smaller open-source projects in a flood of bug reports.
It’s also true that some security reports, such as Black Duck’s 2026 Open Source Security and Risk Analysis (OSSRA) paper, claim there has been a 107 percent surge in open source vulnerabilities per codebase. Indeed, lending support to Pumfleet’s argument, Jason Schmitt, Black Duck’s CEO, claims, “The pace at which software is created now exceeds the pace at which most organizations can secure it.”
However, with AI, we can also hope to patch newly discovered security holes as they are found. Cal, clearly, doesn’t want to take that chance. Or, perhaps, as he indicated, Pumfleet feels the company can’t afford it.
For, as Drew Breunig, a well-regarded tech strategist, argued in a recent blog post, code security has now come to “a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.”
In a way, this is a restating of Linus’s Law. Today, instead of “given enough eyeballs, all bugs are shallow,” perhaps it should be restated as “given enough tokens, all bugs are shallow.” That presumes, of course, that you can afford enough tokens to stay ahead of your attackers.
Simon Willison, Django co-creator, however, argues, “Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget whereas closed source software has to find all of the exploits themselves in private.”
Naturally, some would-be competitors are making hay about Cal’s sudden policy shift. Ryan Sipes, Mozilla Thunderbird Product & Business Development Manager, said on YComb: “Our scheduling software, Thunderbird Appointment, will always be open source. Come talk to us and build with us. We’ll help you replace Cal.com.”
By and large, though, the developer community isn’t buying Cal’s story.
On Reddit, one person questioned how serious Cal has ever been about security. Citing several recent patches for security holes, he commented, “These problems were not the result of sophisticated hacking; they stemmed from elementary oversights in authentication and access control.”
One cynical comment on Slashdot said, “If the tools are so good that you’re afraid they are going to be used to expose your security flaws… maybe you should use the tools to find the security flaws yourself, and then fix them rather than declaring security through obscurity. This is a fig leaf over the desire to back out of the open-source community now that the product has reached profitability.”
Thinking of security by obscurity, Peter Steinberger, creator of OpenClaw, tweeted, “If you look at GPT 5.4-Cyber and its capacity for closed source reverse engineering, I’ve got bad news for you.” If you haven’t looked at GPT 5.4-Cyber yet, OpenAI’s answer to Mythos, OpenAI claims it can reverse engineer binaries to source code.
If it can deliver on that promise, you can kiss the always bogus “security by obscurity” argument goodbye for good. We’ll finally get to see what’s really inside Windows – and won’t that be fun! And, oh yes, dropping open source to improve your security will stop being a thing.
Mind you, so far, no other companies or projects have followed in Cal’s relicensing footsteps. I doubt any will.
Yes, AI is radically changing open source programming. I don’t pretend to know what open source coding will look like by this time next year. AI’s transformation of programming is too broad for me to even make an educated guess. What I can say, though, is that we’ll be better off learning how to use AI and open source together rather than retreating into old, discredited proprietary licensing models. ®