"open source is dead" is the dumbest thing i've read this month

by ·

open source hot topic dev

last month, cal.com (a scheduling app that built its entire identity around being open source) quietly moved its core codebase behind closed doors. the reason they gave? AI makes public code too dangerous now. attackers can scan your repo, find the vulnerabilities, and exploit them faster than ever before.

okay, sure. that part's actually not wrong.

what IS wrong is what their CEO, Bailey Pumfleet, posted on LinkedIn the day after the announcement: "open source is dead."

bro. be serious for once.

the argument doesn't hold up

the logic goes: AI can read your open source code and find bugs, therefore hiding the code protects you. it sounds reasonable until you flip it around. if AI can find bugs in public code... it can also be used to audit public code. and that's exactly what's been happening.

Mozilla shipped 423 Firefox security fixes in a single month in April, with AI-assisted auditing helping catch issues that would've taken a human team months to find. Anthropic's own internal model found a 27-year-old integer overflow in OpenBSD's TCP stack that decades of human reviewers walked right past. the same technology cal.com is scared of is the technology making open source more secure, not less.

meanwhile, closed source software has its own nightmare track record. Ivanti's enterprise VPNs, closed source, got hit with multiple zero-days in 2025 that took weeks to even detect because there was no external scrutiny. security through obscurity has never worked. it just means fewer people looking for problems before the bad guys find them.

also, have you seen what open source just did

OpenClaw went from a weekend side project to 355,000 GitHub stars in five months. one guy, Peter Steinberger, built a fully open AI agent framework that surpassed React in GitHub stars, a project that took over a decade to get there. companies like Tencent are building on it. it's running on humanoid robots. it's powering agentic workflows across basically every messaging platform you can name.

all of it open source. MIT license. community governed. no one "protecting" the code.

and it's not like OpenClaw is some outlier. Linux powers the majority of the internet. Apache serves the web. half the security tooling that keeps actual infrastructure safe is open source. the entire modern dev stack is open source. calling open source dead in 2026 is like standing in a building held up by steel and announcing that steel is over.

what this actually is

cal.com had a hard time converting free users to paid plans. that's it. closing the source is a business move dressed up in a security costume. the AI threat narrative is convenient because it sounds technical enough that most people won't push back on it.

and look, i'm not even saying cal.com made the wrong business decision for themselves. maybe closed source genuinely fits where they're going. but posting "open source is dead" as a parting shot to the community that helped build your product is just a terrible take, and it deserves to be called out as one.

open source isn't dead. it's never been more alive. cal.com just left the party and tried to turn the lights off on the way out.