by shevy-java 58 days ago
"over a decade ago, the repository has been licensed under GPLv2. And that’s not changing"

Well - people can continue the GPLv2 fork anyway. So ultimately what Cal.com would do here does not matter; that's the beauty of GPL in general. It is a strict licence. I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.

> That code is exposed to constant scrutiny from attackers, defenders, researchers, cloud vendors, and maintainers across the globe. It is attacked relentlessly, but it is also hardened relentlessly.

It is clear that there is a business decision with regards to Cal.com jumping away from discourse, but the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember the xz utils backdoor? Now, people noticed this eventually. Ok. How many planted trojans exist that people are unaware of? Perhaps there are more sophisticated backdoors. Perhaps AI is also used to help disguise them. I don't think that merely because something is open source, it is automatically good or better with regards to security. Can you trust software? In California there are recent censorship bills to restrict 3D printing further, allegedly to curb plastic guns (but in reality sponsored by lobbyists from the industry). Can a 3D printer print out a 3D printer that is not restricted? Is the state sniffing after people via laws not also a restriction? I guess it is possible to ensure a clean open hardware and open software system acting in tandem. But you kind of have to show that this is the case. See this old discussion about Trust, on reddit: https://old.reddit.com/r/programming/comments/1m4mwn/a_simpl...


> the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember xz utils backdoor?

The XZ attack is an extremely rare event coming likely from a state actor, which actually proves that FLOSS is a big target not easy to attack without huge effort. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.

In short, using FLOSS is the way to ensure security. Whenever you touch proprietary stuff, be careful and use compartmentalization.

Yeah, I found this comment to be weird. At least the XZ backdoor was found before it went live anywhere. How many companies were hit by the SolarWinds supply chain attacks?

> I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.

I differ here. The reason why the corporations run Linux Foundation which pays Linus is cos of this license. Otherwise, they would take what they want and not interfere like they do with FreeBSD and OpenBSD. BSD/MIT leads to better compliance.

The only reason it stays this way is cos Linus owns the trademark. Wait until Linus steps down. Most likely someone who aligns more with corporates will take charge and you'll see changes then.

If interested - https://www.unsungnovelty.org/posts/05/2023/open-source-proj...

That's quite the thread. It seems like a good chunk of posters didn't even begin to grasp the point.

We're talking about SaaS businesses anyway. Open Source doesn't really matter there - you never actually know what's running on their servers.

Unless this is AGPL.

Nope. You can never verify they run the same code from their repo. You cannot physically access their system after all.

Illegal actions are often hard to prove, and yet laws somehow work in general. Same here with obeying the license.