Rendered at 12:08:11 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
FlamingMoe 17 hours ago [-]
From the docs, "It is strictly recommended for personal, non-production use."
Wow what a 180 from just a year ago when their blog said, "For companies that handle sensitive information, deploying open-source scheduling software on-premises can offer an extra layer of security. Unlike cloud services controlled by external vendors, on-prem installations let teams maintain full ownership of their infrastructure. " ¹
I just cannot trust a company that does a bait and switch like this.
I think this is less a bait and switch and more just a legal liability shield. They're not saying you 'cant' use it that way. They just don't recommend you do, and they won't support you at all for doing so. Which I think is completely fair. Also, these two things aren't in contradiction. Deploying on prem does offer more security, but then it's up to you to use it correctly.
loa_in_ 17 hours ago [-]
It being open source also allows you to actually have a read of the software and guarantee things yourself, which is the harder better path anyway.
tecoholic 15 hours ago [-]
This actually makes me wonder if cal.com has had a security breach in their hosted offering that they are not disclosing.
sqircles 15 hours ago [-]
It seems to be more that they're using "security" as a reason for going closed source, so this is just sticking with the story.
tecoholic 13 hours ago [-]
Fair point.
Reubend 9 hours ago [-]
But the OSS license already absolves them of responsibility. This might just be to set the tone that security fixes won't be prioritized to the standard that they used to be.
cortesoft 8 hours ago [-]
You seem really confident that an OSS license would protect them from liability… what is that confidence based on?
> IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
liamgm 5 hours ago [-]
This is good , switching from viral license to more corporate friendly licensig
sreekanth850 16 hours ago [-]
I still remember when they launched here. "Opensource Alternate to Calendly" was their post title.
fnoef 16 hours ago [-]
What do you want, it’s hard to resist VC money and “the enterprise offering”
theturtletalks 14 hours ago [-]
Not impossible though, I run a directory of open-source alternatives and rarely do you see what Cal.com did. Projects gets abandoned yes, but a pure bait and switch like this really grinds my gears. This is from someone who is self hosting Cal.com right now and now they are going to strip even more features.
pastel8739 10 hours ago [-]
Are you really claiming you would rather the project get abandoned?
sreekanth850 8 hours ago [-]
Problem is using opensource as GTM strategy, to get developer contribution, traction and then say fuckoff.
spiderfarmer 15 hours ago [-]
That's why I'm worried about Laravel taking on a huge sum.
hrimfaxi 17 hours ago [-]
[dead]
_ache_ 16 hours ago [-]
I just installed calrs, a recent alternative to cal.diy. It absolutely rocks! The only downside is that it requires me to activate STARTTLS as force-TLS-SMTP isn't supported (I had to check the source code). It’s young, very promising, and honestly, I don't know what I could ask for more.
I also replaced Radical with rustical, and I gained free push updates.
Their internal IT infrastructure runs self-hosted OSS wherever possible. I don't think cal.rs is a toy project, they know the perils and headaches of doing open source.
_ache_ 14 hours ago [-]
Yes, sadly. :(
luckydata 11 hours ago [-]
Who gives a shit. Cal.com is written by hand and the code is absolute garbage. Of all people that should be luddites I never imagined software engineers would be the most pointlessly staunch advocates of that philosophy.
ramon156 2 hours ago [-]
LLM-assisted is different from vibe-coded. Weird how you're so defensive about it, though
liamgm 5 hours ago [-]
sadly it's one of the strictly viral license AGPL , i prefer the more permisive one
conradev 15 hours ago [-]
Tempted to buy cal.zone or cal.sucks just to add the paid features to cal.diy. They even made a list!
Teams, Organizations, Insights, Workflows, SSO/SAML, and other EE-only features have been removed
cal.ws is $630 on Namecheap... the tokens required to build this are cheaper than the domain.
chrysoprace 11 hours ago [-]
Bonus: if you pick cal.zone you can have fun with pizza puns.
singiamtel 14 hours ago [-]
I'm surprised cal.zone is not taken already
holistio 10 hours ago [-]
It still isn't taken but it's now $20k.
raphaelcosta 17 hours ago [-]
It’s curious what they said in the email they sent me about the OSS version.
------
A few important changes to note:
We will no longer provide public Docker images, so your team will need to build the image yourselves.
Please do not use Cal.diy — it’s not intended for enterprise use.
OsrsNeedsf2P 16 hours ago [-]
Wait, I didn't even realize Cal.diy is owned by Cal.com. It seems like they're trying to get ahead of the open source community forking by doing this themselves
dabeeeenster 15 hours ago [-]
How curious. Are they trying to throw security shade on running open source? Very odd.
j1elo 15 hours ago [-]
Here is a simple trick: do accept plenty of open source contributions as-is, without any kind of copyright assignment nor requiring to sign anything that grants power to relicense.
There you go, guaranteed community ownership of the code, best face and "good will" as promised by choosing a FOSS license to begin with, and future rug pulls averted.
Seeing it from the other side of the fence: if you see that all contributors are required to cede controlling power into a single hand (except certain Foundations, yadda yadda), it's not proper Open Source in spirit, only in form; and closeups are just a change of mind away.
jiusanzhou 5 hours ago [-]
The irony of labeling this 'not recommended for production' while it's a fork of your own previously production-grade OSS is hard to miss. Feels less like a community edition and more like a liability shield. Curious how long before an actual community fork ends up being the thing people self-host.
bluehatbrit 17 hours ago [-]
Cal.com has always had an open source community edition, I've been using it for some time. Is this just a rebrand of that line?
I'm unpersuaded by the assertion that closing the source is an effective security bulwark.
From that page:
> Today, AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.
Yeah, and AI can also be pointed at closed source as soon as that source leaks. The threat has increased for both open and closed source in roughly the same amount.
In fact, open source benefits from white hat scanning for vulnerabilities, while closed source does not. So when there's a vuln in open source, there will likely be a shorter window between when it is known by attackers and when authors are alerted.
goodmythical 15 hours ago [-]
The HN discussion on the announcement is just 90% posts of the theme "if a student can brute force your FOSS for $100, they can do you proprietary code for $200" and "if it's that cheap to find exploits, why don't you just do it yourself before pushing the code to prod?"
I believe that the reason the chose to close the source is just security theater to demonstrate to investors and clients. "Look at all these FOSS projects getting pwned, that's why you can trust us, because we're not FOSS". There is, of course, probably a negative correlation between closing source and security. I'd argue that the most secure operating systems, used in fintech, health, government, etc, got to be so secure specifically by allowing tens or hundreds of thousands of people to poke at their code and then allowing thousands or tens of thousands of people to fix said vulns pro bono.
I'd be interested to see an estimation of the financial value of the volunteer work on say the linux or various bsd kernels. Imagine the cost of PAYING to produce the modern linux kernel. Millions and possibly billions of dollars just assuming average SWE compensation rates, I'd wager.
Too bad cal.com is too short sighted to appreciate volunteers.
msteffen 15 hours ago [-]
> Millions and possibly billions of dollars just assuming average SWE compensation rates
Yeah, and average kernel devs are not average SWEs
luma 3 hours ago [-]
I think it's more prosaic, OSS is great for building a userbase but not great at generating revenue. So just wave the OSS flag while you build a userbase, then pull out whichever flimsy excuse seems workable at the time when you want to start step two of your enshittification plan.
The only thing new here is the excuse.
bee_rider 15 hours ago [-]
How are LLMs at reading assembly? I assumed they’d be able to read assembly about as well as any other language…
Is there such a thing as a closed source program anymore?
lrvick 15 hours ago [-]
Not only are they good at reading and writing machine code now, they are actively being used to turn video game cartridge dumps back into open source code the community can then compile for modern platforms.
There is no moat anymore.
cortesoft 8 hours ago [-]
They are REALLY good at it.
63stack 5 hours ago [-]
A much better argument would be "if you can point the AI to scan it for vulnerabilities, why not do that yourself and fix the vulnerabilities"?
hungryhobbit 16 hours ago [-]
If you believe they really did it for security, I have a very nice bridge to sell you for an extremely low price ...
Look, tech companies lie all the time to make their bad decisions sound less bad. Simple example: almost every "AI made us more efficient" announcement is really just a company making (unpopular) layoffs, but trying to brand them as being part of an "efficiency effort".
I'd bet $100 this company just wants to go closed source for business reasons, and (just like with the layoffs masquerading as "AI efficiency") AI is being used as the scapegoat.
rectang 16 hours ago [-]
Who says I believe it? ;)
I'm just choosing to focus on the substance of the argument itself, which I think is risible regardless of who makes it and why.
lrvick 15 hours ago [-]
As a former cal.com advocate, I am now going to be switching my two companies to cal.diy or a similar alternative and canceling my cal.com subscriptions.
I am now actively rooting for cal.com to go out of business now as a cautionary tale for any company thinking about taking open source projects proprietary.
FOSS || GTFO
pnw_throwaway 15 hours ago [-]
You might want to double-check the cal.diy maintainer before your wish is granted..
neerajdotname2 8 hours ago [-]
If you are looking for an alternative then please take a look at NeetoCal https://neeto.com/cal . It's closed source though.
Disclosure: I'm the CEO of NeetoCal.
fencepost 15 hours ago [-]
Can someone who's looked at the security of these systems give a bit more context on that?
The thing that's always concerned me with them is questions of "what level of access is required to the system(s) actually hosting my calendar data?" and "if this vendor is compromised, what level of access might an attacker in control of the vendor systems have?" Obviously this will vary by what kind of access controls backends have (e.g. M365, Google Workspace, assorted CRM systems, smaller cloud providers, self-hosted providers, etc.).
Edit: basically, with a lot of these systems, what's expected to be the authoritative data provider/storage?
dwedge 14 hours ago [-]
It rubs me the wrong way that it says it's "the open source community edition". Who decided this was the one? How of the community is Claude? Why open source and not free software?
Maybe I'm being critical but the copy gives me the ick
Edit: I just realised this is by cal.com. I'm leaving my comment intact, if anything it adds to my ick
swyx 17 hours ago [-]
are there notable open source forks or open source cal competitors that go for the "just keep it simple" vibe?
Wow what a 180 from just a year ago when their blog said, "For companies that handle sensitive information, deploying open-source scheduling software on-premises can offer an extra layer of security. Unlike cloud services controlled by external vendors, on-prem installations let teams maintain full ownership of their infrastructure. " ¹
I just cannot trust a company that does a bait and switch like this.
¹ https://cal.com/blog/open-source-scheduling-empower-your-tea...
> IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
I also replaced Radical with rustical, and I gained free push updates.
https://cal.rs/ and https://github.com/lennart-k/rustical
And if you wanna try it out. https://cal.ache.one/u/ache
Their internal IT infrastructure runs self-hosted OSS wherever possible. I don't think cal.rs is a toy project, they know the perils and headaches of doing open source.
------
A few important changes to note:
We will no longer provide public Docker images, so your team will need to build the image yourselves.
Please do not use Cal.diy — it’s not intended for enterprise use.
There you go, guaranteed community ownership of the code, best face and "good will" as promised by choosing a FOSS license to begin with, and future rug pulls averted.
Seeing it from the other side of the fence: if you see that all contributors are required to cede controlling power into a single hand (except certain Foundations, yadda yadda), it's not proper Open Source in spirit, only in form; and closeups are just a change of mind away.
From that page:
> Today, AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.
Yeah, and AI can also be pointed at closed source as soon as that source leaks. The threat has increased for both open and closed source in roughly the same amount.
In fact, open source benefits from white hat scanning for vulnerabilities, while closed source does not. So when there's a vuln in open source, there will likely be a shorter window between when it is known by attackers and when authors are alerted.
I believe that the reason the chose to close the source is just security theater to demonstrate to investors and clients. "Look at all these FOSS projects getting pwned, that's why you can trust us, because we're not FOSS". There is, of course, probably a negative correlation between closing source and security. I'd argue that the most secure operating systems, used in fintech, health, government, etc, got to be so secure specifically by allowing tens or hundreds of thousands of people to poke at their code and then allowing thousands or tens of thousands of people to fix said vulns pro bono.
I'd be interested to see an estimation of the financial value of the volunteer work on say the linux or various bsd kernels. Imagine the cost of PAYING to produce the modern linux kernel. Millions and possibly billions of dollars just assuming average SWE compensation rates, I'd wager.
Too bad cal.com is too short sighted to appreciate volunteers.
Yeah, and average kernel devs are not average SWEs
The only thing new here is the excuse.
Is there such a thing as a closed source program anymore?
There is no moat anymore.
Look, tech companies lie all the time to make their bad decisions sound less bad. Simple example: almost every "AI made us more efficient" announcement is really just a company making (unpopular) layoffs, but trying to brand them as being part of an "efficiency effort".
I'd bet $100 this company just wants to go closed source for business reasons, and (just like with the layoffs masquerading as "AI efficiency") AI is being used as the scapegoat.
I'm just choosing to focus on the substance of the argument itself, which I think is risible regardless of who makes it and why.
I am now actively rooting for cal.com to go out of business now as a cautionary tale for any company thinking about taking open source projects proprietary.
FOSS || GTFO
Disclosure: I'm the CEO of NeetoCal.
The thing that's always concerned me with them is questions of "what level of access is required to the system(s) actually hosting my calendar data?" and "if this vendor is compromised, what level of access might an attacker in control of the vendor systems have?" Obviously this will vary by what kind of access controls backends have (e.g. M365, Google Workspace, assorted CRM systems, smaller cloud providers, self-hosted providers, etc.).
Edit: basically, with a lot of these systems, what's expected to be the authoritative data provider/storage?
Maybe I'm being critical but the copy gives me the ick
Edit: I just realised this is by cal.com. I'm leaving my comment intact, if anything it adds to my ick