Unpacking Cal.com’s break from open code
Plus: Expo bets on React’s agentic future, and more.
Hi folks,
This week’s lead story looks at Cal.com moving its core codebase behind closed doors, as the company argues that AI-driven vulnerability discovery is making open development harder to defend.
Elsewhere, Expo hires Meta’s former React lead as it raises fresh funding and launches a new agent for building mobile apps; France pushes ahead with plans to move public systems from Windows to Linux; and a mix of security issues, new tools, and governance updates continue to shape the open-source ecosystem.
As usual, feel free to reach out to me with any questions, tips, corrections, or suggestions: forkable[at]pm.me.
Paul
<Open issue>
Cal.com draws a line under open source
AI is putting new pressure on open source. Maintainers are already battling a surge of machine-generated “AI slop,” but the bigger challenge might be just beginning: tools that can scan codebases and surface vulnerabilities at scale.
Last week I reported on Anthropic’s Claude Mythos and Project Glasswing, and the rise of AI systems that can hunt for vulnerabilities in widely used software. This week, Cal.com, an open-source Calendly alternative that provides scheduling infrastructure for developers, is pushing its core codebase behind closed doors.
Cal.com has moved its main production codebase into a private repository, while releasing a stripped-down, MIT-licensed community version called Cal.diy for self-hosting.
CEO Bailey Pumfleet argues that openness now comes with a cost. He said access to source code lowers the barrier to finding weaknesses. “It’s easier to perform a bank heist if you have the blueprints to the vault,” Pumfleet said. “It’s a lot easier to see the inner workings of something and reverse engineer it to find a vulnerability.”
Asked whether stronger hardening could offset the risk, Pumfleet said: “Simply having the code open increases the risk dramatically.
“It’s not closing the code or hardening it; it’s just that we’re doing both,” he continued. “Simply hardening it does not decrease the risk enough.”
The argument arrives as tools like Mythos have shown they can uncover vulnerabilities that sat undetected for decades, including a flaw in OpenBSD dating back 27 years.
Not everyone accepts this logic, however. Critics argue that closing code reduces the number of people who can find and fix bugs, and that security depends on scrutiny rather than secrecy. Others suggest the move reflects commercial pressure dressed up as a security decision.
Developer Simon Willison pointed to recent analysis by Drew Breunig, which argues that AI-driven vulnerability discovery raises the cost of securing software for everyone — and that open source helps spread that burden across a wider pool of contributors, rather than concentrating it within a single company.
Pumfleet, for his part, agrees with this view, but said that it all comes down to a question of resources. He said approaches that rely on continuous, large-scale analysis would require budgets Cal.com doesn’t have, adding that closing the codebase is “the biggest method of risk reduction we can take right now to secure our customers.”
There is also a longer history behind such actions. Companies built on open source have frequently restricted access to parts of their codebases — whether through licensing changes, enterprise carve-outs, or fully closing core components. That context has led some critics to question whether security is the sole driver here, or whether it also serves as a justification for tighter control.
Pumfleet rejects that framing. “The decision is entirely about security,” he said. “We already have control over the product being open source, and we don’t really stand to gain much from being closed source. It’s really just a question about de-risking on the security side.”
Read more: The New Stack | Cal.com | Drew Breunig
<Patch notes>
Expo hires Meta’s React lead, launches agent, nabs $45M
Open-source React Native development platform Expo has hired Meta’s former React lead Seth Webster, who most recently served as executive director of the newly formed React Foundation after Meta donated the project to it.
In tandem, Expo also announced $45 million in funding and the launch of Expo Agent. Expo sits on top of React Native, handling much of the infrastructure needed to ship apps, and it’s now pushing into agent-driven development by combining code generation with deployment and testing.
Read my interview with Seth Webster for The New Stack on the link below.
Read more: The New Stack
France ditches Windows for Linux
In yet another sovereign tech push from Europe, France is moving public sector systems off Windows and onto Linux to reduce reliance on US tech vendors.
Read more: TechCrunch
EU age-checking app already cracked
The EU is rolling out an open-source age verification app, but hackers say they broke it in minutes. It raises questions about whether these systems can actually protect kids — or just create new risks.
Read more: European Commission | Politico
Backdoors found in WordPress plugins
Dozens of WordPress plugins used by thousands of sites were found with hidden backdoors.
Read more: TechCrunch
Microsoft shares Surface data with Linux Foundation
Microsoft is handing over key Surface device data to the Linux Foundation’s Battery Data Alliance to help improve battery life on Linux.
Read more: TechRadar
Nvidia launches quantum-focused AI models
Nvidia unveiled new open models aimed at accelerating quantum computing research.
Read more: Tom’s Hardware | Nvidia
Mozilla launches Thunderbolt AI client
Mozilla has launched a new AI client called Thunderbolt, focused on running models locally or in self-hosted setups. The pitch is tighter control over data and infrastructure, aimed at developers and teams who don’t want to rely on hosted AI services.
Read more: Ars Technica | Thunderbolt
Vercel open-sources AI agent framework
Vercel released Open Agents, a toolkit for building custom AI coding agents. The idea is to let companies run their own agents on their own infrastructure, rather than relying on hosted tools.
Read more: Tessl
Laude’s moonshots
Laude Institute, a nonprofit funding critical open research, has unveiled eight academic teams as finalists in its new “Moonshots” program. The groups are working in the open and will compete over the next six months for $10M lab-scale funding to help solve “humanity’s hardest problems.”
Read more: Laude Institute
OSI names new executive director
The Open Source Initiative (OSI) has appointed Duane O'Brien as executive director, some six months after his predecessor Stefano Maffulli announced he was stepping down.
Read more: The Open Source Initiative
<Final commit>
Linux allows AI! But not the sloppy kind…
Linux 7 landed this week, bringing the usual mix of hardware support updates, performance tweaks, and under-the-hood changes that keep the kernel ticking.
However, arguably the more interesting facet was a little tidbit that came alongside it: a new policy on AI-assisted contributions to the kernel. AI tools are officially allowed, but with important caveats.
AI agents mustn’t add “Signed-off-by” tags, with only humans able to legally certify the Developer Certificate of Origin (DCO).
As per official documentation, the human submitter is responsible for:
Reviewing all AI-generated code
Ensuring compliance with licensing requirements
Adding their own Signed-off-by tag to certify the DCO
Taking full responsibility for the contribution
Put simply, AI is allowed, but no slop.
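The policy above boils down to a check a maintainer can run before accepting a patch: every commit needs a Signed-off-by trailer, and that trailer must not come from an AI agent. The following is an added example of such a check, not kernel tooling; the commit messages are constructed, and the patterns used to spot agent identities are an assumption standing in for whatever list a project actually maintains.

```python
import re

# Constructed sample commit messages (not from the kernel tree). As in real
# kernel patches, the final paragraph holds the git trailers.
SAMPLE_COMMITS = [
    "mm: fix off-by-one in page walk\n\nReviewed by a human.\n\n"
    "Signed-off-by: Ada Example <ada@example.org>\n",
    "net: tidy error path\n\n"
    "Signed-off-by: Code Agent <agent@example-ai.invalid>\n",
    "fs: add missing unlock\n\nNo trailer at all.\n",
]

# Assumed patterns for identities that look like AI agents rather than people;
# a real project would keep its own list of known tool identities.
AGENT_PATTERNS = [r"\bagent\b", r"\bbot\b", r"example-ai\.invalid"]

TRAILER_RE = re.compile(r"^Signed-off-by:\s*(.+)$", re.MULTILINE)


def signoffs(message):
    """Return the Signed-off-by values found in the trailer paragraph."""
    paragraphs = message.strip().split("\n\n")
    return TRAILER_RE.findall(paragraphs[-1])


def looks_like_agent(identity):
    """True if the sign-off identity matches one of the agent patterns."""
    return any(re.search(p, identity, re.IGNORECASE) for p in AGENT_PATTERNS)


def check_commit(message):
    """Return a list of policy problems; an empty list means the commit passes."""
    problems = []
    tags = signoffs(message)
    if not tags:
        problems.append("missing Signed-off-by: a human must certify the DCO")
    for ident in tags:
        if looks_like_agent(ident):
            problems.append(f"Signed-off-by from an apparent AI agent: {ident}")
    return problems


if __name__ == "__main__":
    for msg in SAMPLE_COMMITS:
        print(msg.splitlines()[0], "->", check_commit(msg) or "ok")
```

In practice the same function would be fed the output of `git log --format=%B` for each commit in a series rather than the embedded samples.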
Read more: The Register | GitHub