Open Source Code Security Under Threat: How Cal.com’s License Shift Endangers the Ecosystem (2026)
Open source code security is facing new challenges as projects like Cal.com abandon AGPL-3.0 licensing, sparking concern among developers and enterprises alike. Such shifts undermine trust and expose critical infrastructure to compliance risks.

Open Source Code Security at Risk Amid Licensing Shifts
Open source code security is under growing strain as prominent projects reconsider their licensing models, abandoning copyleft frameworks like AGPL-3.0 in favor of more restrictive terms. The recent decision by Cal.com to close its commercial codebase — after years of operating under the Affero General Public License — has sent shockwaves through the developer community. This move isn’t isolated; it reflects a broader trend where companies prioritize proprietary control over collaborative openness, potentially eroding the foundation of secure, community-driven software.
Why AGPL-3.0 Matters for Software Security
The AGPL-3.0 license was designed to close the "application service provider loophole" in the GPL: modified versions of the software that are run as cloud-based services, not just distributed copies, must have their source made available under the same terms. This strengthened reciprocity was seen as essential for preserving transparency and security in distributed systems. According to LWN.net, the GPL and its variants like AGPL were historically viewed as "scary" by businesses due to their strong copyleft provisions, yet those same provisions became a bulwark against proprietary enclosure of public code.
How Cal.com’s Shift Impacts Enterprise Adoption
Cal.com’s departure from AGPL-3.0 raises questions about the sustainability of community contributions. Developers who invested time improving the platform now face uncertainty: their work may be absorbed into closed systems without reciprocal benefit. This mirrors broader industry patterns where corporate interests override community norms, as noted in NSFOCUS’s analysis of open-source license changes, which warns that abrupt licensing shifts can introduce legal ambiguity and erode trust among contributors.
The Enterprise Dilemma: AGPL vs. Permissive Licensing
Meanwhile, enterprises like Google maintain strict internal policies against AGPL-licensed code, as documented on Hacker News. Google’s open-source policy explicitly prohibits AGPL software due to its requirement that network-delivered services must release their modified source code — a condition incompatible with proprietary cloud architectures. This institutional resistance reinforces the tension between open collaboration and commercial scalability, further isolating AGPL projects from enterprise adoption.
Supply Chain Risks from Unilateral License Changes
The consequences extend beyond legal compliance. When core infrastructure tools transition from open to closed models, security audits become fragmented. Community-driven vulnerability disclosures slow down, and patching delays increase. NSFOCUS highlights that license changes often occur without adequate community consultation, leaving downstream users exposed to unanticipated compliance risks and potential software supply chain vulnerabilities.
Protecting the Open Source Commons
Open source code security thrives on transparency, accountability, and shared responsibility. When key projects abandon licenses designed to preserve those principles, the entire ecosystem weakens. The Cal.com case is a bellwether: if more projects follow suit, the open source model risks becoming a curated marketplace of isolated components rather than a resilient, interconnected commons.
As corporate interests reshape the licensing landscape, the open source code security model faces its most significant challenge since the rise of proprietary cloud platforms. Without collective action to protect reciprocal licensing, the very foundation of collaborative innovation — and the security it enables — may erode beyond repair.

