alt.hn

4/17/2026 at 3:36:26 AM

Discourse Is Not Going Closed Source

 https://blog.discourse.org/2026/04/discourse-is-not-going-closed-source/

by sams99

4/17/2026 at 4:35:52 AM

> Open source creates a useful urgency: when your code is public, you assume it will be examined closely, so you invest earlier and more aggressively in finding and fixing issues before attackers do.

This should be the mentality of every company doing open source.Great points made.

by dhruv3006

4/17/2026 at 4:39:47 AM

This should be a mentality of every company building products :)

by necovek

4/17/2026 at 7:20:42 AM

Indeed. All software products you can get your hands on are open source - compiled code is only little more difficult to read than source code, but not that much if you learn how.

Which is why ~all companies switches to offering software as a service, so this mindset doesn't apply :).

by TeMPOraL

4/17/2026 at 1:25:44 PM

> but not that much if you learn how.

Yesterday I threw some ghidra output into an LLM with very little context and got what seemed to be a reasonable run down of the original back. We're probably knocking on the door of being able to throw a binary into an LLM and getting the original program back unless there is active obfuscation done.

It is a very exciting time for anyone who likes playing old, abandoned and buggy games :').

by roenxi

4/17/2026 at 7:54:55 PM

I haven't played much with LLMs for decompilation, but I wonder how viable is using LLMs on binaries to port software to a different language (in combination with source code when available, but binaries might need fewer tokens).

by necovek

4/17/2026 at 3:08:30 PM

As long as obfuscated code is isomorphic to its raw form, it’s sure to be decompilable. As for how much divergence is possible (in obfuscation), my intuition that it is very finite by definition.

by finghin

4/17/2026 at 3:06:50 PM

Ghidra+LLMs really does make this a matter of time if we’re not already there yet.

by finghin

4/17/2026 at 4:51:56 AM

I guess open source makes you more accountable.

by dhruv3006

4/17/2026 at 9:09:42 AM

I sometimes explain open source to people as auditable software.

by graemep

4/17/2026 at 1:58:49 PM

That's a good way to explain it.

by tech_hutch

4/17/2026 at 11:12:32 AM

Also makes it harder to build a business around it.

With that combination no wonder most successful companies are closed source.

by somewhatgoated

4/17/2026 at 7:12:07 PM

[dead]

by Serhii-Set

4/17/2026 at 4:15:17 AM

> I want to be fair to Cal.com here, because I don’t think they’re acting in bad faith. I just think the security argument is a convenient frame for decisions that are actually about something else. […] Framing a business decision as a security imperative does a disservice to the open-source ecosystem that helped Cal.com get to where they are.

That sure sounds like bad faith to me.

by chrismorgan

4/17/2026 at 7:07:50 AM

This rest of the article contrasts the with "I don’t think they’re acting in bad faith"

This bit stands out to me:

> You can’t take five years of community contributions, close the gate, and claim you’re grateful. I don’t think it works that way.

I think it's safe to say that Sam is not impressed with the the Cal.com decision and the way they framed it.

by dirkc

4/17/2026 at 4:28:58 AM

Bad faith requires you to intend it badly, though, not just for it to be bad.

by LoganDark

4/17/2026 at 5:06:20 AM

Framing a business decision as a security imperative sure sounds like intent to mislead to me.

by chrismorgan

4/17/2026 at 5:33:32 AM

Misdirection is normal business practice. For example, Quadpay/Zipco recently made a change where instead of appraising your credit independently for each of their plans, they calculate a total amount you're allowed to have in flight at any given time, and share that across everything. In their FAQ, there is an entry for "Is my purchasing power going down?" and the answer is some bullshit like "Your purchasing power is unified for a simpler and more streamlined experience bla bla" which doesn't actually answer the question. It's meant to defuse questioners without actually revealing that yes, total purchasing power did go down when they decreased the number of buckets that multiplied their appraisal. You're no longer allowed to pay a larger sum of money over a longer period of time - you get one amount that you're allowed over any term, and that amount of lower than what you could've been approved for before. Regardless of whether that's a good or bad decision (good for people with bad impulse control, for example), they are dishonest about it through lawyerspeak, which is the most standard business practice there is. You could argue that plenty of standard business practices are bad faith but I would say the capitalist idea of private corporations in the first place is bad faith.

by LoganDark

4/17/2026 at 6:27:45 AM

How far have we fallen to call misdirection a normal business practice. I agree that it is everywhere but it isn’t or at least shouldn’t be normal.

by spockz

4/17/2026 at 9:47:27 AM

Yeah, there's a difference between normal conduct and normalized conduct. It sure is a sign of the times that people are confused by this.

by soraminazuki

4/17/2026 at 9:57:31 AM

Related: I wish there was a TV show where they would ask simple yes/no questions to politicians and business leaders, but their mic would only be unmuted after they press a "yes" or "no" button.

Answering a yes/no question with a "we're doing everything we can to ensure a smooth experience for our customers" is spindoctoring 101.

by miki123211

4/17/2026 at 10:37:46 AM

But that's not how people generally hold their opinions or even should (I'd argue). You can ask me "Yes or no, should we kill people?" and I can't really give you hard "yes" or "no", there is nuance and context to consider, and probably most beliefs I hold, have some sort of nuance.

Unless you're also asking politicians to all become 100% dogmatic, I don't think that's a realistic suggestion.

by embedding-shape

4/17/2026 at 10:38:46 AM

They’d just press whatever and then start their verbal reply with “yes and no”

by loloquwowndueo

4/17/2026 at 12:35:16 PM

“Have you stopped beating your wife?”

by blipvert

4/17/2026 at 1:08:23 PM

Could you ask misleading questions? Answer yes or no.

by actionfromafar

4/17/2026 at 10:08:11 AM

> Misdirection is normal business practice.

Being normal practice does not make something right.

by dspillett

4/17/2026 at 6:23:28 AM

Misdirection is misleading, and bad faith.

by thedevilslawyer

4/17/2026 at 4:52:36 AM

> dishonest or unacceptable behaviour:

https://dictionary.cambridge.org/dictionary/english/bad-fait...

> I just think the security argument is a convenient frame for decisions that are actually about something else.

That would mean they think it’s bad faith. Claiming to do something because of A but to really do it because of B is dishonest

by croes

4/17/2026 at 4:36:01 AM

The above statement is claiming it likely is intended as something bad though. A convenient coverup.

by Gigachad

4/17/2026 at 4:39:37 AM

Covering something up is not bad faith. PR firms do it all the time (though plenty more do things in bad faith too). If what you're covering up is an explicitly user-hostile decision then maybe that's bad faith if what you're trying to do is trick people. But if you're just lying for brownie points then that's not always bad faith, just dumb.

by LoganDark

4/17/2026 at 5:02:21 AM

Hiding something to manipulate public perception is bad faith.

by pseudalopex

4/17/2026 at 5:36:06 AM

I don't agree with your definition here. Good faith means trying to be correct but potentially not being by accident. Intentionally lying is bad faith and by definition trying to trick people; you know the truth is one thing, but you're saying something else to try to get them to believe it.

by saghm

4/17/2026 at 5:44:03 AM

What I'm saying is that even lying is only bad faith depending on the intent of the lie. That doesn't mean others can't be upset regardless of the lie's intent, but I wouldn't say all lies are bad faith.

by LoganDark

4/17/2026 at 5:57:26 AM

> I wouldn't say all lies are bad faith.

No one said this.

by pseudalopex

4/17/2026 at 3:24:28 PM

I'm saying this: I don't think a lie can be in good faith by definition. Trying to make someone believe something you know isn't the truth is fundamentally bad faith.

by saghm

4/17/2026 at 5:20:44 PM

I thought you said Intentionally lying and bad faith is by definition trying to trick people. But you said Intentionally lying is bad faith and by definition trying to trick people.

I thought your point was intent. Most people would not say to hide Jews from Nazis was bad faith I think.

by pseudalopex

4/17/2026 at 10:06:11 PM

> Most people would not say to hide Jews from Nazis was bad faith I think.

That would be perfectly bad faith to the Nazis. There's no such factor as moral good or bad here; bad faith has more to do the intent you have towards each party. If the intent is to explicitly trick someone towards something you want or away from something you don't want, that is usually in bad faith. (There are some exceptions.) If the intent is just to explain something in a way others will understand, even if your explanation turns out to be (knowingly) inaccurate, that can sometimes be in good faith, though I wouldn't call it good practice.

by LoganDark

4/18/2026 at 2:27:27 AM

I said most people. Not you.

by pseudalopex

4/17/2026 at 8:05:28 AM

> even lying is only bad faith depending on the intent of the lie

And the intent here is to intentionally mislead, so how is that not bad faith?

by swiftcoder

4/17/2026 at 3:33:41 PM

Yeah, I'm pretty confused about what point they're trying to make. Given that a lie is intentionally saying something untrue, there are three possibilities:

1. A is lying to B, and they know that B doesn't know the truth. The intent is to make them believe the lie, which is intentionally misleading them and bad faith

2. A is lying to B, and they aren't sure if B knows it's a lie. The intent is to make them believe the lie, which is intentionally misleading them and bad faith

3. A is lying to B, and they know for sure B knows it's a lie. The intent is either to provoke an emotional reaction from either B or someone observing (which is bad faith), or performative for others who will see the lie and might fall into categories 1 or 2, which is bad faith

I don't understand how anyone could plausibly argue that lying to someone intentionally isn't bad faith. Maybe I'm the one falling for category three here

by saghm

4/17/2026 at 10:15:37 PM

It mostly has to do with the potential effect of believing the lie and your reasons for telling it. If you know that believing the lie results in your advantage and/or someone else's disadvantage, then it's probably bad faith. If you don't know that however, and the intent is not necessarily to mislead, that's not always bad faith. You could argue that the very act of claiming a falsehood to someone is knowingly deceptive and therefore bad faith by definition, but I don't agree that's unconditional.

For example, if I lie to protect both myself and all other parties involved, that sometimes can be in good faith! It can be bad faith if I know that it hurts them and also know a less hurtful alternative, but if I really believe the less immediately hurtful alternative will lead to a worse overall outcome then I can still be acting in good faith. It's really a lot more nuanced than "deception bad". I have to deceive myself all the time to achieve good outcomes! now I wouldn't say my treatment of myself is good faith but I try sometimes.

by LoganDark

4/17/2026 at 1:33:14 PM

[dead]

by redsocksfan45

4/17/2026 at 7:39:49 AM

I've started to opensource my side projects (as long as the code is in a state that I'm not too ashamed of). Seeing how easily I can reverse engineer binaries, clone various applications, and just generally build stuff from scratch with AI assistance, I think there is no moat in hiding your source code. If you can use my code to build something better than me, I wish you the best of luck!

by glerk

4/17/2026 at 7:42:25 AM

[dead]

by sieabahlpark

4/17/2026 at 8:59:58 AM

Instead of Microsoft snooping my code, now everyone can!

by ramon156

4/17/2026 at 6:39:59 PM

I’d rather next models be trained on my code than all that slop that’s out there. Hell really is other people’s code.

by glerk

4/17/2026 at 5:48:43 AM

"over a decade ago, the repository has been licensed under GPLv2. And that’s not changing"

Well - people can continue the GPLv2 fork anyway. So ultimately what Cal.com would do here does not matter; that's the beauty of GPL in general. It is a strict licence. I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.

> That code is exposed to constant scrutiny from attackers, defenders, researchers, cloud vendors, and maintainers across the globe. It is attacked relentlessly, but it is also hardened relentlessly.

It is clear that there is a business decision with regards to Cal.com jumping away from discourse, but the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember xz utils backdoor? Now, people noticed this eventually. Ok. How many placed trojans exist that people are unaware about? Perhaps there are more sophisticated backdoors. Perhaps AI is also used to help disguise them. I don't think that merely because something is open source, means it is automatically good or better with regards to security. Can you trust software? In California there are recent censorship bills to restrict 3D printing further, allegedly to curb on plastic guns (but in reality sponsored by lobbyists from the industry). Can a 3D printer print out a 3D printer that is not restricted? Is the state sniffing after people via laws not also a restriction? I guess it is possible to ensure a clean open hardware and open software system acting in tandem. But you kind of have to show that this is the case. See this old discussion about Trust, on reddit: https://old.reddit.com/r/programming/comments/1m4mwn/a_simpl...

by shevy-java

4/17/2026 at 7:38:22 AM

> the claim that open source is automatically better than closed source, when it comes to security, is also strange. Remember xz utils backdoor?

The XZ attack is an extremely rare event coming likely from a state actor, which actually proves that FLOSS is a big target not easy to attack without huge effort. It was also caught not least thanks to the open nature of the repository. Also, AFAIK it wasn't even a change in the repo itself.

In short, using FLOSS is the way to ensure security. Whenever you touch proprietary staff, be careful and use compartmentalization.

by fsflover

4/17/2026 at 11:41:21 AM

Yeah I found this comment to be weird. At least the XZ backdoor was found before it went live anywhere. How many companies were hit by the Solarwind supply chain attacks?

by Orygin

4/17/2026 at 9:40:17 AM

> I think GPLv2 was the better decision for the Linux kernel than, say, BSD/MIT.

I differ here. The reason why the corporations run Linux Foundation which pays Linus is cos of this license. Otherwise, they would take what they want and not interfere like they do with FreeBSD and OpenBSD. BSD/MIT leads to better compliance.

The only reason it stays this way is cos Linus owns the trademark. Wait until Linus steps down. Most likely a someone who aligns more with corporates will take charge and you'll see changes then.

If interested - https://www.unsungnovelty.org/posts/05/2023/open-source-proj...

by unsungNovelty

4/17/2026 at 6:38:40 AM

That's quite the thread. It seems like a good chunk of posters didn't even begin to grasp the point.

by Chaosvex

4/17/2026 at 7:24:20 AM

We're talking about SaaS businesses anyway. Open Source doesn't really matter there - you never actually know what's running on their servers.

by TeMPOraL

4/17/2026 at 7:33:58 AM

Unless this is AGPL.

by fsflover

4/17/2026 at 9:24:30 AM

Nope. You can never verify they run the same code from their repo. You cannot physically access their system after all.

by maxloh

4/17/2026 at 10:20:42 AM

Illegal actions are often hard to prove, and yet laws somehow work in general. Same here with obeying the license.

by fsflover

4/17/2026 at 10:48:13 AM

Great piece. I thought the same of Cal's announcement; it basically boiled down to "we're willing to shift our entire business to a security-through-obscurity approach." It won't be long until systems are sophisticated enough that they can target an application over the course of a weekend, and try thousands of exploits across each possible endpoint you offer, to see what happens, regardless of whether or not your source code is public.

Anyone who's launched anything on the web -- anything at all -- and looked at the logs will see all sorts of endpoints being requested for /wp-admin/ or random WordPress plugins, even if their site has never, and will never, run WordPress. Imagine this at scale, with every possible attack method imaginable, blindly hitting everything on the web. That's where I think we're headed, and closed source won't fix that.

by cowsup

4/17/2026 at 4:28:02 AM

This article raises a lot of good points that strengthen the argument against keeping models away just because they're "too powerful". I remain disappointed to see AI corporations gloating about how powerful their private models are that they're not going to provide to anyone except a special whitelist. That's more likely to give attackers a way in without any possibility for defense, not the other way around.

by LoganDark

4/17/2026 at 4:33:54 AM

I think the "too powerful" is a convenient half-truth that also helps with marketing, and more importantly keeps the model from being distilled in the short term. They'll release it "to the masses" after KYC or after they already have the next gen for "trusted partners".

by NitpickLawyer

4/17/2026 at 4:37:14 AM

I feel bad for Anthropic because they thought Persona was an acceptable KYC provider. It probably was a genuine mistake. I might have to leave them over that, if they think it's fun to ask me to give Peter Thiel my ID to persist indefinitely on Persona's servers!!!

by LoganDark

4/17/2026 at 12:16:09 PM

> If your code is open source, your security team can scan it, your contributors can scan it, and independent researchers can scan it too.

Literally! If everyone can access the same system as Claude's Mythos, one solution is to have more people trying to identify your issue before the hackers have the chance to do it.

by eaf7e281

4/17/2026 at 9:16:09 AM

too bad. i wish they would go closedsource so that maybe everyone would stop using it. it's dogshit for countless reasons. including:

- refuses to even load on browser engines older than 2 years. for a webforum that's absolutely appaling. there's a barebones non-JS version. but it only loads for individual threads (not the forum homepage or anything else), so they must be linked to directly (e.g from a websearch engine)

- every single page navigation triggers the circle animation which blocks the view for up to 3 seconds. how is this not an obvious regression on webforum software that has existed for decades?

- various nonsensical functionality suggests an incoherent code base. like the input element for the searchbox disappearing if the browser window loses focus. if you switch tabs midway for whatever reason, you need to reopen the searchbox every time you get back. and you can't use an external editor to fill in the input. because as soon as you've focused the editor, the element that the editor hooked into no longer exists

- search results are crammed in a narrow responsive list with 5 entries. you need to press 'More' to see the rest of the results as yet another responsive list. you never know how many results there are in total. only that there are more than ones that loaded so far

- long threads are never rendered fully. only as incomplete chunks. so it doesn't work to set positional markers in the scroll buffer to jump back and forth. as soon as you scroll past the boundaries of the currently loaded chunk, the old content gets destroyed and replaced. it feels like having alzheimer's

- you can reply to any specific post in a thread and there will be a visual indicator about which post you replied to. except if you reply to the most recent post in a thread. so someones who reads a post has no way of knowing in advance whether it is being addressed to the post just above it, or to the thread as a whole

i hate discourse so much. i'll never understand why it got so much adoption by FOSS communities. it must be the virtue signalling

by negura

4/17/2026 at 12:24:05 PM

I'm not sure where this heat comes from, but what constitutes a "good" forum in your opinion? I would love to check it out.

by eaf7e281

4/17/2026 at 12:39:18 PM

while I've just been on forums that have been using xenoforo, I found it a better experience than those running Discourse

by baud147258

4/17/2026 at 1:36:13 PM

+1 for xenForo. IMO it has a much nicer UX than Discourse, if only because it uses a more traditional approach.

by LorenDB

4/17/2026 at 9:49:09 AM

These are various reasons why I also opted to not use it when it was finally time to retire vBulletin 3. We never did adopt vB 4 or 5, because while I'm sure the code was "better" from a software engineering perspective (using classes/OOP etc), it was also noticably slower, and the original developers had either been ousted or sold out.

The original vB developers built Xenforo, which is still in the spirit of vB 3 but with some modern amenities like live updates and the like.

I also found Discourse to be... challenging to self-host.

by Cthulhu_

4/17/2026 at 10:19:11 AM

> I also found Discourse to be... challenging to self-host.

Made a completely different experience. Every once in a while you have to run a command. Over the last 10-12 years there were I think 2 problems where this did not work out of the box.

by karussell

4/17/2026 at 1:37:34 PM

You forgot one of the worst parts: the Discobot that tries to make you run through a tutorial every. single. time. you sign up for a Discourse forum.

by LorenDB

4/17/2026 at 7:54:33 PM

yes! another one i forgot: all the bullshit notifications about level promotions, earning badges and "thanks for spending time with us" inbox spam.

by negura

4/17/2026 at 12:07:07 PM

> must be the virtue signalling

I wish you folks could understand how clownish you sound.

by nixosbestos

4/17/2026 at 3:14:34 PM

I do feel like this sinks a post of otherwise reasonable complaints. What "virtue signaling" is discourse even being accused of?

by thunderfork

4/17/2026 at 7:58:28 PM

i was referring to the blog post. where they pride on having courage to uphold the values of the opensource ecosystem.

by negura

4/17/2026 at 11:45:31 AM

I hate most of all the information black hole that is discord. I am member of several communities, where difficult issues are being solved using complex new software releases, but if you do not sit and watch the stream for the specific things you want, forget about finding anything useful you want.

Discord is bottomless sea of the same question being asked over and over and over, and the original question poster never seeing their replies. If there was not a notification when your own messages are replied, Discord would be 100% worthless.

by bsenftner

4/17/2026 at 4:13:19 PM

Does someone know which tools they are using for the multi day code ai code review?

by K0IN

4/17/2026 at 4:11:50 AM

> Large parts of it are delivered straight into the user’s browser on every request: JavaScript, …

Ooh, now I want to try convincing people to return from JS-heavy single-page apps to multi-page apps using normal HTML forms and minimal JS only to enhance what already works without it—in the name of security.

(C’mon, let a bloke dream.)

by chrismorgan

4/17/2026 at 4:28:54 AM

There are a lot of things to hate in the Web3 world. Lack of back button form resubmission or redirect loops is a strange thing to dislike though.

by ironmagma

4/17/2026 at 4:51:00 AM

The web has grown so hostile lately that javascript is honestly not safe or useful anymore. the only thing it's used for is serving ads and trackers and paywalls, if i can't read a website with no script enabled it's not meant for me and im just not reading it.

by kelsey98765431

4/17/2026 at 5:03:02 AM

I concur that most web sites could use less JavaScript. And a lot of (but not all) cosmetic uses for JavaScript can be done in CSS.

Of course for web apps (as distinct from web sites) most of what we do would be impossible without JavaScript. Infinite scrolling, maps (moving and zooming), field validation on entry, asynchronous page updates, web sockets, all require JavaScript.

Of course JavaScript is abused. But it's clearly safe and useful when used well.

by bruce511

4/17/2026 at 6:29:02 AM

Infinite scrolling is JavaScript abuse. Pagination is much better for letting people keep track of their progress and time.

by sebbadk

4/17/2026 at 6:30:31 PM

Infinite scrolling is just a feature. It can be used for good or evil.

by bruce511

4/17/2026 at 1:40:19 PM

> web apps

See, that's where we went wrong. IMO the web is for web sites. Co-opting the browser for full applications has led to the significant degradement of modern software. If we must have a "write once, run anywhere" approach for modern development, can we at least use WASM bytecode and build a dedicated runtime that doesn't use the browser for GUI output?

by LorenDB

4/17/2026 at 6:34:00 PM

You are of course entitled to your opinion. And you're free to code apps for any platform or language you like.

Clearly though the world is using the web platform for writing applications. And I for one like the fact I can book a car, buy a secondhand book, or leave a restaurant review from a generic place that just works on all my devices.

by bruce511

4/17/2026 at 11:05:15 AM

Their own software has become so bloated that now they're pivoting to bandwagon marketing. Soon some corporate enshittification platform will buy them.

by drambledon

4/17/2026 at 2:28:08 PM

Thanks for this great comment that adds tremendous value to the discussion.

by robinhood

4/17/2026 at 5:16:25 AM

Never used it as it asks me to burn an email address to post.

by jonahs197

4/17/2026 at 10:15:57 AM

Thanks for letting us know. We were all wondering.

by dspillett