News

Open Source Daily Briefing

Cal.com goes closed source citing AI threats, Vim forks emerge over AI contributions; GitHub buckling under 275M agent-driven commits per week, OpenSSL 4.0 ships with post-quantum crypto, MiniMax open-sources self-evolving M2.7, and more.

A weekend mix of existential licensing debates, infrastructure strain, and milestone releases. Here’s what matters today.

Cal.com goes closed source, blames AI-powered threats

After five years as one of the most visible open-source scheduling platforms, Cal.com announced on April 14 that it’s going proprietary. Co-founder Peer Richelsen cited the speed at which AI tools can now scan and weaponize publicly available source code: “Open source security always relied on people to find and fix any problems. Now AI attackers are exploiting that transparency.” The company is releasing a stripped-down fork called Cal.diy under MIT for hobbyists, but the production codebase — with its rewritten auth and data-handling layers — goes behind a wall. The timing is notable: this lands the same week as the Black Duck OSSRA report showing vulnerability counts doubling across open-source codebases. Whether you see Cal.com’s move as a pragmatic security decision or a convenient excuse to recapture commercial value, the community reaction has been split. Expect this to become a case study cited by both sides of the “does open source make you less secure?” argument for years.

GitHub is buckling under AI agent traffic: 275 million commits per week and counting

The numbers are staggering. GitHub is processing 275 million commits per week as of April 2026, putting it on track for 14 billion this year — a 14x year-over-year explosion driven almost entirely by AI coding agents. Pull requests opened by agents surged from 4 million in September 2025 to 17 million in March 2026. The platform has visibly struggled: five incidents in the first two days of April, with an April 9 degradation seeing 84% of Copilot agent session requests fail and wait times peak at 54 minutes. GitHub Actions usage hit 2.1 billion minutes per week — quadrupled from 2023. The uncomfortable tension: most of these commits come from unpaid agents consuming compute on free tiers. “Open and free” and “14 billion commits a year” are rapidly becoming incompatible, and GitHub’s Azure migration (targeting 50% of traffic by July) is compounding the strain. This isn’t just a GitHub problem — it’s an open-source infrastructure sustainability question.

Vim splits in two over LLM-generated code contributions

Two independent forks of Vim have emerged in response to the upstream project accepting AI-assisted code contributions. Drew DeVault announced Vim Classic, forked from Vim 8.2.0148, focused on legacy compatibility and honoring the pre-Vim9 codebase — he’s already backported CVE fixes and build toolchain updates. Meanwhile, a developer called NerdNextDoor published EVi on Codeberg, forked from v9.1.2073 with a permanent-ban enforcement clause for AI-generated contributions. The forks are philosophically distinct — Vim Classic is a conservative maintenance branch, EVi is a modernization effort with a strict no-AI policy — but both signal genuine community anxiety about provenance and trust in foundational developer tools. Whether either fork sustains a contributor base remains to be seen, but the LWN coverage generated hundreds of comments and real engagement. This isn’t just a niche concern anymore.

Black Duck OSSRA 2026: open source vulnerabilities doubled, license conflicts at all-time high

The 2026 Open Source Security and Risk Analysis report, based on audits of over 900 commercial codebases across 17 industries, paints a grim picture. The mean number of open source vulnerabilities per codebase surged 107% to 581. Of the audited codebases, 87% contained at least one vulnerability, 78% contained high-risk ones, and 44% had critical-risk issues. But the licensing data is arguably more alarming: 68% of codebases now have license conflicts — the largest single-year jump in OSSRA history — driven in significant part by what Black Duck calls “license laundering,” where AI code generation tools produce GPL-derived code without preserving the original license metadata. The mean number of files per codebase grew 74% year-over-year, the average number of open source components increased 30%, and only 24% of organizations perform comprehensive IP, license, security, and quality evaluations for AI-generated code. If you’re shipping software with AI-assisted development and don’t have a license compliance workflow, this report is your wake-up call.

OpenSSL 4.0 ships with Encrypted Client Hello and post-quantum cryptography

Released April 14, OpenSSL 4.0.0 is the most significant OpenSSL release in years. The headline features: Encrypted Client Hello (ECH) support that encrypts the initial TLS handshake to hide the Server Name Indication, post-quantum cryptography support including ML-DSA-MU and hybrid SM2-MLKEM groups, and RFC 8998 compliance. On the cleanup side, SSLv3 support is fully removed (deprecated since 2015), the legacy ENGINE API is gone entirely, and the SSLv2 Client Hello format is dead. For anyone maintaining TLS-dependent infrastructure — which is effectively everyone — this is a mandatory evaluation. The API changes mean applications built against older versions will need updates, making this a non-trivial migration. Support runs through May 2027.

MiniMax open-sources M2.7, a self-evolving 230B-parameter agent model

Released April 12 on Hugging Face and GitHub, MiniMax M2.7 is a 230-billion-parameter mixture-of-experts model (10B active per token, 256 experts, 200K context) that MiniMax claims is the first model to “deeply participate in its own development cycle.” The self-evolution claim is the interesting part: M2.7 was used to write significant portions of its own training and evaluation infrastructure. On benchmarks, it scored 56.22% on SWE-Pro and 57.0% on Terminal Bench 2, with a GDPval-AA ELO of 1495 — the highest among open-source models. The weights are fully open, and the release includes OpenRoom, an interactive agent demo mostly written by the model itself. In a month where Meta is pulling back from open-weight releases, a Chinese lab shipping a frontier-competitive model with open weights is a meaningful counterpoint.

Fedora 44 delayed again — now targeting April 28

Fedora 44 has hit its second release delay, pushed from the original April 14 target to April 21, and now to April 28. The blockers span KDE setup issues, NVIDIA driver problems, GRUB bugs, and systemd regressions — a reminder that shipping a modern Linux distribution means coordinating an enormous dependency surface. Community go/no-go meetings on April 22-23 will determine whether the latest target holds. With Ubuntu 26.04 LTS arriving April 23, Fedora’s delay means two of the most-watched distro releases of the year land in the same week — assuming Fedora’s blockers get resolved. Given Fedora’s track record of not shipping until quality gates pass, the delay is arguably a feature, not a bug.

Anthropic’s Claude Code source accidentally ships to npm — community forks it within hours

In what might be the most consequential packaging mishap in recent memory, Anthropic inadvertently published Claude Code’s entire unobfuscated TypeScript source via a misconfigured debug file in version 2.1.88 on npm. The leak exposed nearly 2,000 internal files and over 512,000 lines of code. Within hours, the repo hit 25,000+ GitHub stars, and someone had rewritten the entire thing in Python using OpenAI’s Codex. The community reaction ranged from genuine architectural analysis to conspiracy theories about it being an intentional open-sourcing move. Regardless of intent, the incident demonstrated how quickly AI-assisted development can clone and reimplement a complex codebase — an ironic echo of the Cal.com argument about AI making source code exposure more dangerous.

Google celebrates A2April — the Agent-to-Agent protocol turns one under the Linux Foundation

Google’s Agent-to-Agent (A2A) protocol, originally announced April 9, 2025, and donated to the Linux Foundation in June 2025, is marking its first anniversary with a month of community events and content. The milestone is worth noting not for the celebration itself but for what it represents: A2A and MCP are now the two dominant open standards for agent interoperability, both governed by the Linux Foundation, both with multi-vendor backing. A year ago, the agent protocol space was fragmented and vendor-locked. Today it’s converging around open specifications — a trajectory that mirrors how HTTP, OAuth, and container standards evolved, and one that suggests the “which agent framework?” question will increasingly be answered by “whichever one speaks A2A and MCP.”