The AGPL is more to clear up confusion and try and limit people ripping off our software.
Open source definitely isn’t a growth strategy for us. We’re huge open source fans, and do actually believe in what it stands for. We’re open source for a number of other reasons, such as longevity, privacy and genuine passion for OSS software (I’ve wrote more about this in other comments here).
However, yes, we are a company that is VC-backed, and so we have to make some decisions that are for the business side of things, and switching to AGPL is one way of cutting down on people trying to create rip off versions of our product.
Folks can still rip off/sell your software (even as a managed service) with the AGPL, as long as they share the source code of their version of cal.com
All we need is a name and email for your guest. All data is being handled in a way that’s secure and private (we’re open source, you can check the code that touches your calendar), plus for internal security we are SOC 2 compliant and 99% of the way HIPAA compliant.
You surely could be hacked, and while it unfortunately could be said about pretty much anything, this particular case doesn't seem to justify passing PII to the second party.
I figured it out, basically, the start-time is constrained by the end-time, which is why I couldnt change the start-time until I changed the end-time first. It wasnt obvious at first, but makes sense. That said, i do wonder if a better UI control would make the operation more obvious.
First is longevity. Especially considering we’re a startup, if a huge company is evaluating using our product, they’re going to wonder if we’re going to disappear in a few years. Open source doesn’t disappear: https://cal.com/blog/longevity
Secondly is that we’re a developer focused product, and so making it open source for hobbyists to play around with is a great way to introduce people to our product with the hopes that one day they’ll build their next company using our scheduling (so it does help as a sales channel, although definitely not the primary reason)
Also transparency and privacy. Users know how their data is being handled, which for me personally is a huge plus. I want to know what the software is doing if I’m giving it access to my calendar.
There are a few other reasons too, maybe I’ll write something on the Cal.com blog
We’re experiencing our biggest spike in signups yet (see cal.com/open for the data), so our database got overwhelmed for a second. Rest assured, we’re on it :)
That’s a great question. When you connect your calendar with most scheduling apps, there’s really nothing stopping most of them from doing malicious things behind the scenes with your data. You don’t really know if they’re just querying your availability, or actually pulling specific event data.
With Cal.com, that’s different. Since day one, I built it to only check free/busy times and that hasn’t changed. Also, as it’s open source, you can literally go on GitHub and verify what I’m saying, as well as comb through every line of code that touches your calendar.
It’s the same principle that keeps something like the Linux kernel free of malicious software. There’s enough contributors from around the world that audit and review the code, that you can ultimately trust that there’s nothing malicious going on behind the scenes.
Also just to clarify, with how most major providers’ permission systems work, it’s scoped that we can only access your calendar data, and not contents of your email and such.
I'm not even so much concerned with services like yours doing something malicious behind the scenes - I'm much more concerned about them being hacked/compromised in such a way that saved tokens could be used by an attacker. Maybe I'm wrong, but I suspect that there are services that get granted calendar, email, file access that could be considered much 'squishier' targets than the underlying services they connect to.
So, if you're getting the minimum viable amount of access to someone's calendar, what's the worst that could be done by an attacker with persistent access to your backend systems, and how does it vary between different services you connect to (e.g. Google, M365, Outlook.com, Zoom, etc.)? This isn't even really about your software, more about "how restricted do the underlying services allow my access to be?"
Hey - one of the cofounders here. It’s exactly this.
I totally get the point that’s being made, but to be able to have a product which is good enough to sell, we have to be able to cater to the hundreds of features that customers tell us we need.
Everything we build is entirely community and customer demand driven, so effectively all of these features are in place to support every different use case that customers require as part of their scheduling needs.
We are looking at ways to make the app simpler, with the advanced options still readily available for those who need it. For example, some of our advanced features are hidden as apps which you install to be able to see their options. However if anyone here has further ideas, feel free to create a ticket on GitHub. We’d love your input!
FYI: On the landing page I was able to book an appointment without filling in a name or email address - at least it told me that the booking is confirmed - not sure if that is on purpose.
Open source definitely isn’t a growth strategy for us. We’re huge open source fans, and do actually believe in what it stands for. We’re open source for a number of other reasons, such as longevity, privacy and genuine passion for OSS software (I’ve wrote more about this in other comments here).
However, yes, we are a company that is VC-backed, and so we have to make some decisions that are for the business side of things, and switching to AGPL is one way of cutting down on people trying to create rip off versions of our product.