Bambu Lab makes the best, most accessible 3D printers yet, but that reputation is suddenly under siege. It all started when Paweł Jarczak received a private message from the company on Reddit asking him to delete his code. Now the 3D printing community is lining up behind Jarczak to fund a war against Bambu — and the future of 3D printers could be at stake.
Jarczak is a developer who shared a way to let people remote control their Bambu printers without using Bambu software. But Bambu wanted to lock down its system, despite relying on open-source code. That provoked a furious coalition of open-source advocates and YouTubers to respond.
“I’ll put up $10,000 to teach bambu labs a lesson,” declared consumer rights advocate Louis Rossmann, pledging to help defend Jarczak in court.
“I’m never buying a Bambu Lab 3D printer again,” stated maker Jeff Geerling, adding that he’d gladly chip in too. (He’s changed the YouTube title since.)
“Go fuck yourself, Bambu,” wrote GamersNexus, pledging to commit $10,000 as well. (It’s also halting previously unannounced plans to buy $150,000 of Bambu hardware for a 3D printing project, editor-in-chief Steve Burke tells The Verge.)
If that wasn’t enough, Rossmann, Burke, and thousands of other open-source advocates are daring Bambu to take legal action — they’re each forking the code Bambu was hoping to suppress. As of Monday, so is the Software Freedom Conservancy, which is now hosting an entire project to reverse engineer Bambu’s code and says it will serve as a Bambu watchdog.
“They’re bad actors, straight-up, and the community should do whatever we can,” Bradley Kühn, father of the AGPL open-source license and policy fellow at the Software Freedom Conservancy, tells The Verge.
But why is everyone so mad that Bambu’s printers don’t work perfectly with third-party apps? Are Bambu’s actions really that egregious, or is it just trying to protect its ecosystem? I spoke to Bambu, Jarczak, lawyers, and others to understand. Both Bambu and Jarczak shared copies of their private communications for this story with The Verge, each eager to set the record straight on what actually happened.
This is the story of how everything went wrong, and how it could become right again.
What is actually going on with Bambu and Paweł Jarczak?
On April 22nd, when Bambu first reached out to Jarczak in a Reddit private message, its tone seemed polite. Bambu suggested it was warning Jarczak of upcoming changes that could prevent his code from working. The first DM concludes: “we kindly ask you to consider removing the current connection approach, as it mimics official Bambu Lab software.”
Jarczak replied that he was ready to remove his entire project from GitHub and thanked the company for noticing his work. But he wanted to be “properly acknowledged” for possibly revealing “a significant security gap.” He offered further help for a fix while requesting some gear — specifically the flagship H2D printer.
But Bambu was not ready to reward or recognize him for promoting ways to use unauthorized third-party software and hardware that competes with its own. (Jarczak’s previous project was supporting a cheaper way to print in multiple colors than buying Bambu’s $279 AMS Lite, a project he’s since suggested Bambu should also recognize him for.)
Ominously, Bambu started talking to Jarczak like a mobster: “We wanted to speak with you first and handle this in a constructive way. That said, we can’t allow this approach to continue.”
Jarczak bristled. He had publicly voiced some suspicion that what he’d done had crossed a line. But he also knew that Bambu’s code was open-source under AGPL, a license so permissive that Google famously banned its engineers from using it at all.
The developer wanted to know: What, specifically, had he done wrong if the code was open-source?
Above: The actual communications between Bambu and Paweł Jarczak.
Instead of explaining, Bambu ramped up its threat. It told Jarczak that a cease and desist letter had already been prepared, and “invited” him to look at section 1201 of the Digital Millennium Copyright Act, implying it could legally punish him for breaking digital locks.
But Bambu didn’t sue. It didn’t send a cease and desist letter. It didn’t even send a DMCA takedown to remove his files from GitHub. Jarczak voluntarily took his code down. But in that code’s place, Jarczak left a note suggesting that Bambu treated him like a criminal.
That’s when the internet pounced.
Why is the open-source 3D printing community so upset?
Because Bambu’s software is not just Bambu’s software. “Bambu Studio is based on PrusaSlicer by Prusa Research, which is from Slic3r by Alessandro Ranellucci and the RepRap community,” Bambu freely admits on its websites.
“Based on” doesn’t just mean Bambu took inspiration from those programs. Bambu Studio is similar to PrusaSlicer because it’s a fork of PrusaSlicer. It’s built atop the same code.
Every modern 3D printer uses a piece of software called a slicer, which “slices” 3D objects into layers, then turns those layers into instructions that a 3D printer can follow. Over time, they’ve become the way to remote control every other part of a 3D printer as well.
Almost every slicer is built atop the slicers that came before, going back nearly 15 years to when Alessandro Ranellucci first released Slic3r to the world under the AGPL license. That license guarantees no one has to reinvent the wheel so long as they contribute their own improvements. Bambu gets enormous value from this license, but it’s beginning to crack down on users enjoying the same benefits.
Bambu freely forked PrusaSlicer, and it doesn’t contest that anyone else can fork Bambu Studio as well. But Bambu cut off the ability for forks — including the most popular fork, OrcaSlicer — to send prints, remote control the print head, monitor the printer’s camera, change filament colors, and more, until or unless their developers integrated a new proprietary authentication mechanism. (The lead developer of OrcaSlicer declined.)
Jarczak had created his own fork of OrcaSlicer to work around Bambu’s proprietary requirement, and that’s the code Bambu wanted taken down.
Last January, Bambu said its motive was security. But many suspected a profit motive too: that Bambu might use its software to lock its printers to its own filament and accessories and start charging for subscription services, the way today’s inkjet printer companies do. Bambu did not deny those possibilities when we asked, and the open-source community has been preparing to fight possible enshittification ever since.
All Jarczak was originally trying to do was keep Bambu’s software from breaking compatibility with the Biqu BCMU third-party multicolor system (that undercuts Bambu’s own $279 accessory), after some users noticed the BCMU stopped working following a Bambu firmware update.
But when he built a copy of OrcaSlicer using code from the Linux version of Bambu Studio instead of the Windows or Mac versions, Bambu’s cloud services no longer stopped him from remote controlling his own printer at all. He’d inadvertently found a way to pick Bambu’s lock using Bambu’s own open-source code. When Bambu threatened him into submission for undoing its lock, he became an unwitting martyr for a bigger cause.
“People are trying to make me into some kind of hero here, but I am not that,” Jarczak tells The Verge.
Here’s where it gets really messy.
A lot of this will come down to how the open-source license used by Bambu is interpreted both by the public and potentially by courts. Bradley Kühn, who helped put the “A” into AGPL, says it’s a slam dunk: Bambu has violated its AGPL license.
In a blog post for the Software Freedom Conservancy, he identifies two specific violations. First, Bambu’s proprietary networking plug-in itself.
The actual text of the AGPL states that anyone who copies a program must license the source code for the entire program — including any “Corresponding Source” for other bits that are needed to generate, install, run, or modify the work.
It also has explicit examples of what should count as Corresponding Source, including “shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.”
Guess what Bambu’s proprietary networking plug-in is made of? Shared libraries and dynamically linked libraries, ones that Bambu’s open-source portions automatically try to install when you first run the application, and ones that — Kühn and Jarczak both say — have intimate communication with Bambu’s open-source code.
Jarczak has now published a 30-point analysis at his GitHub page that runs down just how intimate that communication could be.

The second violation, Kühn writes, is how Bambu allegedly pressured Jarczak to remove his code from GitHub while falsely claiming its terms of service trump his rights under the AGPL license.
But neither Kühn nor Jarczak is a lawyer. Bambu has lawyers, and two lawyers who specialize in open-source tech tell The Verge that the AGPL is difficult to rely on.
What do Bambu and the lawyers say?
Bambu answered almost every question we sent over the course of a full week. Head of PR Nadia Yaakoubi told us that the company isn’t concerned about “open-source development or legitimate code forks.” (Bambu is implying Jarczak’s fork is illegitimate.)
The company argues that some of its code is “separately delivered” and therefore isn’t covered by the AGPLv3 license where “Corresponding Sources” are concerned. Here’s what it told us:
We do not agree that the networking plugin is properly characterized as part of Bambu Studio’s “Corresponding Source” for purposes of AGPLv3, such that AGPLv3 source-availability obligations would be triggered. It is a separately delivered, optional networking component that provides additional functionality. The fact that software may load a separate component at runtime does not establish that the component is part of the covered work or that it is source code; the work is “specifically designed to require” under Section 1, which defines the scope of “Corresponding Source.” And as you mentioned, AGPL also does not authorize any access violating the rules and protocols for communication across the network.
Kyle Mitchell, an independent tech lawyer who’s studied the AGPL, tells The Verge it’s quite possible that Bambu doesn’t need to share everything that touches its open-source code, particularly when we’re talking about cloud services.
“The AGPL, because of the problem it was written to solve, and because of the way it was written, doesn’t clearly say that if you change a program that you share to work with a web or cloud service, that you have to share all of that web and cloud service alike too,” he tells me over the phone.
Even with a plug-in, there is some degree of technical separation, he says — though Heather Meeker, a prominent open-source licensing expert and attorney, says a plug-in would at least “generally be part of Corresponding Source.”
Mitchell says Bambu’s statement to The Verge “goes right at the uncertainty,” the parts of the law that aren’t automatically clear and would have to be clarified by the courts — and for better or worse, the courts have not meaningfully weighed in on the text of the AGPL. “How broad the source code sharing requirement goes — there’s very little law to answer these questions,” Meeker confirms.
Says Mitchell: “There are no definitive answers to be found, just positions to take, which are just predictions about what courts would do.”
And — generally speaking — Meeker says not just anyone can meaningfully go after a company for an AGPL violation.
The Software Freedom Conservancy is attempting to disprove that in court as we speak, helping a single smart TV buyer sue TV maker Vizio for breach of contract to release its source code under GPLv2. But generally, Meeker says the entities that wrote the code are the ones who have the right to file a claim. Multiple licensors might have to band together, depending on how much code each contributed, and it could get complicated if some licensors additionally sold their software under different licensing terms instead of just AGPL.
Kühn says he’s “very confident” that the Vizio suit will succeed, but admits it’s the first such case he’s aware of in the US. Vizio is scheduled to go to trial in August.
Does Bambu have a point about security?
Bambu’s printers are remote controlled with MQTT commands, and after some of the things I’ve seen hackers do with unprotected MQTT recently, I’d have to say yes.
And the AGPL license does let Bambu deny access to a network “when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network,” Kühn freely admits. Bambu says it’s experienced this kind of disruption, with millions of “abnormal requests” including DDoS attacks.
But is it fair to suggest Jarczak is jeopardizing Bambu’s security with his fork? As he, Kühn, Mitchell, and others point out, Bambu has any number of ways to properly protect its cloud from hackers and DDoS attacks other than the one that can be defeated by using Bambu’s own open-source code.
Bambu claimed on May 7th and continues to claim that Jarczak “impersonated” its systems to fool them into giving him “unauthorized” access. It shared this as proof:

But the level of “impersonation” you see is simply Jarczak’s copy of OrcaSlicer saying “I am Bambu Studio,” something you can also find in Bambu Studio’s own open-source code.
“If Bambu’s infrastructure treats that as dangerous, that is a server-side authorization and architecture problem, not proof that I attacked their infrastructure,” Jarczak tells The Verge. “A cloud service should enforce authorization on the server side with proper account/device authorization, token scopes, quotas, per-account limits, per-device limits, rate limiting, abuse detection, and clear API rules.”
In the May 7th blog, Bambu claimed there was nothing it can do about people using OrcaSlicer to “impersonate” Bambu Studio: “Our systems would have no way to distinguish traffic, because the requests would look identical.”
But in its initial communications with Jarczak, Bambu already told him it intended to close this hole, and he’s not sure why it didn’t just do so. “[I]f they truly believed this was a live vulnerability, they should have fixed or disabled it on their side instead of threatening one developer and asking me to remove a repository while leaving the underlying behavior available,” responds Jarczak.
Bambu tells The Verge that it does indeed plan to close the hole, but it isn’t saying when:
“We have been working on enhanced authentication measures. The reason the current pathway still functions is simply that we have not yet pushed a mandatory update. Forcing a disruptive rollout to address one isolated issue is not how we operate. Our security updates will be deployed steadily, at the right time, and with our users’ experience in mind,” Yaakoubi writes.
Bambu also told The Verge that Jarczak “ran repeated unauthorized workaround tests on our live infrastructure and left activity logs.” But if there’s evidence, Bambu isn’t sharing it with us.
“I did not attack their infrastructure. I did not do penetration testing. I did not scan their servers. I did not try to find hidden endpoints. I did not create a new printer command system. I did not introduce new printer-side command classes,” Jarczak tells us. “If Bambu has logs, then those logs would simply show normal client traffic from testing a slicer against their normal cloud service path, using my own normal workflow.”
Bambu declined to share its logs with The Verge.
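The server-side controls Jarczak lists above (account/device authorization, token scopes, per-device limits, rate limiting), sketched as an added example that is not from the article, Jarczak or Bambu. Every name in it (the tokens, scopes, `client_name` field and quota) is a hypothetical assumption rather than Bambu's API; it contrasts a check that trusts a self-reported client name with one that ignores it.

```python
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data; every name is hypothetical, not a real vendor API.
DEVICE_OWNERS = {"printer-001": "alice"}  # device -> owning account
TOKENS = {
    "tok-alice": {"account": "alice", "scopes": {"print:send", "camera:view"}},
    "tok-bob": {"account": "bob", "scopes": {"print:send"}},
}

def weak_authorize(request: dict) -> bool:
    """Weak: trusts a self-reported client name, which any client can set."""
    return request.get("client_name") == "OfficialSlicer"

@dataclass
class Authorizer:
    """Decides on token, device binding, scope and quota; ignores client_name."""
    max_per_window: int = 3   # per-device request quota
    window_s: float = 60.0
    _hits: dict = field(default_factory=dict)

    def authorize(self, request: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.monotonic() if now is None else now
        token = TOKENS.get(request.get("token"))
        if token is None:
            return False, "invalid token"
        device = request.get("device")
        if DEVICE_OWNERS.get(device) != token["account"]:
            return False, "device not bound to account"
        if request.get("action") not in token["scopes"]:
            return False, "scope missing"
        # Sliding window: keep only timestamps still inside the window.
        recent = [t for t in self._hits.get(device, []) if now - t < self.window_s]
        allowed = len(recent) < self.max_per_window
        if allowed:
            recent.append(now)
        self._hits[device] = recent
        return (True, "ok") if allowed else (False, "rate limited")

def demo() -> dict:
    authz = Authorizer()
    claimed = {"client_name": "OfficialSlicer", "token": "tok-bob",
               "device": "printer-001", "action": "print:send"}
    owner = {"client_name": "ThirdPartySlicer", "token": "tok-alice",
             "device": "printer-001", "action": "print:send"}
    return {
        "weak_claimed": weak_authorize(claimed),   # name alone is accepted
        "weak_owner": weak_authorize(owner),       # real owner is refused
        "strong_claimed": authz.authorize(claimed, now=0.0),
        "strong_owner": [authz.authorize(owner, now=float(i)) for i in range(4)],
    }

if __name__ == "__main__":
    print(demo())
```

With the second check, which slicer sent the request stops mattering: the decision rests on whether the token's account owns the device, holds the scope and is within quota.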
Legal threats are easy to make and costly to defend against. Nothing’s been filed yet, so we remain in the court of public opinion. Kühn says that court is the one that should hopefully pressure Bambu “to act correctly,” like when the community first successfully pushed Bambu to open-source its PrusaSlicer fork.
In the meantime, thousands of open-source advocates are now in a standoff with Bambu, figuring out how to loosen its control over the hardware they bought and paid for and actively organizing alongside the father of AGPL. The Software Freedom Conservancy is hoping to raise just over $250,000 to hire more staff to “liberate AGPLv3-violating 3D printers,” and Louis Rossmann says his group will donate $15,000.
“Our intention from the start was to reach out and find a path forward together. We regret that our communication did not land that way. That was not the outcome we wanted, and we are committed to doing better on that front,” Bambu tells The Verge. While the company told us on May 13th that it would “hold a firm line on how our cloud service is accessed by third-parties,” that firm line softened a day later: “Rather than escalating conflict, we are focusing on strengthening our own infrastructure and protection measures moving forward.”
If Bambu wants to defuse the situation, Kühn says the solution is simple: “They should release all the code, even if the AGPL doesn’t require it, because their business is selling hardware anyway!” Alternatively, Bambu can always throw away all the AGPL code and rewrite its software from scratch. “Nobody requires you to use AGPL code,” he says. Jarczak doesn’t want to see Bambu take its ball and go home, though. “I do not think ‘fully closed’ would be better for users. It would just be more honest,” he tells me.
It’s hard not to root for open-source advocates to triumph, considering how much of a debt every 3D printer company owes to those who came before. I’m not ready to switch printers myself, but I will if the open-source community’s worst fears come true.