BambuStudio's AGPL Violation: A Long-Standing Open Source Breach

Josef Prusa, founder of Prusa Research, has publicly accused Bambu Lab of violating the AGPL-3.0 license ever since it forked PrusaSlicer. The core issue: BambuStudio (BS) relies on a closed-source networking plugin that communicates with Bambu's cloud, while the rest of the slicer is open source. Under the AGPL, derivative works must remain open source. Prusa argues that the plugin is not a separate work but an integral part of the same product, split off only for "license-laundering."

"BS cannot do its primary job without the plugin. The plugin cannot do anything without BS," Prusa wrote on X. He notes that OrcaSlicer, another fork of BS, complies with the AGPL by keeping all code open.

The Runtime Binary Black Box

The networking plugin isn't bundled inside BambuStudio. It downloads itself from a CDN at runtime. This means users can audit the open source code of BS, but cannot inspect the part that actually talks to the cloud. The binary can be swapped between launches without external scrutiny. Prusa flagged this architecture publicly in March 2023, and it remains unchanged today.

"You can audit BambuStudio's open source code all you want. You cannot meaningfully audit the part that actually talks to the cloud," Prusa stated.
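The swap-between-launches risk described above can at least be made visible by hashing the plugin directory before each launch and comparing it against a recorded baseline. This is an added example, not code from BambuStudio or from the original article; the directory and file names are placeholders, since the page does not give the plugin's install path.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(plugin_dir):
    """Map each file under plugin_dir (relative path) to its SHA-256 digest."""
    root = Path(plugin_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(baseline, current):
    """Compare two snapshots; report files added, removed, or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(f for f in baseline.keys() & current.keys()
                          if baseline[f] != current[f]),
    }


def check(plugin_dir, baseline_file):
    """Record a baseline on first run; afterwards return drift against it."""
    baseline_path = Path(baseline_file)
    current = snapshot(plugin_dir)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"added": [], "removed": [], "changed": []}
    # The baseline is never overwritten here: accepting a new plugin build
    # is a deliberate step (remove the baseline file after reviewing it).
    return drift(json.loads(baseline_path.read_text()), current)


if __name__ == "__main__":
    # Constructed demo: a temp directory stands in for the plugin folder.
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "plugins")
        plugins.mkdir()
        (plugins / "network_plugin.bin").write_bytes(b"build-A")  # placeholder name
        baseline = Path(tmp, "baseline.json")
        check(plugins, baseline)                                   # first launch
        (plugins / "network_plugin.bin").write_bytes(b"build-B")  # swapped binary
        print(check(plugins, baseline))
```

A changed digest shows only that the binary was replaced, not what the new build does.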

Discovery: Accidental Telemetry

Prusa revealed that they first discovered the fork before its public launch. Shortly after PrusaSlicer 2.4 introduced opt-in anonymous telemetry, their servers received entries labeled "BambuSlicer." Bambu's internal builds were accidentally sending telemetry to Prusa's servers instead of their own. The community later had to pressure Bambu Lab to release the source code in compliance with the AGPL.

Enforcement Challenges Under Chinese Law

Prusa explained why legal action was considered but abandoned: the AGPL is a license, and enforcement requires a viable legal path. Bambu Lab is a Chinese company, and the case would land in a Chinese court applying Chinese law. Prusa cited a five-law framework China built between 2017 and 2023 that could compel companies to cooperate with state intelligence:

  1. National Intelligence Law (2017): All organizations must cooperate with intelligence work and cannot disclose such cooperation.
  2. Cryptography Law (2020): Commercial encryption must be state-approved, and decryption keys must be provided upon request.
  3. Data Security Law (2021): Extraterritorial reach over data touching national security, regardless of server location.
  4. Counter-Espionage Law revision (2023): Expanded definition of espionage to include industrial data.
  5. Network Product Security Vulnerability regulation (2021): Vulnerabilities must be reported to MIIT within 48 hours, flowing to a vulnerability database operated by the Ministry of State Security.

Prusa emphasized that 3D printing is designated as strategic under "Made in China 2025," making industrial data a national security concern. This context raises questions about whether Bambu Lab's hand is forced by these laws.

Technical Details: The AGPL Violation Pattern

To understand the violation, consider the AGPL-3.0 requirement: any derivative work must be distributed under the same license. BambuStudio is a fork of PrusaSlicer, which is AGPL-3.0. The networking plugin, even if distributed separately, is a derivative work because it is designed to function only with BS and BS depends on it. The runtime download mechanism does not exempt it from copyleft obligations.

A typical AGPL-compliant approach would be to use a plugin interface that communicates over a standard protocol (e.g., HTTP REST API) with a separate service that can be licensed independently. However, the tight coupling here suggests the plugin is not a separate program but a module of BS.

Why This Matters Now

Prusa's thread comes amid ongoing community concerns about Bambu Lab's closed ecosystem. The company has previously issued apologies for other controversies, including legal threats against a developer who opened a "small black box." The AGPL violation undermines trust in open source collaboration, especially as PrusaSlicer remains one of the most popular slicers in the 3D printing community.

Developer Insights

  • If you fork an AGPL project, ensure all derivative components (including plugins) are also AGPL-compliant. Use a separate process with a well-defined API if you need to keep proprietary code.
  • Runtime-downloaded binaries that are essential to functionality are likely derivative works under AGPL. Courts have not definitively ruled, but the licensing risk is high.
  • When choosing a 3D printing ecosystem, consider the openness of the software stack. Bambu's closed networking plugin limits auditability and may expose user data to legal risks in certain jurisdictions.