Bambu Lab Authorization Control System: Difference between revisions

added comment
m Removed red links; misc.
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{IncidentCargo
{{IncidentCargo
|Company=Bambu Lab
|Company=Bambu Lab
|StartDate=2025-01-16
|StartDate=16 January 2025
|EndDate=
|Status=Active
|Status=Active
|Type=Post-purchase terms change
|Type=Post-purchase terms change
|Description=January 2025 firmware change restricted third-party slicers; April 2026 private cease-and-desist against AGPL fork maintainer Pawel Jarczak.
|Description=January 2025 firmware change restricted third-party slicers and gated printer control behind Bambu-issued authentication.
}}
}}


On January 16, 2025, the 3D-printer manufacturer '''[[Bambu Lab]]''' announced that future firmwares for its 3D printers would introduce an authorization and authentication mechanism for printer connection and control, [[Deceptive language frequently used against consumers|in the name of security]].<ref name="firmware-update-introducing-new-authorization-control-system-2">{{Cite web |last=Bambu Kidd |date=2025-01-16 |title=Firmware Update Introducing New Authorization Control System |url=https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/ |url-status=live |archive-url=https://ghostarchive.org/archive/qwL63 |archive-date=2026-03-07 |website=[[Bambu Lab]] Blog}}</ref> The change restricted the use of third-party accessories and slicers such as Panda Touch and OrcaSlicer, and it gated print initiation, motion control, fan and hotend control, AMS configuration, calibrations, remote video, and firmware upgrade behind a Bambu-issued authentication path.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> Bambu Lab also publishes its own slicer, [https://github.com/bambulab/BambuStudio Bambu Studio], under the [[GNU Affero General Public License|AGPL-3.0]],<ref name="bambustudio-license">{{Cite web |title=BambuStudio LICENSE (AGPL-3.0 verbatim) |url=https://github.com/bambulab/BambuStudio/blob/master/LICENSE |website=GitHub |publisher=Bambu Lab |access-date=2026-05-10 |url-status=live}}</ref> while its [[Terms of Service|Terms of Use]] § 3.4 forbid users to modify, copy, reverse engineer, or create derivatives of "the Product."<ref name=":2">{{Cite web |date=2024-04-24 |title=Terms of Use |url=https://bambulab.com/en-us/policies/terms |url-status=live |archive-url=https://ghostarchive.org/archive/vPu9I |archive-date=2026-03-09 |access-date=2025-05-01 |website=[[Bambu Lab]]}}</ref> In April 2026, Bambu Lab sent a private cease-and-desist demand to a Polish community fork maintainer, Pawel Jarczak, who had restored direct printer control on top of that AGPL source; on May 7, 2026, Bambu Lab published a blog post recharacterizing the dispute as "impersonation" through "falsified identity metadata" rather than as a question about open-source rights.<ref name="bambu-blog-record-straight">{{Cite web |title=Setting the record straight on Cloud Access and Community |url=https://blog.bambulab.com/setting-the-record-straight-on-cloud-access-and-community/ |website=Bambu Lab Blog |publisher=Bambu Lab |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref><ref name="jarczak-readme">{{Cite web |last=Jarczak |first=Pawel |title=OrcaSlicer-bambulab — This is the end…. |url=https://github.com/jarczakpawel/OrcaSlicer-bambulab |url-status=live |archive-url=https://web.archive.org/web/20260430001537/https://github.com/jarczakpawel/OrcaSlicer-bambulab |archive-date=2026-04-30 |access-date=2026-05-04 |website=[[GitHub]]}}</ref>
On January 16, 2025, the 3D-printer manufacturer '''[[Bambu Lab]]''' announced that future firmwares for its 3D printers would introduce an authorization and authentication mechanism for printer connection and control, [[Deceptive language frequently used against consumers|in the name of security]].<ref name="firmware-update-introducing-new-authorization-control-system-2">{{Cite web |last=Bambu Kidd |date=2025-01-16 |title=Firmware Update Introducing New Authorization Control System |url=https://blog.bambulab.com/firmware-update-introducing-new-authorization-control-system-2/ |url-status=live |archive-url=https://ghostarchive.org/archive/qwL63 |archive-date=2026-03-07 |website=[[Bambu Lab]] Blog}}</ref> The change restricted the use of third-party accessories and slicers such as Panda Touch and OrcaSlicer, and it gated print initiation, motion control, fan and hotend control, AMS configuration, calibrations, remote video, and firmware upgrade behind a Bambu-issued authentication path.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> Bambu Lab also publishes its own slicer, [https://github.com/bambulab/BambuStudio Bambu Studio], under the [[GNU Affero General Public License|AGPL-3.0]],<ref name="bambustudio-license">{{Cite web |title=BambuStudio LICENSE (AGPL-3.0 verbatim) |url=https://github.com/bambulab/BambuStudio/blob/master/LICENSE |website=GitHub |publisher=Bambu Lab |access-date=2026-05-10 |url-status=live}}</ref> while its [[Terms of Service|Terms of Use]] § 3.4 forbid users to modify, copy, reverse engineer, or create derivatives of "the Product."<ref name=":2">{{Cite web |date=2024-04-24 |title=Terms of Use |url=https://bambulab.com/en-us/policies/terms |url-status=live |archive-url=https://ghostarchive.org/archive/vPu9I |archive-date=2026-03-09 |access-date=2025-05-01 |website=[[Bambu Lab]]}}</ref> In April 2026, this authorization system became the basis for a [[Bambu Lab cease and desist against OrcaSlicer fork developer|cease-and-desist demand against a Polish community fork maintainer]] who had restored direct printer control on top of the AGPL source.


==Controversy regarding firmware updates==
==Controversy regarding firmware updates==
Line 44: Line 45:
Bambu Lab has stated that the authorization system is in place in order to protect against "remote hacks," "printer exposure," and "abnormal traffic or attacks". The cited security incidents have specific context:
Bambu Lab has stated that the authorization system is in place in order to protect against "remote hacks," "printer exposure," and "abnormal traffic or attacks". The cited security incidents have specific context:


*The "remote hacks" cited as an example in the article followed a reported security vulnerability in a 3D printer product; according to Bitdefender's reporting, the researcher infected machines to display a harmless message in order to publicize the unpatched flaw.<ref>{{Cite web |last=Cluley |first=Graham |date=2024-03-01 |title=Someone is hacking 3D printers to warn owners of a security flaw |url=https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002646/https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=[[Bitdefender]]}}</ref>
*The "remote hacks" cited as an example in the article followed a reported security vulnerability in a 3D printer product; according to Bitdefender's reporting, the researcher infected machines to display a harmless message in order to publicize the unpatched flaw.<ref>{{Cite web |last=Cluley |first=Graham |date=2024-03-01 |title=Someone is hacking 3D printers to warn owners of a security flaw |url=https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002646/https://www.bitdefender.com/en-au/blog/hotforsecurity/someone-is-hacking-3d-printers-to-warn-owners-of-a-security-flaw?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=Bitdefender}}</ref>
*In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>{{Cite web |last=Ms. Smith |date=2018-09-05 |title=Over 3,700 exposed 3D printers open to remote attackers |url=https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002556/https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=[[CSO]]}}</ref>
*In the article cited about printer exposure, the hack was carried out largely because of user misconfiguration.<ref>{{Cite web |last=Ms. Smith |date=2018-09-05 |title=Over 3,700 exposed 3D printers open to remote attackers |url=https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |url-status=live |archive-url=https://web.archive.org/web/20260216002556/https://www.csoonline.com/article/566223/over-3700-exposed-3d-printers-open-to-remote-attackers.html?ref=blog.bambulab.com |archive-date=2026-02-16 |access-date=2025-05-01 |website=CSO}}</ref>
*The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |title=Summary of Security Incident Responses and Abnormal Cloud Traffic |url=https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com |url-status=live |archive-url= |archive-date= |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref>
*The "abnormal traffic" can be mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |title=Summary of Security Incident Responses and Abnormal Cloud Traffic |url=https://wiki.bambulab.com/en/security-incidents-cloud-traffic?ref=blog.bambulab.com |url-status=live |archive-url= |archive-date= |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref>
*"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |last=@SpaghettiMonster |date=2022-11-25 |title=Answering network security concerns for our printers |url=https://blog.bambulab.com/answering-network-security-concerns/ |url-status=live |archive-url=https://ghostarchive.org/archive/CE0Ii |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Blog}}</ref>
*"Other malicious devices in the LAN" can be partially mitigated by steps Bambu has already put in place, as detailed in their own article on the matter.<ref>{{Cite web |last=@SpaghettiMonster |date=2022-11-25 |title=Answering network security concerns for our printers |url=https://blog.bambulab.com/answering-network-security-concerns/ |url-status=live |archive-url=https://ghostarchive.org/archive/CE0Ii |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Blog}}</ref>


==Issues with LAN mode requiring authorization==
==Issues with LAN mode requiring authorization==
{{outdated/section}}
[[File:Bambu Connect App - Lan Device Discovery without Bambu Login.png|thumb|Bambu Connect App - Lan Device Discovery without Bambu Login]]
[[File:Bambu Connect App - Lan Device Discovery without Bambu Login.png|thumb|Bambu Connect App - Lan Device Discovery without Bambu Login]]
Bambu Lab printers have the ability to be controlled over both cloud and LAN. This allowed users to integrate their printers into private networks and maintain full control without having to rely on the manufacturer's server while also allowing cloud access. The new authorization system mandates that even LAN-based operations must go through an authentication process using Bambu Connect to retain full control.<ref name="bambu-connect">{{Cite web |[email protected] |title=Bambu Connect (beta) |url=https://wiki.bambulab.com/en/software/bambu-connect |url-status=live |archive-url=https://ghostarchive.org/archive/CVCtK |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref> Full local access is still possible and unchanged for those not using the cloud.
Bambu Lab printers have the ability to be controlled over both cloud and LAN. This allowed users to integrate their printers into private networks and maintain full control without having to rely on the manufacturer's server while also allowing cloud access. The new authorization system mandates that even LAN-based operations must go through an authentication process using Bambu Connect to retain full control.<ref name="bambu-connect">{{Cite web |[email protected] |title=Bambu Connect (beta) |url=https://wiki.bambulab.com/en/software/bambu-connect |url-status=live |archive-url=https://ghostarchive.org/archive/CVCtK |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Wiki}}</ref> Full local access is still possible and unchanged for those not using the cloud.
Line 57: Line 59:
**Confidentiality required by US Law: this is in conflict with users that have to comply with internal U.S. government classified information handling regulations.{{CitationNeeded}}
**Confidentiality required by US Law: this is in conflict with users that have to comply with internal U.S. government classified information handling regulations.{{CitationNeeded}}
*'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions; Bambu Lab initially indicated rollback would not be permitted, though The Verge later reported that users could still downgrade and use LAN access keys while signed into the cloud.
*'''Loss of offline independence while also using cloud''': Before, users could have hybrid offline setups. The requirement for authentication removes this option unless users revert to older firmware versions; Bambu Lab initially indicated rollback would not be permitted, though The Verge later reported that users could still downgrade and use LAN access keys while signed into the cloud.
*'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality.<ref name=":4">{{Cite web |last=@edlboston |date=2023-01 |title=Full Non-Cloud Based Network Option Needed |url=https://forum.bambulab.com/t/full-non-cloud-based-network-option-needed/3643 |url-status=live |archive-url=https://ghostarchive.org/archive/1ee4F |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Yes, I know about the LAN mode. But as has been stated by many people, things like the camera will not work, nor will the Handy app. There is no technical reason that these are bound to the cloud. This is the problem and why I titled this FULL Non-Cloud Network.}}</ref>
*'''Increased complexity''': The added authentication layer complicates workflows for users who built custom setups or relied on third-party integrations for LAN control while retaining cloud functionality.<ref name=":4">{{Cite web |author=edlboston |date=Jan 2023 |title=Full Non-Cloud Based Network Option Needed |url=https://forum.bambulab.com/t/full-non-cloud-based-network-option-needed/3643 |url-status=live |archive-url=https://ghostarchive.org/archive/1ee4F |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Yes, I know about the LAN mode. But as has been stated by many people, things like the camera will not work, nor will the Handy app. There is no technical reason that these are bound to the cloud. This is the problem and why I titled this FULL Non-Cloud Network.}}</ref>


*LAN-Only mode in Orca Slicer is implemented by passing API Calls to the installed proprietary Bambu Network Plug-In (unlike BTT and other solutions that did indeed communicate with printer directly via MQTT protocol).
*LAN-Only mode in Orca Slicer is implemented by passing API Calls to the installed proprietary Bambu Network Plug-In (unlike BTT and other solutions that did indeed communicate with printer directly via MQTT protocol).
Line 68: Line 70:


===X1E firmware 01.01.02.00 LAN-mode connection failure===
===X1E firmware 01.01.02.00 LAN-mode connection failure===
Newly received X1E printers with firmware 01.01.02.00 will not connect to the Bambu Studio using the Lan only method password. Bambu Studio identifies the un-logged printer but will not allow a connection to the printer. Only after connection / account pairing is done over the Bambu Handy app by giving internet access to the PC and Printer then using the cloud service connection will Lan only communication and login work.<ref>{{Cite web |last= |date=2024-09 |title=Connect X1E to stand-alone computer |url=https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |url-status=live |archive-url=https://web.archive.org/web/20260223033045/https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |archive-date=2026-02-23 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum}}</ref>
Newly received X1E printers with firmware 01.01.02.00 will not connect to the Bambu Studio using the Lan only method password. Bambu Studio identifies the un-logged printer but will not allow a connection to the printer. Only after connection / account pairing is done over the Bambu Handy app by giving internet access to the PC and Printer then using the cloud service connection will Lan only communication and login work.<ref>{{Cite web |last= |date=Sep 2024 |title=Connect X1E to stand-alone computer |url=https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |url-status=live |archive-url=https://web.archive.org/web/20260223033045/https://forum.bambulab.com/t/connect-x1e-to-stand-alone-computer/101474 |archive-date=2026-02-23 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum}}</ref>


==Implementation timeline and requirements==
==Implementation timeline and requirements==
<!-- this section seems out of date -->
{{outdated/section}}
The authorization system will be rolled out in phases, starting with the X1 series printers. A beta firmware (version 01.08.03.00) was released on January 17, 2025, with the full release scheduled for late January 2025.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> The P and A series printers will get similar updates at an unspecified future date.
The authorization system will be rolled out in phases, starting with the X1 series printers. A beta firmware (version 01.08.03.00) was released on January 17, 2025, with the full release scheduled for late January 2025.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> The P and A series printers will get similar updates at an unspecified future date.


Line 114: Line 116:
-->
-->
==Impact on functionality==
==Impact on functionality==
{{outdated/section}}
While some functionality remains unauthenticated like in previous firmware versions (sending status information from the printer over the network, starting a print job using SD cards), the most important features now require authentication through a closed-source client called Bambu Connect<ref name="bambu-connect" />. These restricted features include:
While some functionality remains unauthenticated like in previous firmware versions (sending status information from the printer over the network, starting a print job using SD cards), the most important features now require authentication through a closed-source client called Bambu Connect<ref name="bambu-connect" />. These restricted features include:


Line 146: Line 149:
*'''Lack of transparency''': SoftFever reported that the limited warning given to OrcaSlicer developers preceded community engagement with existing customers.<ref name="orca-slicer-issue8063" /> Point to the contrary: the new firmware is in beta and Bambu Connect middleware contains temporary compromises to allow third-party slicers to work as before.
*'''Lack of transparency''': SoftFever reported that the limited warning given to OrcaSlicer developers preceded community engagement with existing customers.<ref name="orca-slicer-issue8063" /> Point to the contrary: the new firmware is in beta and Bambu Connect middleware contains temporary compromises to allow third-party slicers to work as before.
*'''Lack of follow-through:''' As of January 2025, SoftFever, OrcaSlicer's lead developer, did not have API keys for Bambu Connect, a necessary layer of Bambu software that would need to be integrated into OrcaSlicer. Some community members questioned whether Bambu Lab's outreach to OrcaSlicer was a substantive collaboration effort.<ref name=":1">{{Cite web |last=@fever_soft |date=2025-01-18 |title=This is definitely a bummer. I was negotiating for an authorization key to allow OrcaSlicer to communicate with their device like BambuStudio does, but today I was told they won't support this. Only their slicer can send prints directly; others must use their Bambu Connect application |url=https://x.com/fever_soft/status/1880630570809795034?t=qJyh4SGFZFllcYrqexGW-Q |url-status=live |access-date=2025-05-01 |website=[[X]] |archive-url=http://web.archive.org/web/20251004104021/https://x.com/fever_soft/status/1880630570809795034?t=qJyh4SGFZFllcYrqexGW-Q |archive-date=2025-10-04}}</ref>
*'''Lack of follow-through:''' As of January 2025, SoftFever, OrcaSlicer's lead developer, did not have API keys for Bambu Connect, a necessary layer of Bambu software that would need to be integrated into OrcaSlicer. Some community members questioned whether Bambu Lab's outreach to OrcaSlicer was a substantive collaboration effort.<ref name=":1">{{Cite web |last=@fever_soft |date=2025-01-18 |title=This is definitely a bummer. I was negotiating for an authorization key to allow OrcaSlicer to communicate with their device like BambuStudio does, but today I was told they won't support this. Only their slicer can send prints directly; others must use their Bambu Connect application |url=https://x.com/fever_soft/status/1880630570809795034?t=qJyh4SGFZFllcYrqexGW-Q |url-status=live |access-date=2025-05-01 |website=[[X]] |archive-url=http://web.archive.org/web/20251004104021/https://x.com/fever_soft/status/1880630570809795034?t=qJyh4SGFZFllcYrqexGW-Q |archive-date=2025-10-04}}</ref>
*'''Disregard for open-source collaboration''': OrcaSlicer is open-source software developed under the AGPL-3.0 license.<ref name="softfever-orcaslicer-license" /> The decision to restrict network APIs in favor of proprietary systems such as Bambu Connect removes customer choice in how the printer is operated.
*'''Disregard for open-source collaboration''': OrcaSlicer is open-source software developed under the AGPL-3.0 license.<ref name="softfever-orcaslicer-license">{{Cite web |title=OrcaSlicer LICENSE.txt (AGPL-3.0) |url=https://github.com/SoftFever/OrcaSlicer/blob/main/LICENSE.txt |website=GitHub |publisher=SoftFever |access-date=2026-05-10 |url-status=live}}</ref> The decision to restrict network APIs in favor of proprietary systems such as Bambu Connect removes customer choice in how the printer is operated.
*'''Token support for third-party tools''': While Bambu Connect provides a workaround for third-party slicer use, it restricts functionality and complicates workflows, leading many to question the sincerity of Bambu's stated support for open-source tools<ref name="bambu-connect" />.
*'''Token support for third-party tools''': While Bambu Connect provides a workaround for third-party slicer use, it restricts functionality and complicates workflows, leading many to question the sincerity of Bambu's stated support for open-source tools<ref name="bambu-connect" />.
*'''Power imbalance''': As the hardware manufacturer, Bambu Lab has the ability to dictate how its products can be used; often to the detriment of third-party developers and users.
*'''Power imbalance''': As the hardware manufacturer, Bambu Lab has the ability to dictate how its products can be used; often to the detriment of third-party developers and users.


==Community-driven workarounds and technical alternatives==
==Community-driven workarounds and technical alternatives==
 
{{outdated/section}}
Community members have published workarounds for the firmware restrictions.
Community members have published workarounds for the firmware restrictions.


Line 195: Line 198:
*The Bambu Labs website offers consumers the ability to request a rootable firmware to be sent to their printers. As of January 26, 2025, the feature (in the EU at least) is broken such that you cannot finalize the process of requesting such a firmware.<ref name="bambu-third-party-firmware-plan">{{Cite web |title=Third Party Firmware Plan |url=https://bambulab.com/en-eu/third-party-firmware/plan |website=Bambu Lab |access-date=2025-01-26 |url-status=live}}</ref>
*The Bambu Labs website offers consumers the ability to request a rootable firmware to be sent to their printers. As of January 26, 2025, the feature (in the EU at least) is broken such that you cannot finalize the process of requesting such a firmware.<ref name="bambu-third-party-firmware-plan">{{Cite web |title=Third Party Firmware Plan |url=https://bambulab.com/en-eu/third-party-firmware/plan |website=Bambu Lab |access-date=2025-01-26 |url-status=live}}</ref>
**The result of accepting the terms of the page titled "Third Party Firmware Plan Guideline" and clicking "Next" takes you to a page titled "Important Notice and Risk Warning" which, when accepting the terms leaves you with an "I got it" button that takes you back to the previous page.
**The result of accepting the terms of the page titled "Third Party Firmware Plan Guideline" and clicking "Next" takes you to a page titled "Important Notice and Risk Warning" which, when accepting the terms leaves you with an "I got it" button that takes you back to the previous page.
==Cease and desist against the OrcaSlicer-bambulab re-enablement project==
In April 2026, Bambu Lab sent a cease-and-desist communication to the developer of a third-party OrcaSlicer fork that had restored direct printer control after the Authorization Control System rollout. The project was wiped from public view the same day the threat was delivered, and the developer published a summary of Bambu Lab's allegations but not the letter itself, citing Bambu Lab's refusal to authorize publication.<ref name="jarczak-readme" />{{CitationNeeded}} The full public-record account includes a parallel May 7, 2026 Bambu Lab blog post and three same-day public Reddit replies from the maintainer.
The Reddit communications between Bambu Lab and the developer have been saved on the wiki at [[File:Bambu_communications_with_developer.pdf|page=1|400px]].<!-- this can be replaced with a proper citation once Louis uploads it to his website or something-->
===OrcaSlicer===
OrcaSlicer is a free, open-source slicer: a program that converts a 3D model file into the layer-by-layer instructions (G-code) a 3D printer needs to produce the physical object. It is maintained by the developer SoftFever and draws from Bambu Lab's Bambu Studio, which is itself a fork of Prusa Research's PrusaSlicer.<ref name="softfever-orcaslicer">{{Cite web |last=SoftFever |title=OrcaSlicer |url=https://github.com/SoftFever/OrcaSlicer |url-status=live |access-date=2026-05-04 |website=[[GitHub]]}}</ref> Bambu Studio in turn descends from Slic3r, the upstream project Prusa Research forked.<ref name="slic3r-repo">{{Cite web |title=Slic3r |url=https://github.com/slic3r/Slic3r |website=GitHub |access-date=2026-05-10 |url-status=live}}</ref><ref name="prusaslicer-license">{{Cite web |title=PrusaSlicer LICENSE (AGPL-3.0) |url=https://github.com/prusa3d/PrusaSlicer/blob/master/LICENSE |website=GitHub |publisher=Prusa Research |access-date=2026-05-10 |url-status=live}}</ref> OrcaSlicer is widely used by owners of Bambu Lab printers as an alternative to Bambu Studio, and it ships under the AGPL-3.0 license.<ref name="softfever-orcaslicer" /><ref name="softfever-orcaslicer-license">{{Cite web |title=OrcaSlicer LICENSE.txt (AGPL-3.0) |url=https://github.com/SoftFever/OrcaSlicer/blob/main/LICENSE.txt |website=GitHub |publisher=SoftFever |access-date=2026-05-10 |url-status=live}}</ref><ref name="xda-jarczak">{{Cite web |last=Batt |first=Simon |date=2026-04-23 |title=A developer restored OrcaSlicer's features that Bambu Lab killed — then the legal threats arrived |url=https://www.xda-developers.com/developer-restored-orcaslicers-features-bambu-lab-killed-legal-threats-arrived/ |url-status=live |archive-url=https://web.archive.org/web/20260427233833/https://www.xda-developers.com/developer-restored-orcaslicers-features-bambu-lab-killed-legal-threats-arrived/ |archive-date=2026-04-27 |access-date=2026-05-04 |website=XDA Developers}}</ref>
===Restrictions introduced by the Authorization Control System===
The Authorization Control System announced on January 16, 2025 gated print initiation, motion control, fan and hotend temperature control, AMS configuration, calibrations, remote video, and firmware upgrade behind a Bambu-issued authentication path. Owners who installed the new firmware could no longer send print jobs from third-party slicers directly over the local network; they had to route those jobs through a new closed-source middleware, Bambu Connect.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> SoftFever was not given API keys for Bambu Connect and stated publicly that direct print sending from OrcaSlicer would not be supported going forward.<ref name=":1" />
=== OrcaSlicer-bambulab fork===
On April 23, 2026, the developer Pawel Jarczak (GitHub user <code>jarczakpawel</code>) made a public fork named OrcaSlicer-bambulab at <code>github.com/jarczakpawel/OrcaSlicer-bambulab</code>. The fork restored the ability to send print jobs from OrcaSlicer directly to Bambu Lab printers without routing through Bambu Connect.<ref name="xda-jarczak" /> According to Jarczak's own description, the fork worked by reaching the printer through a Linux-side workflow Bambu Lab had not yet disabled, and was built on publicly available Bambu Studio source code combined with the developer's own integration layer; it did not redistribute Bambu Lab's proprietary networking plugin binaries.<ref name="jarczak-readme" /><ref name="3druck-jarczak">{{Cite web |date=2026-04-30 |title=Developer ends OrcaSlicer fork after Bambu Lab threatens legal action |url=https://3druck.com/en/programs/developer-terminates-orcaslicer-fork-after-bambu-lab-threatens-to-sue-32156744/ |url-status=live |access-date=2026-05-04 |website=3Druck.com}}</ref> Jarczak also maintained a sibling fork at <code>github.com/jarczakpawel/BambuStudio-BMCU</code> that added support for a third-party multi-color unit (BMCU); that repository remained live as of May 9, 2026.<ref name="jarczak-bmcu">{{Cite web |last=Jarczak |first=Pawel |title=BambuStudio-BMCU |url=https://github.com/jarczakpawel/BambuStudio-BMCU |website=GitHub |access-date=2026-05-10 |url-status=live}}</ref>
===Cease and desist===
Bambu Lab contacted Jarczak directly and demanded removal of the fork. According to Jarczak's own first-person account in his public archive README, Bambu Lab "referred to legal materials and stated that a cease and desist letter had been prepared," and alleged that the implementation:
<blockquote>''impersonated Bambu Studio, bypassed their authorization controls, violated their Terms of Use, involved "reverse engineering", and could allow modified forks to send arbitrary commands to printers.''</blockquote><ref name="jarczak-readme" /> Jarczak rejected the reverse-engineering characterization, stating that his work was based on publicly available Bambu Studio source code, which Bambu Lab releases under the AGPL-3.0 license.<ref name="jarczak-readme" /><ref name="3druck-jarczak" /> Jarczak disputed the broader characterization and asked for specifics: the exact files or commits at issue, and the exact legal or contractual basis. He reports receiving "further broad accusations" instead of that specificity.<ref name="jarczak-readme" /> Bambu Lab refused consent for publication of the correspondence itself, and Jarczak elected to honor that refusal while retaining the letter.<ref name="jarczak-readme" /> The repository was wiped the same day the threat was delivered.<ref name="jarczak-readme" /><ref name="xda-jarczak" /> Jarczak removed the contents voluntarily and stated this was a practical decision, not an admission that the legal or technical allegations were correct; in his own words from the public archive notice:
<blockquote>''I removed the repository voluntarily. That removal should not be interpreted as an admission that all legal or technical allegations made against the project were correct.''</blockquote><ref name="jarczak-readme" />
XDA Developers reported that Bambu Lab had not responded to its request for comment as of publication.<ref name="xda-jarczak" /> 3Druck independently confirmed the same set of allegations, citing Jarczak's GitHub statement.<ref name="3druck-jarczak" /> Tom's Hardware also covered the takedown on April 29, 2026.<ref name="tomshardware-jarczak">{{Cite web |title=Developer re-enables 3D printer features that Bambu Lab disabled, firm promptly threatens legal action — OrcaSlicer-BambuLab project now shuttered |url=https://www.tomshardware.com/3d-printing/developer-re-enables-3d-printer-features-that-bambu-lab-disabled-firm-promptly-threatens-legal-action-orcaslicer-bambulab-project-now-shuttered |website=Tom's Hardware |date=2026-04-29 |access-date=2026-05-10 |url-status=live}}</ref> The trade outlet Manufactur3D added context on May 1, 2026, including that the dispute had become a flashpoint in the wider 3D-printing community.<ref name="manufactur3d-controversy">{{Cite web |title=Bambu Lab OrcaSlicer Controversy Ignites After Legal Threats |url=https://manufactur3dmag.com/bambu-lab-orcaslicer-controversy-escalates/ |website=Manufactur3D |date=2026-05-01 |access-date=2026-05-10 |url-status=live}}</ref>
The publicly documented allegations track Bambu Lab's [[Terms of Service]] and an "authorization bypass" framing.<ref name=":2" /><ref name="jarczak-readme" /> Because the letter itself was not made public, no primary source confirms which specific statute, if any, Bambu Lab invoked; neither Jarczak's account nor the secondary reporting names a specific statute, including the [[DMCA Section 1201|DMCA §1201]] anti-circumvention provision, as part of Bambu Lab's claim. The upstream OrcaSlicer maintainer SoftFever was not named in the cease-and-desist, has issued no public statement on the fork or the letter, and the upstream repository remains active.<ref name="softfever-orcaslicer" />
===Public timeline===
*'''January 16, 2025.''' Bambu Lab announced "Firmware Update: Introducing the New Authorization Control System," describing the firmware-gated authorization model.<ref name="firmware-update-introducing-new-authorization-control-system-2" />
*'''Spring 2026.''' Pawel Jarczak published <code>OrcaSlicer-bambulab</code> and a sibling repository <code>BambuStudio-BMCU</code> on GitHub.<ref name="jarczak-readme" /><ref name="jarczak-bmcu" />
*'''Late April 2026.''' Bambu Lab contacted Jarczak privately on Reddit and demanded removal of the OrcaSlicer fork. Per Jarczak's public README, Bambu Lab's allegations were impersonation of Bambu Studio, bypass of authorization controls, ToS violation, reverse engineering, and the potential for modified forks to send arbitrary commands to printers.<ref name="jarczak-readme" />
*'''Around April 23, 2026.''' Jarczak removed the <code>OrcaSlicer-bambulab</code> repository voluntarily, and replaced its contents with a public archive notice; <code>jarczakpawel/BambuStudio-BMCU</code> remained live as of May 9, 2026.<ref name="jarczak-readme" /><ref name="jarczak-bmcu" />
*'''May 7, 2026.''' Bambu Lab published "Setting the record straight on Cloud Access and Community" on its blog and posted a parallel announcement on r/BambuLab the same day.<ref name="bambu-blog-record-straight" /><ref name="bambu-reddit-record-straight">{{Cite web |last=BambuLab |title=Setting the record straight on Cloud Access and Community |url=https://www.reddit.com/r/BambuLab/comments/1t66ru1/setting_the_record_straight_on_cloud_access_and/ |website=Reddit |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref>
*'''May 7, 2026 (same day).''' A Reddit user posting as <code>Low-Anything6975</code> replied publicly under three top-level comments on the r/BambuLab thread. The first reply pinpointed the file path and code line in Bambu's own AGPL source where the User-Agent string is generated.<ref name="pawel-reddit-okg9iih">{{Cite web |last=Low-Anything6975 |title=Reply on User-Agent attribution in Bambu Studio AGPL source code |url=https://www.reddit.com/r/BambuLab/comments/1t66ru1/comment/okg9iih/ |website=Reddit |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref> The second reply addressed the cloud Terms of Service and AGPL rights to use, modify, and redistribute.<ref name="pawel-reddit-okguwzs">{{Cite web |last=Low-Anything6975 |title=Reply on cloud Terms of Service and AGPL rights to use, modify and redistribute |url=https://www.reddit.com/r/BambuLab/comments/1t66ru1/comment/okguwzs/ |website=Reddit |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref> The third reply articulated the plugin-severability symmetry argument.<ref name="pawel-reddit-okiacag">{{Cite web |last=Low-Anything6975 |title=Reply on plugin severability symmetry between AGPL forks and Bambu Lab cloud |url=https://www.reddit.com/r/BambuLab/comments/1t66ru1/comment/okiacag/ |website=Reddit |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref>
*'''May 9, 2026.''' Jarczak's public archive README was last updated; <code>BambuStudio-BMCU</code> remained live.<ref name="jarczak-readme" /><ref name="jarczak-bmcu" />
*'''May 9, 2026.''' Right-to-repair advocate Louis Rossmann publicly pledged $10,000 toward Jarczak's legal defense if Bambu Lab proceeded with the threatened lawsuit in a YouTube video titled "I'll put up $10,000 to teach bambu labs a lesson."<ref name="rossmann-youtube-pledge">{{Cite web |last=Rossmann |first=Louis |title=I'll put up $10,000 to teach bambu labs a lesson |url=https://www.youtube.com/watch?v=qLLVn6XT7v0 |website=YouTube |date=2026-05-09 |access-date=2026-05-10 |url-status=live}}</ref>
*'''May 10, 2026.''' Tom's Hardware reported Rossmann's pledge and accompanying public statement directed at Bambu Lab.<ref name="tomshardware-rossmann-pledge">{{Cite web |title=Louis Rossmann tells 3D printer maker Bambu Lab to 'Go (Bleep) yourself' over its threatened lawsuit against enthusiast — Right to Repair advocate offers to pay the legal fees for a threatened OrcaSlicer developer |url=https://www.tomshardware.com/3d-printing/louis-rossmann-tells-3d-printer-maker-bambu-lab-to-go-bleep-yourself-over-its-lawsuit-against-enthusiast-right-to-repair-advocate-offers-to-pay-the-legal-fees-for-a-threatened-orcaslicer-developer |website=Tom's Hardware |date=2026-05-10 |access-date=2026-05-10 |url-status=live}}</ref>
===Bambu Lab's public response===
Bambu Lab's May 7, 2026 blog post conceded that AGPL forks of Bambu Studio are permitted, recast the dispute as one about cloud access and "impersonation" rather than open source, and declined any responsibility under AGPL for the cloud back-end. Bambu Lab characterized the AGPL question:
<blockquote>''Bambu Studio is an open-source project under the AGPL-3.0 license. Anyone can take its code, modify it, and distribute it. This is not a matter of our "permission" - it is simply how the license and open source work.''</blockquote><ref name="bambu-blog-record-straight" />
The same post bifurcated AGPL code from cloud infrastructure:
<blockquote>''Our cloud is a private service. Access to it is governed by a user agreement, not the AGPL license.''</blockquote><ref name="bambu-blog-record-straight" />
Bambu Lab's only concrete technical allegation against the OrcaSlicer-bambulab fork in the post was that the modification "worked by injecting falsified identity metadata into network communication." The post identified the metadata as the HTTP User-Agent string the fork emitted to Bambu Cloud:
<blockquote>''When this particular OrcaSlicer fork communicates with our cloud services, it quietly introduces itself as official Bambu Studio - with a hardcoded version number and all... that's precisely the point where code modification crosses into impersonation.''</blockquote><ref name="bambu-blog-record-straight" />
Bambu Lab restated the bifurcation in summary form:
<blockquote>''Modifying and distributing AGPL code - absolutely. But impersonating official clients in communication with our cloud infrastructure is not allowed.''</blockquote><ref name="bambu-blog-record-straight" />
The trade outlet 3Druck published an analysis of the post on May 7, 2026, headlined that the dispute was about cloud access rather than open-source customization.<ref name="3druck-bambu-cloud-not-opensource">{{Cite web |title=Dispute over OrcaSlicer fork: Bambu Lab is about cloud access, not open-source customization |url=https://3druck.com/en/programs/dispute-over-orcaslicer-fork-bambu-lab-is-about-cloud-access-not-open-source-customization-16157098/ |website=3Druck.com |date=2026-05-07 |access-date=2026-05-10 |url-status=live}}</ref>
===Consumer-rights significance===
Bambu Lab printer owners had paid for hardware that, at the time of purchase, allowed third-party slicers to send print jobs directly over their own local network. The January 2025 firmware update removed that capability for owners who installed the update.<ref name="firmware-update-introducing-new-authorization-control-system-2" /> When an independent developer rebuilt the lost capability on top of source code Bambu Lab itself publishes, Bambu Lab contacted him privately on Reddit and stated that a cease and desist letter had been prepared.<ref name="jarczak-readme" /> The developer took the project down and stated he had "no interest in maintaining a prolonged dispute."<ref name="jarczak-readme" />
==Open-source licensing dispute==
Since Bambu Studio is licensed under the AGPL-3.0 license, the attempts by Bambu Lab to exert control over the software's editing and use have been described as being in conflict with the license.{{CitationNeeded}}
===Bambu Studio AGPL-3.0 licensing===
Bambu Lab elected to release Bambu Studio under the [[GNU Affero General Public License|GNU Affero General Public License version 3]] (AGPL-3.0). The LICENSE file in the upstream Bambu Studio repository is the verbatim AGPL-3.0 text.<ref name="bambustudio-license" /><ref name="agpl3-license">{{Cite web |title=GNU Affero General Public License Version 3 |url=https://www.gnu.org/licenses/agpl-3.0.html |website=GNU Project |publisher=Free Software Foundation |date=2007-11-19 |access-date=2026-05-10 |url-status=live}}</ref> The AGPL is a copyleft license: anyone who receives the code can use, modify and redistribute it, on the condition that they pass the same rights to everyone they distribute to, and that they make their modifications available as source code.<ref name="agpl3-license" /> The final paragraph of Section 10 (titled "Automatic Licensing of Downstream Recipients") begins:
<blockquote>''You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License.''</blockquote><ref name="agpl3-section10">{{Cite web |title=GNU Affero General Public License Version 3, Section 10 (Automatic Licensing of Downstream Recipients) |url=https://www.gnu.org/licenses/agpl-3.0.html#section10 |website=GNU Project |publisher=Free Software Foundation |date=2007-11-19 |access-date=2026-05-10 |url-status=live}}</ref> The paragraph continues with examples of prohibited restrictions, including imposing license fees or royalties for exercise of the granted rights and initiating patent litigation against users of the program.<ref name="agpl3-section10" />
Section 7, paragraph 4, lists the only kinds of additional terms a licensor may attach to AGPL-licensed code and states that downstream recipients may strip out anything outside that list:
<blockquote>''All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term.''</blockquote><ref name="agpl3-section7">{{Cite web |title=GNU Affero General Public License Version 3, Section 7 (Additional Terms) |url=https://www.gnu.org/licenses/agpl-3.0.html#section7 |website=GNU Project |publisher=Free Software Foundation |date=2007-11-19 |access-date=2026-05-10 |url-status=live}}</ref>
Bambu Lab's May 7, 2026 blog post acknowledges the licensing posture.<ref name="bambu-blog-record-straight" />
===Terms of Use conflict with AGPL===
Bambu Lab's Terms of Use § 3.4, preserving a typo in the source text:
<blockquote>''Except as otherwise expressly permitted, you shall not, nor allow any other person to misappropriate, intrude or make other inappropriate use of the Product, including, but not limited to modify, discoder, copy, reverse engineer, publish, publicly disseminate, decompile, export codes, disassemble or create derivatives of the Product in any way.''</blockquote><ref name=":2" />
Two further clauses in § 3.5 reinforce the same prohibitions. § 3.5(2) states:
<blockquote>''(2) provide to third parties, or allow third parties to use the whole or part of the Software without obtaining Bambu Lab's written consent (including but not limited to apps, services, code, and source code)''</blockquote><ref name=":2" />
§ 3.5(5) states:
<blockquote>''(5) attempt to destroy, bypass, change, invalidate or escape from the Product and/or any digital rights management system that is part of the organic composition of the Product''</blockquote><ref name=":2" />
Bambu Lab's Terms define "Product" to include Bambu Lab devices and the software contained therein.<ref name=":2" /> Bambu Lab's own May 7, 2026 blog post confirms that Bambu Studio is "the software" in question.<ref name="bambu-blog-record-straight" />
Commentators have noted{{CitationNeeded}} that AGPL § 7 ¶ 4 & § 10 forbid the licensor from imposing additional restrictions on AGPL-granted rights, and TOS § 3.4 / § 3.5 forbid the modification, copying, reverse engineering, decompilation, and redistribution that AGPL-3.0 explicitly grants, resulting in conflict between the AGPL license and Bambu Lab's terms. Both documents exist on Bambu Lab's servers; the FSF's published GPL FAQ classifies a network of dynamically linked components and function calls as "a single combined program" for license-obligation purposes,<ref name="fsf-gpl-faq-plugins">{{Cite web |title=Frequently Asked Questions about the GNU Licenses (GPLPlugins anchor) |url=https://www.gnu.org/licenses/gpl-faq.html#GPLPlugins |website=GNU Project |publisher=Free Software Foundation |access-date=2026-05-10 |url-status=live}}</ref>.
The same Reddit user addressed this directly on May 7, 2026:
<blockquote>''Cloud ToS also cannot erase AGPL rights to use, modify and redistribute that code.''</blockquote><ref name="pawel-reddit-okguwzs" />
===User-Agent identity metadata===
The "falsified identity metadata" Bambu Lab describes as "impersonation" is the HTTP User-Agent string the fork emits when contacting Bambu Cloud. That string is generated by Bambu Lab's own AGPL-licensed source code. The User-Agent setter is in <code>src/slic3r/Utils/Http.cpp</code>, and assembles its value from constants defined in <code>version.inc</code>. The relevant line in <code>Http.cpp</code> reads:
<blockquote>''::curl_easy_setopt(curl, CURLOPT_USERAGENT, SLIC3R_APP_NAME "/" SLIC3R_VERSION);''</blockquote><ref name="bambustudio-http-cpp">{{Cite web |title=Http.cpp source file (User-Agent setter at line 175) |url=https://github.com/bambulab/BambuStudio/blob/master/src/slic3r/Utils/Http.cpp |website=GitHub |publisher=Bambu Lab |access-date=2026-05-11 |url-status=live}}</ref>
The constants in <code>version.inc</code> set the application name and version directly:
<blockquote>''set(SLIC3R_APP_NAME "BambuStudio")''
''set(SLIC3R_VERSION "02.06.01.55")''</blockquote><ref name="bambustudio-version-inc">{{Cite web |title=version.inc (SLIC3R_APP_NAME and SLIC3R_VERSION constants) |url=https://github.com/bambulab/BambuStudio/blob/master/version.inc |website=GitHub |publisher=Bambu Lab |access-date=2026-05-10 |url-status=live}}</ref>
Both files are governed by the BambuStudio LICENSE, which is AGPL-3.0.<ref name="bambustudio-license" /> A clean compile of unmodified upstream Bambu Studio emits a <code>User-Agent: BambuStudio/02.06.01.55</code> header on every HTTP request by default, because that is the value Bambu Lab itself wrote into its own published source. The same Reddit user made this point:
<blockquote>''User-Agent is not authentication. It is just self-declared client metadata. Any program can set any User-Agent. And the most important part: this comes directly from your own AGPL code.''</blockquote><ref name="pawel-reddit-okg9iih" />
Whichever branch of the severability dilemma Bambu Lab takes in the previous subsection, the impersonation framing relies on Bambu Lab's own AGPL-licensed code generating the very header Bambu Lab calls falsified.
===Who can enforce AGPL against Bambu Lab===
Pawel Jarczak personally cannot bring a direct AGPL enforcement action against Bambu Lab. The right to sue for AGPL violations belongs to the original authors whose code Bambu Lab built on top of: the [https://github.com/slic3r/Slic3r Slic3r contributors],<ref name="slic3r-repo" /> Prusa Research and the [https://github.com/prusa3d/PrusaSlicer/blob/master/LICENSE PrusaSlicer contributors],<ref name="prusaslicer-license" /> and the [https://github.com/SoftFever/OrcaSlicer/blob/main/LICENSE.txt SoftFever / OrcaSlicer maintainers].<ref name="softfever-orcaslicer-license" /> Jarczak's role in any formal complaint is reporter and witness, not plaintiff.
The institutional capacity for AGPL enforcement on these facts sits with several organizations:
*'''[[Software Freedom Conservancy]] (SFC).''' SFC operates the only U.S.-based copyleft enforcement program currently litigating consumer-purchaser claims against a hardware manufacturer (the Vizio matter). Its [https://sfconservancy.org/copyleft-compliance/ copyleft-compliance program] handles strategic enforcement; Bradley M. Kuhn's AGPL § 7 expert report from <code>Neo4j v. PureThink</code> remains the strongest published doctrinal anchor for the Bambu Lab TOS-versus-AGPL argument.<ref name="sfc-copyleft-compliance">{{Cite web |title=Copyleft Compliance Projects |url=https://sfconservancy.org/copyleft-compliance/ |website=Software Freedom Conservancy |access-date=2026-05-10 |url-status=live}}</ref><ref name="sfc-kuhn-neo4j-2023">{{Cite web |title=SFC's Policy Fellow Files Expert Report in Neo4j v. PureThink |url=https://sfconservancy.org/news/2023/feb/09/kuhn-neo4j-purethink-expert-report/ |website=Software Freedom Conservancy |date=2023-02-09 |access-date=2026-05-10 |url-status=live}}</ref>
*'''Free Software Foundation (FSF).''' FSF drafted the AGPL and operates the [https://www.fsf.org/licensing/ Licensing and Compliance Lab]. FSF will not be the lead enforcement vehicle here because FSF does not hold copyright in BambuStudio; it can supply doctrinal authority, amicus filings, and public statements. FSF filed an amicus brief in <code>Neo4j v. Suhy</code> on March 3, 2025.<ref name="fsf-licensing">{{Cite web |title=Licensing and Compliance Lab |url=https://www.fsf.org/licensing/ |website=Free Software Foundation |access-date=2026-05-10 |url-status=live}}</ref><ref name="fsf-amicus-neo4j-2025">{{Cite web |title=FSF submits amicus brief in Neo4j v. Suhy |url=https://www.fsf.org/news/fsf-submits-amicus-brief-in-neo4j-v-suhy |website=Free Software Foundation |date=2025-03-03 |access-date=2026-05-10 |url-status=live}}</ref>
*'''Free Software Foundation Europe (FSFE).''' FSFE convenes the [https://fsfe.org/activities/ln/ln.en.html European Legal Network] of free-software lawyers and is geographically appropriate to a Polish maintainer.<ref name="fsfe-legal-network">{{Cite web |title=Legal Network |url=https://fsfe.org/activities/ln/ln.en.html |website=Free Software Foundation Europe |access-date=2026-05-10 |url-status=live}}</ref>
*'''Electronic Frontier Foundation (EFF).''' Not for AGPL enforcement, but for the maintainer's defensive posture. The [https://www.eff.org/issues/coders Coders' Rights Project] works on the legal issues developers face under DMCA, CFAA, and similar computer-crime laws and provides public guidance for reverse engineering and vulnerability disclosure.<ref name="eff-coders-rights">{{Cite web |title=Coders' Rights Project |url=https://www.eff.org/issues/coders |website=Electronic Frontier Foundation |access-date=2026-05-10 |url-status=live}}</ref>
*'''iFixit and The Repair Association.''' Press reach and [[right to repair]] coalition framing. Neither litigates AGPL; both have established media reach and legislative relationships and have publicly tracked the Bambu Lab takedown in their channels.
===Consequences for FOSS forks of corporate-sponsored AGPL projects===
Louis Rossmann publicly pledged $10,000 toward Jarczak's legal defense if Bambu Lab proceeded with a lawsuit in a May 9, 2026 YouTube video,<ref name="rossmann-youtube-pledge" /> and directed an explicit public statement at the company's leadership; Tom's Hardware reported the pledge on May 10, 2026.<ref name="tomshardware-rossmann-pledge" /> The 3D-printing trade press (3Druck, XDA, Tom's Hardware, Manufactur3D) covered the dispute as the immediate flashpoint. Enforcement organizations including the Free Software Foundation, Software Freedom Conservancy, FSFE, and Electronic Frontier Foundation have jurisdiction to bring AGPL claims, but no enforcement action involving Bambu Lab had been announced as of publication. The same question reaches every IoT-device vendor who ships AGPL or GPLv3 components with companion mobile apps and cloud back-ends, and every consumer-electronics company publishing open-source slicers, control panels, or firmware while routing user functionality through proprietary remote services.


==Impact on professional users and privacy concerns==
==Impact on professional users and privacy concerns==
Line 323: Line 227:
==Customer reactions==
==Customer reactions==


Customer reactions on community forums and Reddit were negative.<ref>{{Cite web |last=@hho |date=2025-01-15 |title=Bambu Studio 1.10.2 Public Beta |url=https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4 |url-status=live |archive-url=https://ghostarchive.org/archive/ahrz6 |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Improvements Introduce authorization and authentication protection mechanism: Bambu Studio now supports signing and encrypting control commands sent to printers when the printer supports authorization and authentication protection. The printer will determine whether the commands can be executed. Hmmm. This reads suspiciously vague. It could mean that Bambu printers get an onboard permission handling, so that you can "lock down" your printer and set what commands can be run. But it could also mean that Bambu printers in (or of?) the future will only run Gcode encrypted and signed by Bambu Studio…}}</ref><ref>{{Cite web |last=@iranintoavan |title=Firmware Update Introducing New Authorization Control System |url=https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |url-status=live |archive-url=http://web.archive.org/web/20250403012526/https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |archive-date=2025-04-03 |access-date=2025-05-01 |website=Old [[Reddit]]}}</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name=":4" />. Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control.<ref name="bambulab-forum-134549/12" /> After the announcement, Bambu Lab's Trustpilot page recorded a wave of one-star reviews citing the firmware restrictions as the reason for the rating.<ref>{{Cite web |title=Bambu Lab |url=https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-url=https://web.archive.org/web/20250119162028/https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-date=2025-01-19 |website=[[Trustpilot]]}}</ref>
Customer reactions on community forums and Reddit were negative.<ref>{{Cite web |last=@hho |date=2025-01-15 |title=Bambu Studio 1.10.2 Public Beta |url=https://forum.bambulab.com/t/bambu-studio-1-10-2-public-beta/134549/4 |url-status=live |archive-url=https://ghostarchive.org/archive/ahrz6 |archive-date=2026-03-30 |access-date=2025-05-01 |website=[[Bambu Lab]] Community Forum |quote=Improvements Introduce authorization and authentication protection mechanism: Bambu Studio now supports signing and encrypting control commands sent to printers when the printer supports authorization and authentication protection. The printer will determine whether the commands can be executed. Hmmm. This reads suspiciously vague. It could mean that Bambu printers get an onboard permission handling, so that you can "lock down" your printer and set what commands can be run. But it could also mean that Bambu printers in (or of?) the future will only run Gcode encrypted and signed by Bambu Studio…}}</ref><ref>{{Cite web |last=@iranintoavan |title=Firmware Update Introducing New Authorization Control System |url=https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |url-status=live |archive-url=http://web.archive.org/web/20250403012526/https://old.reddit.com/r/BambuLab/comments/1i2psvz/firmware_update_introducing_new_authorization/ |archive-date=2025-04-03 |access-date=2025-05-01 |website=Old [[Reddit]]}}</ref> Bambu Lab has historically pushed cloud-based printer interaction while offering limited LAN mode functionality<ref name=":4" />. Many customers argue that the security issues this locked-down firmware claims to address are actually consequences of the company's cloud-based design choices rather than inherent risks of local network control.<ref name="bambulab-forum-134549/12" /> After the announcement, Bambu Lab's Trustpilot page recorded a wave of one-star reviews citing the firmware restrictions as the reason for the rating.<ref>{{Cite web |title=Bambu Lab |url=https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-url=https://web.archive.org/web/20250119162028/https://www.trustpilot.com/review/bambulab.com?sort=recency |archive-date=2025-01-19 |website=TrustPilot}}</ref>


As of publication, '''no changes have been announced for owners who never sign their printers into the Bambu cloud service'''. Past firmware updates allowed pairing the slicer via IP address and access key and performing offline firmware updates without ever signing the printer into the cloud, keeping local functionality unchanged.<ref name="firmware-update-introducing-new-authorization-control-system-2" />
As of publication, '''no changes have been announced for owners who never sign their printers into the Bambu cloud service'''. Past firmware updates allowed pairing the slicer via IP address and access key and performing offline firmware updates without ever signing the printer into the cloud, keeping local functionality unchanged.<ref name="firmware-update-introducing-new-authorization-control-system-2" />


==Comparisons to similar practices by other companies==
==Comparisons to similar practices by other companies==
Bambu Lab's new authorization and authentication requirements have been compared to a number of practices by traditional printer manufacturers, such as [[HP]] and [[Epson]], who have faced backlash and litigation over [[digital rights management]] (DRM) practices in 2D printers.{{CitationNeeded}}  
Bambu Lab's new authorization and authentication requirements have been compared to a number of practices by traditional printer manufacturers, such as [[HP]] and [[Epson]], who have faced backlash and litigation over [[digital rights management]] (DRM) practices in 2D printers.{{CitationNeeded}}  


A parallel from the 3D-printing industry is the 3D-printer manufacturer [[MakerBot]], whose 2012 shift from open-source, DIY-focused machines to closed-source, proprietary machines drove customers to less-expensive open-source competitors, as documented by Hackaday's 2016 obituary of the company.<ref>{{Cite web |last=Benchoff |first=Brian |date=2016-04-28 |title=The MakerBot Obituary |url=https://hackaday.com/2016/04/28/the-makerbot-obituary/ |url-status=live |archive-url=http://web.archive.org/web/20251208222057/https://hackaday.com/2016/04/28/the-makerbot-obituary/ |archive-date=2025-12-08 |access-date=2025-05-01 |website=[[Hackaday]]}}</ref> MakerBot was also accused of asserting ownership over publicly available, open-source designs uploaded to its 3D print repository, Thingiverse.<ref>{{Cite web |last=Biggs |first=John |date=2014-05-28 |title=MakerBot Responds To Critics Who Claim It Is Stealing Community IP |url=https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |url-status=live |archive-url=http://web.archive.org/web/20251111041317/https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |archive-date=2025-11-11 |access-date=2025-05-01 |website=[[TechCrunch]]}}</ref>
A parallel from the 3D-printing industry is the 3D-printer manufacturer [[MakerBot]], whose 2012 shift from open-source, DIY-focused machines to closed-source, proprietary machines drove customers to less-expensive open-source competitors, as documented by Hackaday's 2016 obituary of the company.<ref>{{Cite web |last=Benchoff |first=Brian |date=2016-04-28 |title=The MakerBot Obituary |url=https://hackaday.com/2016/04/28/the-makerbot-obituary/ |url-status=live |archive-url=http://web.archive.org/web/20251208222057/https://hackaday.com/2016/04/28/the-makerbot-obituary/ |archive-date=2025-12-08 |access-date=2025-05-01 |website=Hackaday}}</ref> MakerBot was also accused of asserting ownership over publicly available, open-source designs uploaded to its 3D print repository, Thingiverse.<ref>{{Cite web |last=Biggs |first=John |date=2014-05-28 |title=MakerBot Responds To Critics Who Claim It Is Stealing Community IP |url=https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |url-status=live |archive-url=http://web.archive.org/web/20251111041317/https://techcrunch.com/2014/05/28/makerbot-responds-to-critics-who-claim-it-is-stealing-community-ip/ |archive-date=2025-11-11 |access-date=2025-05-01 |website=TechCrunch}}</ref>


==TOS restricting development of third party devices and accessories==
==TOS restricting development of third party devices and accessories==
Archived discussion threads from January 2024 confirm that a clause restricting the development of third party devices and accessories - § 3.1 - has been part of the Bambu Lab Terms of Use at least since then.<ref>{{Cite web |last=@X1Plus |title=X1plus community Bambu Lab firmware - A win for everyone? |url=https://www.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |url-status=live |archive-url=https://web.archive.org/web/20260222212657/https://old.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> Community reaction was split: some readers argued the clause is intended to restrict third-party development, while others characterized it as standard boilerplate in vendor terms.<ref>{{Cite web |last=@mflexx |title=Not updated. And this part is shared by pretty much every company that has ever existed on this planet. That's just blatant karma farming at this point. |url=https://www.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |url-status=live |archive-url=https://web.archive.org/web/20260222212738/https://old.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref>
Archived discussion threads from January 2024 confirm that a clause restricting the development of third party devices and accessories - § 3.1 - has been part of the Bambu Lab Terms of Use at least since then.<ref>{{Cite web |last=@X1Plus |title=X1plus community Bambu Lab firmware - A win for everyone? |url=https://www.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |url-status=live |archive-url=https://web.archive.org/web/20260222212657/https://old.reddit.com/r/3Dprinting/comments/18zaay0/x1plus_community_bambu_lab_firmware_a_win_for/kggqg4n/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref> Community reaction was split: some readers argued the clause is intended to restrict third-party development, while others characterized it as standard boilerplate in vendor terms.<ref>{{Cite web |last=@mflexx |title=Not updated. And this part is shared by pretty much every company that has ever existed on this planet. That's just blatant karma farming at this point. |url=https://www.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |url-status=live |archive-url=https://web.archive.org/web/20260222212738/https://old.reddit.com/r/BambuLab/comments/1ibhhg7/updated_tos_shots_fired/m9i78kj/ |archive-date=2026-02-22 |access-date=2025-05-01 |website=[[Reddit]]}}</ref>


Line 342: Line 244:
==See also==
==See also==


*[[Bambu Lab cease and desist against OrcaSlicer fork developer]]
*[[Forced account]]
*[[Forced account]]
*[[Right to repair]]
*[[Right to repair]]