“Fuck you, Bambu” sparks AGPL fight over 3D control

A private Reddit message from Bambu Lab asking developer Paweł Jarczak to delete code has ignited a backlash across the open-source 3D printing world. Backers are funding a legal and technical response to what they see as AGPL violations, while Bambu says it’s
When a Reddit private message landed in Paweł Jarczak’s inbox, it didn’t read like a normal request between developers. Bambu Lab’s note suggested upcoming changes could break his code—and then moved quickly into a demand to remove an “approach” that mimicked Bambu’s official software.
By the time the broader 3D printing community caught wind of the exchange, the tone had escalated from technical dispute to something sharper. Consumer rights advocate Louis Rossmann promised to put up $10,000 to “teach bambu labs a lesson,” maker Jeff Geerling said he was never buying a Bambu Lab 3D printer again, and GamersNexus wrote, “Go fuck yourself, Bambu,” also pledging $10,000. GamersNexus said it was halting previously unannounced plans to buy $150,000 of Bambu hardware for a 3D printing project.
The fight isn’t only emotional. It’s also legal and technical—centered on whether Bambu’s treatment of third-party printer control software violates the AGPL license Bambu relies on in the first place, and whether Bambu’s security concerns are valid.
The timeline begins on April 22, when Bambu messaged Jarczak through a Reddit private message. Bambu’s first note described the situation as a warning, asking Jarczak to consider removing “the current connection approach” because it “mimics official Bambu Lab software.” Jarczak responded by saying he was ready to remove his entire project from GitHub and thanked the company for noticing his work. He also asked to be “properly acknowledged” for possibly revealing “a significant security gap,” and offered additional help—while requesting some gear, specifically the flagship H2D printer.
But Bambu wasn’t offering recognition. The company framed Jarczak’s work as unauthorized third-party software and hardware that competes with Bambu’s own offerings. Jarczak’s earlier project had supported a cheaper way to print in multiple colors without buying Bambu’s $279 AMS Lite, and he said Bambu should recognize him for that too.
Then the messaging shifted. Bambu told Jarczak, “We wanted to speak with you first and handle this in a constructive way. That said, we can’t allow this approach to continue.” Bambu also told him a cease and desist letter had already been prepared, and “invited” him to look at section 1201 of the Digital Millennium Copyright Act—an implication that legal punishment could follow if Jarczak broke “digital locks.”
Despite the threats, Bambu did not sue, did not send a cease and desist letter, and did not issue a DMCA takedown requesting removal of files from GitHub. Jarczak voluntarily took his code down. In its place, he left a note suggesting Bambu treated him like a criminal.
That’s when the internet pounced.
The open-source anger is tied to how Bambu Studio fits into a long chain of slicing software that most printers depend on. Bambu says on its websites that “Bambu Studio is based on PrusaSlicer by Prusa Research,” and that PrusaSlicer itself comes from Slic3r by Alessandro Ranellucci and the RepRap community. In practice, the “based on” relationship matters because Bambu Studio is described as a fork of PrusaSlicer—and Bambu’s own software sits on top of code that has been shared for years under licenses including the AGPL.
The slicing layer is also more than a file converter. The software “slices” 3D objects into layers, then turns those layers into printer instructions. Over time, slicers became a control interface as well—remote control, print head commands, camera monitoring, and filament-color changes.
Bambu’s community dispute sharpened around forks like OrcaSlicer. Bambu did not contest that others can fork Bambu Studio, including OrcaSlicer as the “most popular fork.” But Bambu cut off the ability for forks to send prints, remote control the print head, monitor the printer’s camera, change filament colors, and more—until their developers integrated a proprietary authentication mechanism. The lead developer of OrcaSlicer declined to be interviewed.
Jarczak’s role came from building a fork of OrcaSlicer to get around Bambu’s proprietary requirement. The code he created worked around Bambu’s lock because, after he built a copy of OrcaSlicer using code from the Linux version of Bambu Studio instead of the Windows or Mac versions, Bambu’s cloud services no longer stopped him from remote controlling his own printer.
In other words, he said he had inadvertently found a way to pick Bambu’s lock using Bambu’s own open-source code. When Bambu threatened him into submission for undoing its lock, he became a symbol for something larger.
“I’ll put up $10,000…,” Rossmann said, and it wasn’t the only public pledge. Geerling said he was done with Bambu. GamersNexus said it would commit $10,000 as well and taunted Bambu to “Sue us.” GamersNexus also began investigating scattered reports of a Bambu printer catching fire.
At the same time, Jarczak and open-source advocates made their own move that goes beyond posts and pledges. Rossmann, Burke, and thousands of other open-source advocates started forking the code Bambu was hoping to suppress. As of Monday, the Software Freedom Conservancy was hosting a project to reverse engineer Bambu’s code and described itself as a “watchdog.” Bradley Kühn, father of the AGPL open-source license and policy fellow at the Software Freedom Conservancy, said, “They’re bad actors, straight-up, and the community should do whatever we can.”
The core legal question is how AGPLv3 applies once a proprietary component plugs into an open-source program. Kühn said the situation is a “slam dunk” and pointed to two specific AGPL violations in a Software Freedom Conservancy blog post.
First was Bambu’s proprietary networking plug-in. Kühn’s blog post cites AGPL language that requires anyone who copies a program to license source code for the entire program, including “Corresponding Source,” and it includes examples like “shared libraries and dynamically linked subprograms” designed to work through “intimate data communication or control flow” between parts.
Kühn and Jarczak both argue that Bambu’s proprietary networking plug-in is made up of shared libraries and dynamically linked libraries—ones the open-source portions automatically try to install when an application runs, and ones they say communicate intimately with Bambu’s open-source code.
The second alleged violation, according to Kühn, concerns how Bambu pressured Jarczak to remove his code from GitHub while falsely claiming terms of service outweighed Jarczak’s rights under the AGPL.
Neither Kühn nor Jarczak is a lawyer. Bambu has lawyers, and two open-source tech attorneys told the outlet that AGPL enforcement is difficult.
Bambu, through head of PR Nadia Yaakoubi, told the outlet it isn’t concerned about “open-source development or legitimate code forks,” while implying Jarczak’s fork is illegitimate. Bambu argued that some of its code is “separately delivered,” and therefore not covered by AGPLv3 “Corresponding Sources” obligations. In Bambu’s words: “We do not agree that the networking plugin is properly characterized as part of Bambu Studio’s ‘Corresponding Source’ for purposes of AGPLv3, such that AGPLv3 source-availability obligations would be triggered.” Bambu added that it views the networking component as “separately delivered” and optional, and said software loading a separate component at runtime does not prove the component is part of the covered work. Bambu also argued that AGPL does not authorize access that violates rules and protocols across the network.
Independent tech lawyer Kyle Mitchell said it’s possible Bambu doesn’t have to share everything that touches its open-source code, particularly where cloud services are involved. He said AGPLv3 does not clearly spell out whether changing a program to work with web or cloud services forces disclosure of all related cloud service code, and he emphasized there’s little law in place to resolve that uncertainty. Heather Meeker, an attorney and open-source licensing expert, said that a plug-in would at least “generally be part of Corresponding Source,” but she also confirmed that courts have not meaningfully weighed in on AGPL text like this.
This is where the debate turns sharply practical: what counts as “Corresponding Source,” and what counts as acceptable technical separation.
There’s a second, parallel dispute running alongside the license arguments: security.
Bambu’s printers are remote controlled with MQTT commands. Kühn said the AGPL license does allow Bambu to deny access to a network “when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.” Bambu says it’s experienced “millions of ‘abnormal requests,’” including DDoS attacks.
But Jarczak argues the security frame doesn’t match his actions. Bambu’s May 7 claim was that Jarczak “impersonated” Bambu’s systems to obtain “unauthorized” access, and Bambu presented proof: Jarczak’s code shows his fork of OrcaSlicer identifies itself as “BambuStudio,” mostly by stating it plainly, something that Jarczak said also exists in Bambu Studio’s own open-source code.
Jarczak said if Bambu’s infrastructure treats that as dangerous, the issue is server-side authorization and architecture, not proof of an attack. He said a cloud service should enforce authorization on the server side with proper account/device authorization, token scopes, quotas, per-account limits, per-device limits, rate limiting, abuse detection, and clear API rules.
Bambu also claimed in its May 7 blog that its systems would have no way to distinguish traffic because the requests would look identical. Jarczak responded that if Bambu believed it was a live vulnerability, it should have fixed or disabled it on its side instead of threatening one developer and asking for a repository removal while leaving the underlying behavior available.
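The server-side controls listed above can be made concrete. The sketch below is an illustration added to this article, not code from Bambu, OrcaSlicer, or Jarczak; the token names, scope names, request fields, and limits are all hypothetical. It shows a service deciding on a token bound to an account, its devices, and its scopes, plus a per-account, per-device rate limit, while never consulting the client name that the client sets itself.

```python
# Added illustration: server-side authorization that ignores the
# client-declared name. All identifiers and data here are hypothetical.

# Constructed grants, as a server might store them after account login.
GRANTS = {
    "tok-alice": {"account": "alice", "devices": {"printer-01"},
                  "scopes": {"print:send", "camera:view"}},
    "tok-bob": {"account": "bob", "devices": {"printer-02"},
                "scopes": {"camera:view"}},
}


class Authorizer:
    def __init__(self, capacity=3, refill_per_s=1.0):
        self.capacity = capacity          # burst size per (account, device)
        self.refill_per_s = refill_per_s  # sustained requests per second
        self.buckets = {}                 # (account, device) -> (tokens, last_ts)

    def _take(self, key, now):
        """Token bucket: refill by elapsed time, then spend one token."""
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_s)
        allowed = tokens >= 1
        self.buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def authorize(self, req, now):
        # req["client_name"] is set by the client, so it is never consulted.
        grant = GRANTS.get(req.get("token"))
        if grant is None:
            return "deny:unknown-token"
        if req.get("device") not in grant["devices"]:
            return "deny:device-not-owned"
        if req.get("action") not in grant["scopes"]:
            return "deny:missing-scope"
        if not self._take((grant["account"], req["device"]), now):
            return "deny:rate-limited"
        return "allow"


def request(token, device, action):
    """Build a constructed request; every client claims the same name."""
    return {"client_name": "BambuStudio", "token": token,
            "device": device, "action": action}
```

Because every constructed request carries the same client name, the differing outcomes come only from the server-held grant and the rate limiter.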
Bambu told the outlet it plans to close the hole but declined to give a timing commitment. Yaakoubi wrote that Bambu had been working on enhanced authentication measures, that the current pathway still worked only because a mandatory update had not been pushed, and that forcing a disruptive rollout for one issue wasn’t how it operates. “Our security updates will be deployed steadily, at the right time, and with our users’ experience in mind,” she wrote.
Bambu also told the outlet that Jarczak “ran repeated unauthorized workaround tests” on live infrastructure and left activity logs, but Bambu declined to share the logs.
Jarczak denied wrongdoing. He told the outlet: “I did not attack their infrastructure. I did not do penetration testing. I did not scan their servers. I did not try to find hidden endpoints. I did not create a new printer command system. I did not introduce new printer-side command classes.” He added that if Bambu has logs, they should show normal client traffic from testing a slicer against Bambu’s normal cloud service path using his usual workflow.
At this point, the dispute is still in public—no legal filings have been made yet. Kühn said the community’s pressure should hopefully push Bambu “to act correctly,” referencing how the community previously pushed Bambu to open-source its PrusaSlicer fork.
In the meantime, the standoff has taken on an organized shape. The Software Freedom Conservancy said it hopes to raise just over $250,000 to hire more staff to “liberate AGPLv3-violating 3D printers,” and Louis Rossmann said his group will donate $15,000.
Bambu, for its part, said it wants a better outcome. In a statement, the company told the outlet: “Our intention from the start was to reach out and find a path forward together. We regret that our communication did not land that way. That was not the outcome we wanted, and we are committed to doing better on that front.” It also told the outlet on May 13 that it would “hold a firm line on how our cloud service is accessed by third-parties.” A day later, the company softened the language: “Rather than escalating conflict, we are focusing on strengthening our own infrastructure and protection measures moving forward.”
Kühn argues there’s a simple fix. “They should release all the code, even if the AGPL doesn’t require it, because their business is selling hardware anyway!” He also offered a second option: Bambu could throw away all AGPL code and rewrite its software from scratch, saying, “Nobody requires you to use AGPL code.”
Jarczak, meanwhile, said he doesn’t want to see Bambu shut everything down completely. “I do not think ‘fully closed’ would be better for users. It would just be more honest,” he said.
The conflict carries a high-stakes irony for a device industry built on prior open designs. Every modern 3D printer, in one way or another, depends on what came before. If the open-source community’s worst fears come true—about lock-in, suppression, and the practical value of permissive licensing—then the argument over one private message could end up changing how buyers and developers treat 3D printing itself.
So they told some coder to delete code and now everyone’s mad? Honestly sounds like typical corporate stuff.
I saw “AGPL fight” and I’m like… who even knows what that means lol. If Bambu asked him to delete stuff, yeah that’s shady. But also why is a private message a whole public war now? People need to chill.
Wait, Louis Rossmann is putting up 10k?? That’s wild. I kinda get the open source angle but AGPL is the kind of thing I never understand. Also didn’t this all start because Bambu’s “official software” is basically the only thing that works right half the time? Like, maybe just stop using their stuff.
Jeff Geerling says he’s never buying it again… okay but I’m not sure any of that actually matters to regular buyers. “Go fuck yourself”?? That’s extreme for a license dispute. And halting plans to buy $150k hardware… doesn’t that just hurt the project more than Bambu? Also AGPL violations, sure, but I swear companies always think they’re right until a headline blows up.