French delivers a sharp legal reality check to manufacturers attempting to enclose open-source ecosystems. The AGPL serves as a potent counter-strike, proving that community-driven licenses can effectively dismantle corporate gatekeeping.
Bambu Lab Sent a Cease-and-Desist. The AGPL Might Send One Back.
You spend $1,500 on a top-of-the-line 3D printer, you set it up in your workshop, you connect it to your local network, it works perfectly.
And then a few months later, the manufacturer pushes a mandatory firmware update, and suddenly you are receiving a legal threat. Not for piracy, not for theft, but for using a piece of independent open-source software to send a command to a machine sitting on your own desk.
That sounds like a dystopian science fiction story, but it's not. It is the situation we're going to walk through today, and what looks like at first glance a niche dispute over a single 3D printing project hosted on GitHub turns out to expose something a lot bigger, a fault line running through open-source licensing, the limits of anti-circumvention law, and the increasingly unsettled question of whether you actually own the devices you have already paid for.
Bambu Lab is, by any measure, a juggernaut in consumer 3D printing.
Founded in Shenzhen in 2020, privately held but doing north of $700 million a year. They make a printer called the X1 Carbon that essentially won the consumer market. And in a January 2024 blog post titled Rooted, the company wrote, and I'm quoting, "We debated whether to follow a Raspberry Pi model or adopt an approach like Apple."
"In the end, we chose to build a closed and proprietary system."
That's unusual candor. Hold on to it. It is the thesis statement for everything that follows.
In January of 2025, Bambu pushed a firmware update they called authorization control. What it did mechanically was sever a direct local network pathway that third-party community-built software had been using to talk to the printers. The community software in question is called Orca Slicer, a brand-agnostic slicer that for many users had become the gold standard.
Now, to be fair, Bambu did not just cut the cord and walk away. They released a separate middleware app called Bambu Connect that was supposed to bridge the gap.
The independent developer community was not having it. Within 10 days, Orca Slicer's lead developer, who goes by the handle SoftFever, formally rejected Bambu's olive branch. He stated on the record that simply launching a separate standalone application falls short of true integration, and that the Orca Slicer would not be supporting Bambu Connect. That created a stalemate, hundreds of thousands of users with two pieces of software that would no longer talk to each other.
The stalemate held until April of 2026, when an independent developer in Poland named Paweł Kuczyński decided to act. He published a project on GitHub he called Orca Slicer Bambu Lab, and by modifying the open-source code, he restored the direct local printing pathway that the firmware update had broken, entirely bypassing Bambu Connect. Bambu's response was immediate. They contacted Kuczyński privately and informed him that a formal cease and desist letter had been prepared. According to Kuczyński's verbatim account of the correspondence, Bambu accused him of five things. They said his repository impersonated their official software, that it bypassed their authorization controls, that it violated their terms of use, that it engaged in reverse engineering, and that it could allow modified forks to send arbitrary commands to printers.
That's the entire legal kitchen sink.
Kuczyński's response was methodical. He denied the allegations. He asked Bambu to do something very simple, identify the specific files, the specific lines of code, and the specific legal or contractual basis they were relying on for each of these claims. He wrote to them on the record, "I do not accept those allegations as established facts."
Bambu refused. They reiterated the broad accusations and declined to provide specifics. Kuczyński voluntarily took the repository down anyway. He was very clear that this was not an admission. He simply recognized the reality of the situation. A solo developer in Poland does not have the resources to litigate against a multinational hardware company. The cost of defending yourself in court forces compliance long before any judge ever evaluates whether the threat had merit. So, that's where the public record stops, but that's also where the doctrinal analysis starts to get genuinely interesting. Because when you actually unpack what Kuczyński did, the foundation of Bambu's threat looks a lot less stable than the kitchen sink would suggest.
Start with the strongest claim Bambu actually has, the accusation that Kuczyński bypassed their authorization controls in violation of section 1201 of the Digital Millennium Copyright Act.
This is the US federal anti-circumvention statute. On its face, that sounds like a textbook violation.
Bambu put up a digital wall, Kuczyński's code climbed over it, case closed.
Except, section 1201 has an explicit carve-out that protects reverse engineering when the sole purpose is to achieve interoperability between independently created computer programs. That's precisely what Kuczyński was doing. He was not cracking a video game to pirate it. He was writing code so an independent slicer could communicate with a printer the consumer had legally purchased. The Ninth Circuit has been protecting that conduct since Sega v. Accolade in 1992.
That's the first wall the DMCA claim runs into. The second is more damaging.
You cannot sue someone for circumventing a technological protection measure that effectively controls access to a copyrighted work if the measure does not actually effectively control access. And in January of 2025, within 48 hours of the authorization control app going live, reverse engineers extracted the RSA private key embedded in the Bambu Connect application and posted it online. The master key to the lock was sitting on the public internet. Hackaday wrote it up, The Rossmann Group archived it. There is heavy circuit precedent for what that means. Lexmark International v. Static Control Components decided by the Sixth Circuit in 2004, the court held that if a security mechanism is widely known or if there is a pre-existing open pathway around it, the manufacturer cannot claim that they have an effective access control in place.
You cannot sue someone for picking the lock when you'd left the back door wide open and printed the combination in the newspaper.
And according to Kuczyński's account, Bambu's own engineers admitted that the only reason the local network pathway still worked was that they had not yet gotten around to closing it on the Linux side. That is not the language of an effective access control. That is the language of a back door someone forgot to lock. So, Bambu's strongest legal theory has a 1201(f) interoperability problem and a Lexmark effectiveness problem, which effectively explains why when Kuczyński asked them to specify the legal basis, they declined.
But here is where the irony gets thicker, because while Bambu was aggressively policing an independent developer over alleged circumvention, Bambu itself may be sitting in a very fragile glass house. You have to look at the DNA of the software. There is a family tree here, and it matters. In the beginning, there was Slic3r, a community 3D printing slicer released over a decade ago. Slic3r was forked into PrusaSlicer by the Czech printer manufacturer Prusa Research. Prusa was forked into Bambu Studio. Bambu Studio was forked into Orca Slicer. Every layer of that tree is licensed under the GNU Affero General Public License version 3, the AGPL. The AGPL is what is known as a strong copyleft license. It is designed to be viral. The core rule is simple. If you take this open-source code, modify it, and either distribute the result or offer it as a network service, you are legally required to make the corresponding source code for your modifications available. You cannot take community code, build a closed wall around it, and call it proprietary.
In December of 2022, Bambu published an official blog post titled AGPL Compliance of Bambu Studio. They claimed full compliance. Their argument was that their closed networking plugin, the binary that talks to their cloud and now to their printers, is distributed independently and remains totally separate from the open-source slicer.
The community did not just take their word for it. In May of 2024, a Norwegian developer named Roy Sigurd Karlsbakk published a technical analysis of how the plugin actually loads. The slicer pulls the plugin in at runtime through a specific function called dlopen, and the mechanical function of dlopen is where Bambu's argument runs into a wall, because dlopen is not two separate programs waving at each other from a distance. It loads the closed-source plugin directly into the open-source application's memory space. They share control flow, they execute each other's functions. The closed plugin in operational reality is plugged directly into the open-source code's central nervous system.
The AGPL's text contemplates exactly this. The license's definition of corresponding source expressly includes, and I'm quoting, "Shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow."
Intimate data communication. That language was not in the license by accident, and by Karlsbakk's reading, Bambu's networking plugin sits exactly inside it.
It gets worse. In February 2025, GitHub issue number 6307 was filed against the Bambu Studio repository.
The user pointed out that the change log for Bambu Studio version 1.10.0276 referenced a new authorization and authorization protection mechanism, that very lock Bambu had used to shut OrcaSlicer out, but the corresponding source code for that mechanism appeared to be missing from the public repository. That is not a section 13 network service question. That is a section 5 modified work question. And withholding the source for modifications to AGPL code is a textbook violation.
Now, the standard response to all of this is yes, but who can actually sue?
Historically, only the original copyright holders have standing to enforce an open source license. The original slicer authors do not have the war chest to drag a multinational corporation into federal court.
That is what makes the December 2025 ruling out of California state court so important. The case is Software Freedom Conservancy versus Vizio. SFC sued Vizio not as a copyright holder, but as a purchaser of a Vizio television, arguing that the GPL operates as a contract between Vizio and the upstream developers.
And the consumer who buys the TV is the contract's intended third-party beneficiary.
On December 4th, 2025, Judge Sandy Leal issued a tentative ruling in SFC's favor. The court found that a direct contract was formed the moment the purchaser requested the source code from Vizio. That decoupling, separating enforcement from upstream copyright holders, and routing it through anyone who bought the product is a doctrinal bomb. And Bambu Lab USA is headquartered in California, the exact jurisdiction where this precedent is being forged.
The picture then looks like this. Bambu sends a cease and desist letter to a developer over an open source project while a legal mechanism is quietly taking shape that would allow any of Bambu's own customers to walk into California state court and demand the corresponding source code for their entire closed networking ecosystem.
But you have to zoom out because the conflict between Bambu and OrcaSlicer is not an isolated event. It is a textbook manifestation of what right to repair advocates have started calling progressive enclosure, the strategy by which manufacturers across every sector use software locks to convert one-time hardware sales into ongoing monetizable services. Bambu's enclosure timeline tracks the pattern almost perfectly.
January 2024, the one-way ticket warranty policy, install third-party firmware and your warranty is permanently void. Late 2022 and onward, the closed networking plugin loaded via dlopen. January 2025, authorization control. And running underneath all of it, this revealing exchange in January 2025, Sean Hollister at The Verge asked a Bambu spokesperson directly whether the company would commit to never requiring a paid subscription to control its printers over a local network.
The spokesman agreed for the current product line. They explicitly refused to commit to future hardware.
They left the door open to charge users a recurring fee to operate hardware sitting in the user's own home.
This is the playbook that triggered the right to repair movement in the first place.
The most famous parallel, of course, is John Deere. For years, John Deere told the Copyright Office that farmers had only an implied license to the software running their tractors. They used encrypted software locks to prevent farmers from reading diagnostic codes or replacing parts independently, forcing reliance on authorized dealerships. The strategy has finally hit a wall. The FTC sued Deere in January of 2025 and on April 7th last month, Deere announced a preliminary $99 million settlement in a related class action, paired with a 10-year commitment to provide farmers with the digital diagnostic tools and remove software locks.
We've seen the same pattern with HP.
When HP pushed firmware updates that disabled their printers the moment a user installed a third-party ink, the FTC stepped in under the Magnuson-Moss Warranty Act, which structurally prohibits manufacturers from conditioning a product's warranty or functionality on the consumer purchasing only the manufacturer's branded replacement parts.
It is worth pausing on what this means at the practical level. Imagine you bought a brand new car, paid it off in full, parked it in your own garage, and then the dealership informed you that actually you only licensed the steering column and they will need to remotely disable the engine via cellular connection if they detect you use an unauthorized brand of windshield wiper fluid. In the physical world, that is absurd. In the digital one, it is standard operating procedure.
And the regulatory landscape is not just unsettled. In Europe, it is actively colliding with itself. On one side, the EU right to repair directive, directive 2024/1799, which took effect in July of 2024.
Article 5 paragraph 6 states verbatim, "Manufacturers shall not use any contractual clauses, hardware, or software techniques that impede the repair of goods unless justified by legitimate and objective factors, including the protection of intellectual property rights."
That is a direct textual ban on using software locks to block repair and interoperability.
On the other side, the EU Cyber Resilience Act, regulation 2024/2847, which followed 5 months later, mandating that manufacturers of products with digital elements maintain strict cybersecurity protocols and rapidly patch vulnerabilities. The penalty under Article 64 reached 15 million euros or 2.5% of global turnover, whichever is higher.
It is a perfect legislative paradox. The Cyber Resilience Act gives hardware manufacturers a powerful, legally mandated reason to lock devices down tighter than ever under the guise of mandated security. The right to repair directive prohibits exactly those same software techniques when they impede hardware functionality and repair.
And Bambu's authorization control update, which the company justified as a security measure and which conveniently severed third-party slicer access, is sitting directly on the seam between those two regimes.
So, what is actually happening here? A company that built itself on community open source software has decided, by its own admission, to be Apple.
That is a legitimate business choice, but Apple builds Apple software. Bambu builds Bambu Studio on top of someone else's.
The license they inherited is not a courtesy. It is a contract. And when they send legal threats to developers who are exercising rights that the license grants them while simultaneously failing to honor the obligations that license imposes on Bambu, they have stepped onto ground that has not yet been fully tested in court, but is testable.
The precedents being forged in these niche hardware communities are not staying in those communities. They are the precedents that will dictate how your refrigerator, your car, and your home security system operate 10 years from now. As more and more of the hardware in our lives becomes dependent on cloud-tethered authorization keys to execute basic functions on a local network, the question worth sitting with is this: Do we actually own the smart devices we have spent our money on, or are we slowly, quietly transitioning into a world where we are merely permanently leasing the right to turn them on?
Pav Yu Yarchik chose not to test it, but the next developer might.
Thanks for watching. I'm Leonard French, your favorite copyright attorney, and I want to hear what you think. Please share your thoughts in the comments. How do you feel about manufacturers trying to retain control of their products after the sale? Should such restrictions be allowed so long as they are fully disclosed to the consumer? And what happens when they aren't?
When the printer you bought becomes, to use the technical term, a 32-kg brick.
Lawful Masses runs on community support and I'm grateful for every one of you who makes that possible. Special thanks to EV, Ugly Grill, TechTechPotato, The Blood Soaked Survivors, and Kyle C Fring for their top-tier support. If you'd like to join them, head to patreon.com/ljfrench.
But supporting the channel isn't the only thing you can do here. What can you do about unfair software restrictions?
Contact your congresspersons, of course.
I've been building a web app that makes it easy to send a quick message to your representatives via postcards. Postcards are faster than letters. Emails are easy to ignore, but postcards, postcards get read. If you think Congress needs to hear from you, this is a great way to do it. Version 2 now supports state representatives and Americans abroad.
Check it out at postcardstocongress.org.
Use coupon code just $5 to send postcards to all three of your congresscritters for just $5.
Until next time, I love you all. Take care. Bye.