Josef Prusa (@josefprusa)

BambuStudio has been violating PrusaSlicer AGPL license since their fork, with the same networking binary black box in question today. Why are they willing to burn the goodwill over it?

There's something most have sensed but never seen it all in one place, the five-law framework China built between 2017 and 2023 ⤵️

So maybe their hand is forced as their "network" is too valuable already?

Each law on its own, interesting, okay... Read them together, and add any Chinese company with big reach to the mix you get the complete picture.

1) National Intelligence Law (2017)
All organizations and citizens must "support, assist, and cooperate" with intelligence work. The same law makes it illegal to disclose that cooperation happened. Cooperation is mandatory, and silence about it is mandatory too.

2) Cryptography Law (2020)
Commercial encryption must be state-approved and state-reviewed. When authorities request it, companies must provide decryption keys or plaintext. The state on both sides of that equation is the same one.

3) Data Security Law (2021)
Article 2 gives the state extraterritorial reach over data that touches Chinese national security or public interests. So EU/US data hosting does nothing to make it safe, because jurisdiction follows the company, not the server location.

4) Counter-Espionage Law revision (2023)
The general definition of espionage was expanded to cover "documents, data, materials, or items related to national security and interests." Industrial data is one of the intended targets since the revision.

5) Network Product Security Vulnerability regulation (2021)
Any company or researcher that discovers a software vulnerability must report it to MIIT within 48 hours. From there it flows to CNNVD (China National Vulnerability Database of Information Security), operated by the 13th Bureau of the Ministry of State Security. Microsoft's threat intelligence team documented Chinese state-hacker zero-day usage rising after this took effect. Shows the willingness to use the “tools” China built.

Together they describe a system with no neutral exits. Cooperation is required, encryption is real but the spare keys live at the ministry, jurisdiction follows the company across borders, industrial data is in scope, and discovered vulnerabilities flow to an intelligence agency 😬

3D printing became strategic for China in 2020 and joined the “Made in China 2025” plan soon after. Why does 3D printing matter so much?

1/x

Bambu Lab 3D printers: never again. They're breaking the open source social contract (for the nth time...), and I'm past hoping they'll amend their ways. youtu.be/watch?v=eb48MdtN…

May 13, 2026 · 4:39 PM UTC

Two reasons this is especially dangerous in 3D printing:

First, Made in China 2025 designates essentially every advanced technology as strategic, so industrial data broadly fits the "national security and interests" definition.

Second, 3D printers concentrate at the places where new IP is created. R&D departments, prototype shops, defense suppliers, university labs, hardware startups. The machine sits next to the thing being invented. And the slicer sits on your computer with the same data and access you have.

I'm not claiming I know what's happening inside Bambu. This is relevant to every Chinese manufacturer, not just 3D printing. It's cameras, it's cars, it's the free AI models in your coding tools collecting your data.

Six years after China's wildly successful subsidies for 3D printing began, we are the only desktop Western manufacturer remaining. Let that sink in. My personal guess is that the subsidies are not designed for the benefit of Western consumers. What do you think?

2/x

What does the PrusaSlicer AGPL violation actually look like?

PS is licensed under AGPL-3.0. That's the strongest copyleft license there is. It's simple: you can fork it, you can build a business on it, you can ship it commercially. But any derivative work has to stay open source too. You take from the community, you give back to the community. That's the social contract. PS is a fork of Slic3r and even though 90+% of the codebase is now written by us, we are proud about the heritage.

BambuStudio (BS) is a fork of PrusaSlicer (PS). They published the slicer parts, that's fine. The networking plugin, the part that actually talks to their cloud, is closed-source. Just a binary black-box.

The standard defense for something like this is "the plugin is a separate work, so it's not subject to copyleft." That argument falls apart on contact with the actual software. BS cannot do its primary job without the plugin. The plugin cannot do anything without BS. They are not two products that happen to talk to each other, they are one product split across two files for PR license-laundering convenience 😒

Under AGPL, that's still a violation. You don't get to keep the copyleft piece closed by moving it across a function call boundary and calling it a separate work. The license they inherited from us doesn't allow that. The OrcaSlicer inherited the same license by forking BS and follows the rules.

Most people miss that the networking blob isn't even bundled inside BS. It downloads itself at runtime. So you can audit BambuStudio's open source code all you want. You cannot meaningfully audit the part that actually talks to the cloud. It lives outside the published software supply chain, arrives from a CDN you don't control, and can be replaced from one launch to the next without anyone outside Bambu having a chance to look at it first 😬

I flagged this exact architecture publicly in March 2023. The same architecture is in place today.
xcancel.com/josefprusa/status/1634…

Back then we considered legal action. We seriously did. But the practical reality: PrusaSlicer is software, not hardware. There's no boxed product crossing customs to stop - only real possibility which would make them comply. And jurisdiction for the licensee lands in China, which means the case lands in a Chinese court applying Chinese law to a Chinese company.

The AGPL is a license. A license without a viable enforcement path is, in practice, a suggestion.

So Bambu got away with it. The networking blob kept doing whatever it does. And many “we are sorry”s later we land here today - legal threats to a small developer opening their tiny black box 🤦‍♂️

3/x

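A defender-side check for the situation described in the post above, a binary component fetched at runtime that can change from one launch to the next. This is an added example, not code from the thread's author or from any project mentioned: it records SHA-256 digests of the files in a plugin directory and reports drift against the previous baseline. The directory, file names and baseline location are hypothetical; point it at the real plugin location on your own system.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(plugin_dir):
    """Map each file under plugin_dir (relative path) to its SHA-256 digest."""
    root = Path(plugin_dir)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff(baseline, current):
    """Classify drift between two snapshots (dicts of path -> digest)."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }

def check(plugin_dir, baseline_path):
    """Compare plugin_dir with the stored baseline, then record the new state.
    Returns None on the first run, when there is nothing to compare against."""
    baseline_path = Path(baseline_path)
    current = snapshot(plugin_dir)
    drift = None
    if baseline_path.exists():
        drift = diff(json.loads(baseline_path.read_text()), current)
    baseline_path.write_text(json.dumps(current, indent=2, sort_keys=True))
    return drift

def demo():
    """Constructed sample: a stand-in blob replaced between two 'launches'."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "plugins")            # hypothetical plugin directory
        plugins.mkdir()
        baseline = Path(tmp, "baseline.json")     # stored outside the plugin dir
        blob = plugins / "network_plugin.bin"     # hypothetical file name
        blob.write_bytes(b"constructed blob v1")
        first = check(plugins, baseline)          # first launch: baseline only
        blob.write_bytes(b"constructed blob v2")  # replaced before next launch
        (plugins / "extra.bin").write_bytes(b"constructed new file")
        return first, check(plugins, baseline)

if __name__ == "__main__":
    print(demo())
```

Run `check` before each launch and keep the baseline file somewhere the application cannot write; a non-empty `changed` or `added` list means the binary you are about to run is not the one you last saw.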

A funny story from the very beginning, because I want to be clear how long this has been on our radar.

PrusaSlicer 2.4 introduced opt-in anonymous telemetry. Shortly after release, we started seeing entries in our database labeled "BambuSlicer." We hadn't heard of BambuStudio yet. Their internal builds were accidentally configured to send telemetry to our servers instead of theirs 🤭

That's how we found out a fork existed, before they publicly launched. And after launch the community had to call out BambuLab to release the BambuStudio source code in accordance with the AGPL license
xcancel.com/Bryan_Vines/status/154…

We've known what this software is and where it came from since day one.
xcancel.com/josefprusa/status/1542…

4/4
