Blog / Open Source

Bambu Lab Is Abusing the Open Source Social Contract: Full Controversy Guide

Published: 2026-05-13 • Category: Open Source / 3D Printing / Legal

Overview

In May 2026, Bambu Lab, the prominent 3D printer manufacturer, sent a cease-and-desist notice to the developer of a community-maintained fork of OrcaSlicer called OrcaSlicer-bambulab. The fork was a minimal modification of Bambu Studio's own AGPLv3-licensed code that allowed users to use OrcaSlicer without routing every print through Bambu's cloud servers. The incident quickly became the top story on Hacker News with 884 points, drawing sharp criticism from prominent voices in the open source and 3D printing communities including Jeff Geerling and Louis Rossmann.

The Background: How We Got Here

Last year, Jeff Geerling famously announced he would "probably never recommend another Bambu Lab printer again" after Bambu Lab started pushing their always-connected cloud solution as the new default. He responded by:

OrcaSlicer itself sits at the end of a long chain of open source forks: it is a fork of Bambu Studio, which is a fork of PrusaSlicer, which is a fork of Slic3r. All are licensed under the AGPLv3 open source license. Every fork in this chain exercised the exact rights granted by the AGPLv3 — the right to view, modify, and redistribute the source code.

What Happened This Time

A developer named jarczakpawel created a fork called OrcaSlicer-bambulab. The fork's key modification was simple: it allowed users to use OrcaSlicer with Bambu Lab printers without routing every print through Bambu's servers. Bambu Lab's default setup already routes every file you print through its cloud via Bambu Connect, giving the company visibility into everything users print. Developer mode exists as an alternative, but requires users to block internet access on old firmware — a step most users don't take.

The fork used Bambu Studio's upstream AGPL-licensed code verbatim for the network communication layer. In response, Bambu Lab threatened legal action, making serious public accusations:

Bambu Lab's Blog Post

Bambu Lab published a blog post titled "Setting the Record Straight on Cloud Access and Community", where they stated:

"The modification in question worked by injecting falsified identity metadata into network communication. In simple terms: it pretended to be the official Bambu Studio client when communicating with our servers."

Jeff Geerling responded: "I don't think they understand open source culture. Security either, if a public user agent string is their only protection against DDoS attacks..."

The developer was using the same AGPL-licensed code that Bambu's own Linux app uses — specifically, the HTTP client code from src/slic3r/Utils/Http.cpp. This is standard open source practice: when you use AGPL code, you inherit its capabilities. The fork did nothing that upstream code didn't already do.

Why This Matters: The Open Source Social Contract

The AGPLv3 license is designed specifically to prevent companies from using open source code in services without contributing back. It requires that any modified version distributed publicly must release its source code. Bambu Lab chose AGPLv3 for Bambu Studio, which means they explicitly gave permission for what the fork did. Threatening a developer for exercising those rights undermines the entire open source ecosystem.

Jeff Geerling highlighted the irony: when Bambu Lab's fork caused Bambu users' telemetry to hit Prusa's servers back in 2022, Prusa didn't issue a C&D. They understood the give-and-take of open source.

The Developer's Response

In his commit message responding to the legal threats, the fork's developer wrote:

"Bambu Lab did not write to me with these specific public claims first. They also refused my request to publish the full correspondence. Instead, they published a one-sided public statement where I cannot reply directly. In practice, this presents me to the public as someone bypassing security, impersonating their client, and creating a risk to their infrastructure. I reject that characterization."

He also noted: "I previously helped Bambu Studio users with Linux and Wayland issues, including on Bambu Lab's own GitHub. That makes it especially absurd to me that I am now being publicly presented as someone dangerous to their infrastructure."

Community Reaction: Louis Rossmann Pledges $10,000

Louis Rossmann posted a video saying he'd pledge $10,000 to help the open source developer fight Bambu's legal threats. Jeff Geerling said he'd happily chip in too, but noted that's only useful if the developer wants to put himself back in Bambu's crosshairs.

Rossmann's intervention signals how seriously the hardware and open source communities take this issue. The core question is: if a company releases software under AGPLv3, can they later attack someone who uses that same code in a fork?

Bambu Lab's Structural Vulnerability Argument

Bambu Lab's blog post raised a security concern:

"It creates structural vulnerability. If this method were widely adopted or incorrectly configured, thousands of clients could simultaneously hit our servers while impersonating the official client. Our systems would have no way to distinguish traffic, because the requests would look identical."

Geerling's response was sharp: "I love how they frame this as a developer trying to impersonate their app, when he's literally using the same AGPL-licensed code their Linux app uses." He also pointed out that if Bambu's only protection against DDoS attacks is a public user agent string, they have deeper problems with their infrastructure security.

The Practical Impact

The fork in question had very little uptake outside a tiny subset of power users before Bambu Lab's cease-and-desist. As Geerling noted: "Maybe ask for the fork to not include 'bambulabs' in the name, since that could be a reasonable trademark-related demand." The confrontation escalated the situation far beyond what a simple communication could have resolved.

What This Means for 3D Printing and Open Source

The broader issue here isn't just about one company and one fork. It's about the fundamental expectations of open source licensing:

Geerling sums it up: "It seems dumb to me, because it would've been easier (and more profitable) to do nothing at all. Instead, they wrote a blog post blaming an individual open source developer for their own infrastructure and security problems."

How to Protect Your Rights as a 3D Printer Owner

If you own a Bambu Lab printer and want to maintain control over it:

Conclusion

The OrcaSlicer-bambulab controversy is a case study in how not to handle community open source contributions. Bambu Lab had multiple paths that could have resolved the situation without escalation: a friendly conversation about trademark concerns, a dialogue about infrastructure security, or simply doing nothing (the most profitable option). Instead, they chose to threaten a developer who was using their own AGPL-licensed code in exactly the way the license intended.

The community's response — 884 Hacker News points, a $10,000 pledge from Louis Rossmann, and widespread condemnation — sends a clear message: the open source social contract matters, and companies that abuse it will face consequences.