BambuStudio has been violating PrusaSlicer AGPL license since their fork
Josef Prusa publicly accuses Bambu Lab's BambuStudio of violating the AGPL license by distributing a closed-source networking component integral to its operation. He posits this isn't just a simple license breach, but potentially a consequence of China's extensive national security laws, which mandate data cooperation and intelligence assistance from companies. This situation highlights critical concerns about open-source ethics, data sovereignty, and the geopolitical implications of technology manufactured in China, especially in strategic sectors like 3D printing.
The Lowdown
Josef Prusa, founder of Prusa Research, has publicly accused Bambu Lab's BambuStudio software of violating the AGPL license of PrusaSlicer, from which it was forked. Prusa suggests this violation is not merely an oversight but potentially influenced by a framework of five Chinese national security laws that mandate data cooperation and intelligence assistance from companies operating within China.
- AGPL Violation Details: BambuStudio, a derivative work of AGPL-3.0 licensed PrusaSlicer, includes a closed-source networking binary. This component, which communicates with Bambu Lab's cloud services, is argued to be integral to BambuStudio's functionality, making its closed-source nature a direct violation of the copyleft license. Adding to the concern, this networking piece is downloaded at runtime from a CDN, making it un-auditable by users or the open-source community.
- Enforcement Challenges: Despite early knowledge and considering legal action, Prusa notes the practical impossibility of enforcing the AGPL against a Chinese company in a Chinese court under Chinese law, effectively rendering the license a mere suggestion in this context.
- Chinese Legal Framework: Prusa details five key Chinese laws: the National Intelligence Law (2017), Cryptography Law (2020), Data Security Law (2021), Counter-Espionage Law (2023), and Network Product Security Vulnerability regulation (2021). Collectively, these laws mandate corporate cooperation with state intelligence, provide state access to commercial encryption keys, assert extraterritorial data jurisdiction, broaden espionage definitions to include industrial data, and require reporting software vulnerabilities to state intelligence agencies.
- Strategic Importance of 3D Printing: 3D printing was designated strategic in China's "Made in China 2025" plan. This makes industrial data from 3D printers, particularly those used in R&D, prototype shops, and defense, highly relevant under the broad "national security and interests" definitions in Chinese law, raising concerns about potential data exfiltration where new intellectual property is created.
- Accidental Telemetry & Prior Awareness: Prusa shares an anecdote where early BambuStudio internal builds accidentally sent telemetry to Prusa's servers, revealing the fork's existence before its public launch and confirming Prusa's long-standing awareness of Bambu Lab's practices.
Prusa concludes by emphasizing that this issue extends beyond Bambu Lab and 3D printing, applying to any Chinese manufacturer with significant market reach and data-collecting products. He highlights the creation of a system with "no neutral exits," where mandatory cooperation with intelligence agencies, un-auditable software, and state-controlled data access erode trust and open-source principles, while Western manufacturers struggle to compete against state-subsidized entities operating under such a framework.