Setting the Record Straight on Cloud Access and Community

Hi everyone,

We’ve been following the recent discussion regarding the “OrcaSlicer-BambuLab” project.

As you know, we requested the removal of the repository from GitHub. And while we appreciate the community’s serious engagement with this matter, we would like to clarify several points that may have been misconstrued or caused unintended confusion.

First and foremost, we fully support the open-source community and will continue contributing through Bambu Studio. We deeply respect the AGPL license. Modifying, forking, and redistributing code, as seen with OrcaSlicer and many other projects, is fully respected. We have no issue with this.

Also to be very clear: this is not about OrcaSlicer itself or any other legitimate forks.

The concern is specifically around a separate fork that attempts to impersonate an official Bambu Studio client in order to access our cloud services.

We have observed instances of this being shared publicly. Technically, this involves injecting falsified identity metadata into network communications so that an unofficial client appears identical to an official one to our servers.

This type of method introduces serious risk. If used maliciously, it can generate DDoS-like load patterns, overwhelming our cloud infrastructure and negatively impacting service stability for all users. We learned this before.

It is important to distinguish between rights to the code and access to the service. Open-source licensing governs the code, but it does not grant unlimited or deceptive access to Bambu’s private cloud infrastructure. Our cloud is a private service. Access to it is governed by a user agreement, not the AGPL license.

We truly appreciate the passion and creativity of developers in the community, and we know the contributions come from a good place. However, these specific methods expose the platform to risk.

The measures we are taking are focused solely on preventing impersonation and protecting the integrity of our services.

We don’t prohibit modifications of the open source code, nor we want to close it. It is only about cloud service.

We would also like to remind our advanced users who want more control over their devices, that Bambu Connect, Lan Mode and Developer Mode are available, if the cloud connection is not your first choice.

If you would like to learn more, you can read our blog post here.

85 Likes
55 Likes

That’s really a moot argument and you guys know it. Your cloud services are not really required to print, and anyone who wants to rely on your cloud to print, can very well subscribe for them.

What you’re really afraid the most is not that some users might drop Studio and your Connect crapware in favor of better 3rd party apps, but rather you fear losing your control over users’ machines, control that allows you to be the sole decision-maker on how users can use their printers.

80 Likes

Re: your blog:

If this is the metadata that granted them undue access to your cloud… well, a user_agent string is not any part of a digital lock… security red flags….

Whats the top payout on the bug bounty? The site doesnt provide any numbers.

28 Likes

You can try to spin it every which way you want. We want local access first, cloud access second.

Think Sonos speaker debacle. You are going too far down the Apple path.

My printer, my control. If you gave us proper local access first, this situation would not have arisen!

sounds a bit like Tivoization - Wikipedia

I do not need you as gate keeper to my printer.

Lawful Masses with Leonard French - Bambu Lab Sent a Cease-and-Desist. The AGPL Might Send One Back. - https://youtu.be/0tdZ5Z7nRDY

Louis Rossmann - Bambu labs sends legal threat to orcaslicer dev over use of AGPL code - YouTube

55 Likes

This is another example of Bambu using corporate posturing and community-friendly language to avoid the real issue.

Disclosure: I wrote this post. I used AI to help organize and insert source links from bookmarks and articles I have been curating since 01/25. The argument, structure, and formatting choices are mine. The use of headings, underlining, links, and nested source sections comes from roughly two decades as a forum user, moderator, and administrator. Any polish in the writing is not because I am a professional writer. It is the byproduct of 40 years of technical, business, and customer-facing writing.

Bambu has the right to control access to its cloud

I will grant Bambu one point up front: Bambu has the right to control access to its own cloud infrastructure. An AGPL license does not give anyone unlimited access to Bambu’s private cloud service. If a third-party client is actually presenting itself to Bambu’s servers as official Bambu Studio, then Bambu has a legitimate basis to object to that specific cloud behavior.

But that narrow point does not resolve the larger problem

Bambu built its early success on enthusiasts and early adopters who believed they were buying products they would own, not renting permission to use those products under whatever access model Bambu might later impose.

Those early users supported Bambu when the company was still earning trust. They reasonably expected normal ownership rights over the printers they paid for, including local workflows and third-party tools without forced dependence on Bambu-controlled middleware.

The 01/16/25 Bambu Connect controversy changed the trust equation

The Bambu Connect controversy was not just a software preference dispute. It changed the after-sale conditions of product use.

Owners were effectively told to choose between firmware improvements and preserving control over their own machines. That is not an acceptable choice. A product owner should not have to freeze firmware to preserve property rights.

Bambu later walked back parts of that position after public outcry, but that does not erase the original direction of travel. The concern was not imagined. Bambu’s own communication created it.

That same pattern is showing up again here.

Related reading - 01/16/25 and Bambu Connect

If this is truly only about cloud impersonation, then prove it clearly

Bambu now says the OrcaSlicer-BambuLab issue is only about cloud impersonation.

Fine.

If that is truly the issue, then publish the technical boundary. Identify the specific behavior that crossed the line. Separate cloud access from LAN/local control. Separate actual server impersonation from restoring functionality owners previously had. Separate copyright claims from contract claims from security claims.

Instead, Bambu has again chosen opacity.

The company makes broad claims about the GitHub project, then reportedly pressures the developer not to reveal the details of Bambu’s demands. That is the heart of the distrust.

If Bambu’s case is as clean as presented, then publish a sanitized technical explanation. Show the exact network behavior being objected to. Explain the exact rule being enforced. Do not ask the community to accept a conclusion while hiding the facts needed to evaluate it.

Related reading - cloud access and the GitHub takedown

Bambu benefited from open source when it suited Bambu

This is especially hard to accept from a company that repeatedly presents itself as a supporter of open source.

Bambu benefited from open-source software, open-source culture, and early enthusiast support. Bambu Studio traces its roots through the open-source slicer ecosystem. Bambu has publicly acknowledged that its slicer side is based on Slic3r, SuperSlicer, and PrusaSlicer, while its connection utility and cloud components remain proprietary.

That is exactly why the community is skeptical.

Bambu wants the benefits of open source when it helps Bambu enter the market, but when enthusiasts extend or restore functionality in ways Bambu dislikes, the company reaches for legal pressure and calls the result a threat to the ecosystem.

Related reading - Bambu and open source

They cannot have it both ways

Open source is not “you may enhance this only when it preserves our commercial control.”

Open source has a share-and-share-alike culture. Bambu benefited from that culture when it suited them, then moved toward tighter control once the ecosystem became valuable.

The practical effect is that Bambu used legal pressure to bully an individual developer into taking down code, while also asking the community to trust Bambu’s private version of events.

That is not transparency.

That is intimidation wrapped in public-relations language.

If Bambu wants credibility, preserve real local ownership

If Bambu wants credibility, then make participation in the Bambu ecosystem free of cloud obligations.

Preserve fully functional local control for current products without forcing owners to choose between firmware updates and ownership rights. Publish clear, stable, documented local APIs. Stop using Bambu Connect as a gatekeeper. Stop treating third-party control as a tolerated exception instead of a normal ownership right.

Bambu can control its cloud. That is not the dispute.

The dispute is whether Bambu owners control their printers.

Right now, Bambu’s actions keep answering that question in the wrong direction.

__________________________________________

For those looking for the rest of the facts

Here are citations from the last year, plus earlier background from both sides of the argument. Judge for yourself:

All related links

__________________________________________

Why the Clippy avatar?

The Clippy avatar is intentional.

Clippy started as Microsoft’s much-mocked Office assistant, but it has recently become a symbol in the consumer-rights and right-to-repair movement. The point is partly ironic: Clippy was annoying, but he was local, harmless, dismissible, and not trying to harvest your data, lock you into a cloud service, disable features after purchase, or turn your own device into a permission-based appliance.

In that sense, Clippy has become a shorthand protest against modern anti-owner product design. It is a small visual signal that says: I support user ownership, repairability, local control, and products that keep working without vendor permission.

Related reading:

64 Likes

Isn’t this what LAN mode is?

Their Terms, you agreed. Like it or not when it comes to the closed source Network Plugin it doesn’t matter what you or I think. We both agreed to the Terms when we logged into our printers, installed Studio. Gatekeeping isn’t even part of this, again you can use your printer how you want all day long.
Please tell me, how is it you can’t use your printer?

35 Likes

you have the lan mode and dev mode to get full local access already, for third party slicers. it’s literally there since the verification was implemented.

And now some are crying for not being able to essentially hack into bambu’s cloud to use bambu’s cloud.

That’s totally different things. If bambu stops the dev mode then it’s totally bambu’s fault. But problem is bambu literally provides dev mode already so how on earth is this a problem that they don’t provide the free online service or limit the access of this service, which isn’t a part of the printer and doesn’t affect the functions?

People are literally ■■■■■■■■ on BBL not knowing what they are talking about.

The whole point of the cease and desist was to prevent unauthorised cloud access, and while a bunch of critics are talking about “no bambu cloud screw bambu cloud” then that’s exactly what you would want then, no bambu cloud anymore!

now, back to the AGPL thing. This is a more complex topic that can only be ruled out in court, because whether or not a plugin is free from AGPL infection is very much depending on the judge’s view. I’m pretty sure FSF has already knew about this and if they’re not happy about it they can totally sue bambu and get it ruled out, so that in future there would be one less way to exploit AGPL, or AGPL would need to update itself to fight against the exploits.

30 Likes

The problem is, you have almost certainly violated the AGPL license of the slicer you modified into Bambu Studio.

You know perfectly well you can’t stuff your network access protocols into an AGPL software, so you tried to be cute with a “network plugin” that’s been demonstrated to not be a plugin in any way, but rather a superficial attempt to split the code into two packages.

The original sin was how you set up cloud access within Bambu Studio; you really don’t have a leg to stand on around any aspect of this because you’re so clearly in the wrong yourselves.

23 Likes

Be Agreeable, Even When You Disagree

You may wish to respond by disagreeing. That’s fine. But remember to criticize ideas, not people. Please avoid:

  • Name-calling
  • Ad hominem attacks
  • Responding to a post’s tone instead of its actual content
  • Knee-jerk contradiction

Instead, provide thoughtful insights that improve the conversation.

16 Likes

I would have thought that this thread would have garnered more attention. But then the more committed individuals are on the other thread, sympathizing with and hero worshipping the man who was sent the cease and desist letter. A man who was involved in illegal activity. It baffles me, that a godless hedonist like me is the one who has to explain ethics to others.

It is a repeated pattern. Some guy on YouTube makes an outlandish provocative allegation, often void of tangible facts. A certain group of people become agitated and in the following days express their outrage across the internet. Happens all the time, subject after subject, time after time. There have been numerous studies. The process and those susceptible are well known. Preachers and con-men have been perfecting the art and targeting their audience for thousands of years.

Those who attack Bambu tend to do so under the banner of open-source, even though I get the idea that most of those who do so are rather vague on what open-source is. It seems the imagined maverick persona is more to the point. On one hand they tell us that Bambu Studio was based on Prusa slicer and that ORCA is a fork from Bambu Slicer, yet for some reason they claim the source code is unavailable. Then they will go on and on about how horrible Bambu Slicer is, and how it never works, how it constantly locks up, crashes their computer, is excessively slow, and on and on and on… They will insist that Bambu Lab printers are good printers but plagued with bad software. I, and the vast majority of Bambu customers can attest to our experience that Bambu Studio works as flawlessly as any other regularly used program. In almost three years, with extensive use, I have never had a problem with Bambu Studio. Most annoying, is that repeated pattern of using narratives that don’t square with reality, to support their arguments.

Reading their posts, I often get the feeling that those who criticize Bambu the most, fail to see the forest for the trees. Bambu is built around designers. Designers are central to Bambu’s business model. Through Bambu’s lucrative incentive programs, some of the best 3D designers are active on Maker World. The selling point of a Bambu printer, is that one can print the large number of quality models available on Maker World. Good design requires skills and talents that not every one has. Yet with a Bambu printer, anyone can create the works of great designers, for themselves. A community of sorts has arisen between designers and those who print their designs. Where those who print get satisfying products while the designers are rewarded for their efforts. The Cloud is necessary to track prints being printed so that designers can be accurately credited, boosts can be distributed, and comments and ratings can be recorded.

The open-source mavericks repeatedly claim that they are just trying to help, to make things better, which comes off as a big red flag. Especially so when it seems everything they are advocating for tends to center around breaking the system. It is as if they want Bambu to be something that it is not, something less. But breaking the system doesn’t just hurt Bambu, it hurts many thousands, if not millions by now, of those who benefit and actively participate in the Bambu eco system on a regular basis. Now there is this case, where a man was engaged in illegal activity to further the ends of the open-source mavericks. Which is quite telling.

27 Likes

The TOS cannot be used to introduce extra restriction to AGPL licensed software. That’s like, one of the 4 basic freedoms of foss, the freedom to use. Nor can it be used to restrict how forks modify the software.

If Bambu wants to block access to their cloud through that specific pathway, a pathway that was published in their AGPL licensed Bambu Studio code, they can do it server side.

They CANNOT DICTATE how people fork and use AGPL licensed code.

22 Likes

We should focus on the facts - facts that even Bambu has confirmed: There was never a proper security strategy. That is the root of the problem.

Only two lines of code need to be changed - that’s all. This has been known for months, and now that Bambu has posted about it themselves, it can finally be shown. The problem has not been resolved, nor can it be resolved currently, as bambu themself admits on their blog.

This needs to be criticized; no company can afford such a flimsy security strategy, yet instead we’re being distracted by arguments from bambu about “securing our own cloud”. Yes, of course it needs to be secured - because it’s never was secure.

Literally any spammer, bot, or whatever can log in - this isn’t a problem caused by a “single open-source developer” - it’s a fundamental issue that security has never been in place.


Two lines that make the difference between the code being secure and it not being secure at all.

See also bamu’s own blog, where the image was posted

6 Likes

The problem is imitation. A C&D is completely legally protected in this case, no matter what license was being used.

A very simple case would be DDOSing a website. Even if you’re using a completely legal browser on all your completely legal slave zombies, by DDOSing a website you’re facing legal consequences.

And I agree with @RetroSharky , BBL’s so called cloud infrastructure and security is a joke. And in general that’s what we have to accept until A1s or P1s won’t connect to the cloud anymore because on these machines anything more complicated simply won’t work.

4 Likes

It is important to distinguish between rights to the code and access to the service. Open-source licensing governs the code, but it does not grant unlimited or deceptive access to Bambu’s private cloud infrastructure. Our cloud is a private service. Access to it is governed by a user agreement, not the AGPL license.

The code used by that specific fork to access the server was published in Bambu Studio, so the use of that specific code is governed by the AGPL not your tos. A tos cannot be used to introduce restrictions to AGPL licensed code.

If you want to restrict access to your cloud, you can do it server side, but you cannot dictate what people will do with AGPL licensed code.

Also we should note that even your “official way“ of accessing the cloud could very well be considered an AGPL violation, since your cute “network plugin“ is, according to various sources, is loaded into Bambu Studio on runtime through dlopen, not merely communicating with it but being fully loaded in its memory space. This surely does fall in the shared libraries and dynamically linked subprograms mentioned in the AGPL, which means the plugin is not truly independent and is subject to copyleft.

As such, the fact that the network plugin itself is closed source is in itself an AGPL violation.

So we have 3 AGPL violations from Bambu:

  • Breaching freedom to modify by shutting down a fork of Bambu Studio
  • Breaching freedom to use by trying to dictate how users should use code Bambu themselves published as open, specifically that Linux pathway the fork was using to connect.
  • Creating a plugin that works with the slicer in such a way that it could be considered a modification or derivative work, but not publishing its source code, while the licenses has copyleft.
15 Likes

The whole memory space thing is ridiculous claim. A modern web page, is often running in the same memory space of the browser workers.

You can feel it’s violating agpl, but this is not a direct, clear infringement, and it has to be ruled out in court.

11 Likes

Not really, because even “imitation” is subjective in this case. Bambu Labs published the code that allowed the fork to access their servers, and the published is as AGPL. How can it be considered imitation when they themselves authorized us to use and modify that code? It is not like he wrote some exploit or smth, the code he used is entirely licensed as AGPL in Bambu Studio itself.

If they want to stop access, they are only allowed to use it server side.

6 Likes

Where is that code? Where is that commit? :face_with_monocle:

1 Like

AGPL may give you rights to the client code, but it doesn’t give you rights to Bambu’s private cloud.

A better analogy: having a copied key design doesn’t mean you’re allowed to enter someone’s building. The code can be open, while access to the service is still controlled by the owner.

4 Likes

At the very least, the current situation is that Bambu is incredibly lucky that no spammers or scammers have taken an interest in it yet. Since anyone can log in, including bots as I mentioned, the entire cloud could be rendered unusable, meaning no one would be able to use their printer or app.

For example: A competitor could cause significant damage to Bambu by simply rendering the cloud unusable over the weekend, over and over again.


This isn’t fantasy, but the current reality - something that many people simply aren’t aware of. However, if they read Bambu’s latest blog post carefully, they will see that this is Bambu’s biggest fear.


We’re not just talking about a few hobbyists here, but entire printing farm companies that use the cloud. Anyone using LAN is in luck.

What many people don’t understand is that this isn’t the end, but it could mark the beginning of much bigger problems. Now that Bambu has admitted this themselves, we can also see that there has never been a proper security system in place.


I’m curious to see what the outcry will be like when the first botnet start targeting the cloud, now that this has become so public. However, I really hope that Bambu will finally do something to improve security.


Edit: I think most people can still remember the huge outcry when MakerWorld was overrun by bots for weeks and months; now we’re talking about the cloud.

3 Likes