BambuStudio has been violating PrusaSlicer AGPL license since their fork

Josef Prusa @josefprusa May 13 BambuStudio has been violating PrusaSlicer's AGPL license since their fork, with the same networking binary black box in question today. Why are they willing to burn the goodwill over it? There's something most have sensed but never seen all in one place: the five-law framework China built between 2017 and 2023 ⤵️ So maybe their hand is forced, as their "network" is too valuable already? Each law on its own: interesting, okay… Read them together, add any Chinese company with big reach to the mix, and you get the complete picture.

  1. National Intelligence Law (2017): All organizations and citizens must "support, assist, and cooperate" with intelligence work. The same law makes it illegal to disclose that cooperation happened. Cooperation is mandatory, and silence about it is mandatory too.

  2. Cryptography Law (2020): Commercial encryption must be state-approved and state-reviewed. When authorities request it, companies must provide decryption keys or plaintext. The state on both sides of that equation is the same one.

  3. Data Security Law (2021): Article 2 gives the state extraterritorial reach over data that touches Chinese national security or public interests. So EU/US data hosting does nothing to make it safe, because jurisdiction follows the company, not the server location.

  4. Counter-Espionage Law revision (2023): The general definition of espionage was expanded to cover "documents, data, materials, or items related to national security and interests." Industrial data has been one of the intended targets since the revision.

  5. Network Product Security Vulnerability regulation (2021): Any company or researcher that discovers a software vulnerability must report it to MIIT within 48 hours. From there it flows to CNNVD (China National Vulnerability Database of Information Security), operated by the 13th Bureau of the Ministry of State Security. Microsoft's threat intelligence team documented Chinese state-hacker zero-day usage rising after this took effect. This shows the willingness to use the "tools" China built.

Together they describe a system with no neutral exits. Cooperation is required, encryption is real but the spare keys live at the ministry, jurisdiction follows the company across borders, industrial data is in scope, and discovered vulnerabilities flow to an intelligence agency 😬 3D printing became strategic for China in 2020 and joined the "Made in China 2025" plan soon after. Why does 3D printing matter so much? 1/x

Jeff Geerling @geerlingguy May 12 Bambu Lab 3D printers: never again. They're breaking the open source social contract (for the nth time…), and I'm past hoping they'll amend their ways.

Josef Prusa @josefprusa May 13 Two reasons this is especially dangerous in 3D printing: First, Made in China 2025 designates essentially every advanced technology as strategic, so industrial data broadly fits the "national security and interests" definition. Second, 3D printers concentrate at the places where new IP is created: R&D departments, prototype shops, defense suppliers, university labs, hardware startups. The machine sits next to the thing being invented. And the slicer sits on your computer with the same data and access you have.

I'm not claiming I know what's happening inside Bambu. This is relevant to every Chinese manufacturer, not just 3D printing. It's cameras, it's cars, it's the free AI models in your coding tools collecting your data. Six years after China's wildly successful subsidies for 3D printing began, we are the only desktop Western manufacturer remaining. Let that sink in. My personal guess is that the subsidies are not designed for the benefit of Western consumers. What do you think? 2/x

Josef Prusa @josefprusa May 13 What does the PrusaSlicer AGPL violation actually look like? PS is licensed under AGPL-3.0. That's the strongest copyleft license there is. It's simple: you can fork it, you can build a business on it, you can ship it commercially. But any derivative work has to stay open source too. You take from the community, you give back to the community. That's the social contract. PS is a fork of Slic3r, and even though 90+% of the codebase is now written by us, we are proud of the heritage.

BambuStudio (BS) is a fork of PrusaSlicer (PS). They published the slicer parts; that's fine. The networking plugin, the part that actually talks to their cloud, is closed-source. Just a binary black box. The standard defense for something like this is "the plugin is a separate work, so it's not subject to copyleft." That argument falls apart on contact with the actual software. BS cannot do its primary job without the plugin. The plugin cannot do anything without BS. They are not two products that happen to talk to each other; they are one product split across two files for PR license-laundering convenience 😒

Under AGPL, that's still a violation. You don't get to keep the copyleft piece closed by moving it across a function call boundary and calling it a separate work. The license they inherited from us doesn't allow that. OrcaSlicer inherited the same license by forking BS and follows the rules. Most people miss that the networking blob isn't even bundled inside BS. It downloads itself at runtime. So you can audit BambuStudio's open source code all you want. You cannot meaningfully audit the part that actually talks to the cloud. It lives outside the published software supply chain, arrives from a CDN you don't control, and can be replaced from one launch to the next without anyone outside Bambu having a chance to look at it first 😬

I flagged this exact architecture publicly in March 2023. The same architecture is in place today.
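The auditability gap described in the thread, a binary that arrives at runtime and can be swapped between launches, is at least detectable locally. The following is an added example, not code from BambuStudio, PrusaSlicer or Bambu Lab: it fingerprints a plugin file and compares it with the copy accepted after a human review, so a silent replacement surfaces as "changed" before it is trusted. The plugin file name, the baseline file and the sample bytes are constructed assumptions.

```python
"""Baseline check for a plugin binary that is fetched at runtime.
Added example, not BambuStudio/PrusaSlicer/Bambu Lab code; the file
name, baseline location and sample bytes are constructed assumptions.
"""
import hashlib
import json
from pathlib import Path

def fingerprint(data: bytes) -> dict:
    """The two facts worth pinning for a downloaded binary: hash and size."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

def classify(name: str, data: bytes, baseline: dict) -> dict:
    """Compare the bytes on disk with the copy accepted after the last review.

    verdict: "new"       never seen before; review it before accepting
             "unchanged" identical to the accepted copy
             "changed"   replaced since the accepted copy; review it again
    """
    current = fingerprint(data)
    known = baseline.get(name)
    if known is None:
        verdict = "new"
    elif known["sha256"] == current["sha256"]:
        verdict = "unchanged"
    else:
        verdict = "changed"
    return {"verdict": verdict, "current": current, "accepted": known}

def accept(name: str, data: bytes, baseline: dict) -> dict:
    """Record a reviewed copy. Call this only after a human has looked at it."""
    baseline[name] = fingerprint(data)
    return baseline

def check_file(path: Path, baseline_path: Path) -> dict:
    """File-backed wrapper around classify(); it never writes the baseline."""
    baseline = json.loads(baseline_path.read_text()) if baseline_path.exists() else {}
    return classify(path.name, path.read_bytes(), baseline)

if __name__ == "__main__":
    # Constructed sample: what the "plugin" looked like on two launches.
    launch1 = b"\x7fELF" + b"network plugin build 1"
    launch2 = b"\x7fELF" + b"network plugin build 2"
    baseline: dict = {}
    print(classify("network_plugin.so", launch1, baseline)["verdict"])  # new
    accept("network_plugin.so", launch1, baseline)
    print(classify("network_plugin.so", launch1, baseline)["verdict"])  # unchanged
    print(classify("network_plugin.so", launch2, baseline)["verdict"])  # changed
```

Run check_file() against the plugin's on-disk location at every launch and only call accept() once someone has actually examined the new copy; the JSON baseline is the record of what was reviewed.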