5 Software Supply Chain Security Best Practices | Docker

Learn the key software supply chain security best practices for container-based delivery, from trusted base images and dependency management to build provenance and runtime monitoring.

Docker

THE CLOSED-SOURCE SHACKLE: Analyzing Bambu Lab’s Approach to AGPL Compliance

2,695 words, 14 minutes read time.

Bambu Lab took the open-source guts of 3D printing, forked the hell out of it under AGPLv3, built a slick empire on top, and then slapped a closed-source shackle around the whole damn thing. This isn’t some gray-area technicality. It’s a straight-up betrayal of the license that gave them their unfair head start. They ship printers that print like a dream while quietly locking down the machine’s soul behind proprietary walls. The RepRap boys built this industry on dirt, sweat, and full ownership. Bambu turned it into a corporate cage.

The Core Violation

The smoking gun sits right in Bambu Studio — their slicer, forked straight from PrusaSlicer under the AGPLv3. That license is brutal for a reason: modify it, distribute it, especially over a network, and you release the full source. No hiding pieces. No “optional” bullshit.

Bambu loads a closed-source bambu_networking plugin that handles cloud auth, remote control, and core features. It auto-downloads, dynamically links, and becomes part of the program. The Software Freedom Conservancy already called it what it is: a clear AGPL violation. You can’t carve out the heart of the software, close it off, and still claim you’re playing by the rules. This is license laundering, plain and simple.

They reaped the open-source commons like bandits, then built their castle walls with the stolen stones.

The 2025-2026 Escalation

When a developer named Paweł Jarczak did what real men in this space do — forked the code and restored direct functionality — Bambu didn’t compete. They lawyered up. Cease-and-desist letters, accusations of impersonation, reverse engineering, the whole corporate playbook. The fork came down fast.

That move lit the fuse. It dragged the whole mess into the open. The SFC launched a formal compliance review. Josef Prusa himself called out the unauditable black box. Suddenly the world saw what Bambu was really protecting: not innovation, but control. Their new Bambu Connect middleware pushed even more traffic through their servers, tightening the leash.

This wasn’t defense. It was panic dressed up as professionalism.

Bambu’s Defense and Why It Stinks

Bambu’s line is the usual slick corporate speak: the networking plugin is “optional,” their cloud is private infrastructure, and they love open source — just not when it steps on their turf.

The plugin isn’t optional when the slicer leans on it for basic modern functions.

AGPL doesn’t care about your marketing slides or how you label components. If it forms one integrated product — and it does — the whole thing must ship with source.

They want the credibility of the open-source roots without the obligations. Classic embrace, extend, extinguish.

No amount of smooth PR changes the fact they’re treating the community that built this industry like unpaid interns who should be grateful for the privilege of buying their locked-down gear.

The Brutal Reality

This is bigger than one company. It’s the old fight between men who want to own their machines down to the last bolt and corporations that see full ownership as a bug, not a feature.

Bambu makes hardware that performs, no denying that. But performance bought with closed-source shackles comes at a price: you paid for the printer, yet they still own part of its soul.

The RepRap era was ugly, dirty, and free. Bambu’s era is clean, fast, and leased. They didn’t invent the tech — they commodified it and put a fence around it. The AGPL drama proves they know exactly what they’re doing.

In the end, the closed-source shackle isn’t an accident. It’s the business model. And the industry that started with hackers in garages is learning the hard way what happens when the suits move in and start changing the locks.

Call to Action

So what are you going to do about it, brother?

Stand with the Software Freedom Conservancy — the crew already hauling Bambu’s AGPL violations into the daylight — alongside real right-to-repair warriors like Louis Rossmann, Kyle Wiens at iFixit, and the lawmakers grinding through repair legislation in Europe and the States. These men aren’t asking permission; they’re exposing how companies twist DRM laws — originally built to stop movie piracy — into weapons for permanent digital lock-in.

Bambu’s closed-source networking shackle and cloud middleware are textbook abuse: they take hardware you paid hard cash for, wrap it in proprietary chains, and then hide behind “security” and “user agreements” while daring you to touch what’s yours. Rossmann has spent years ripping the mask off this exact corporate game. It’s the same play — control the software, control the machine, control the man who bought it.

Ditch the cage. Support Prusa, run a Voron, back true open forks, and fund the SFC’s compliance fight. Demand full source code. Call out every violation publicly. Build loud, repair louder, and make it painful for any company that tries to lease the soul of your gear.

The RepRap spirit was born in garages by men who refused to kneel to suits. That fire doesn’t have to die just because the hardware got slick. Own your machines — every bolt, every line of code, every function — or keep paying rent on your own property.

The choice is still yours. For now. Make it count.


D. Bryan King

Sources

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#3DPrinterSoftwareLicensing #3DPrintingInnovation #3DPrintingOpenSource #additiveManufacturingStandards #additiveManufacturingTechnology #AGPLv3Compliance #BambuConnectControversy #BambuLabAGPLViolation #BambuLabCloudDependency #BambuStudioLicense #cloudTetheredHardware #communityLabor #communityDrivenDevelopment #corporateOverreach #decentralizedHardwareControl #developerRights #digitalOwnership #firmwareLocking #FSFLicensing #GNUAfferoGeneralPublicLicense #hardwareDigitalSovereignty #hardwareRepairability #innovationGatekeeping #makerCommunityRights #manufacturerAccountability #modernManufacturing #openSourceCompliance #openSourceEnforcement #openSourceForks #openSourceHardware #openSourceManufacturing #openSourceSocialContract #OrcaSlicer #printerConnectivity #proprietaryBlackBox #proprietaryFirmware #proprietaryMiddleware #RightToRepair #slicerSoftware #softwareAuditability #softwareFreedom #softwareFreedomAdvocacy #softwareLicensingEthics #softwareSupplyChainSecurity #softwareTransparency #softwareManagedEcosystems #techIndustryEthics #technologyTransparency #userAutonomy #vendorLockIn
What is Software Supply Chain Security? | Docker

Learn what software supply chain security is, why it matters, and how to protect every stage of your software delivery pipeline with container-based infrastructure and trusted content.

Docker
Hardened Images Explained | Docker

Learn what hardened container images are, how they reduce CVE exposure by removing unnecessary packages, and why they’re becoming the standard for secure container deployments.

Docker
#NPM: New "#IronWorm" supply-chain attack: 30+ npm packages from @ #asteroiddao shipped a malicious #Rust binary firing on preinstall stealing developer credentials, tokens, secrets and self-propagating.
#malware
#SoftwareSupplyChainSecurity
👇
https://cyberpress.org/ironworm-targets-developer-secrets/
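The post above turns on one npm mechanic: a package can declare `preinstall`, `install`, `postinstall` or `prepare` scripts, and `npm install` runs them with the developer's privileges. The script below is an added example, not code from the post or from the linked cyberpress article. It inventories which dependencies declare install-time hooks so a reviewer can look at them before trusting a lockfile update, and checks whether `.npmrc` sets `ignore-scripts=true`, npm's built-in switch for refusing to run those hooks (`npm ci --ignore-scripts` does the same per invocation). The manifests are constructed stand-ins with placeholder names, not real packages; `scan_node_modules` is the hypothetical on-disk variant of the same check.

```python
"""Inventory npm dependencies that run lifecycle scripts at install time.

Added example. The manifests below are constructed stand-ins for the
package.json files found under node_modules/; package names are placeholders.
"""
import json
import os
from typing import Dict, List

# npm lifecycle hooks that execute arbitrary commands during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests (placeholder names, not real packages).
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "plain-library": {"name": "plain-library", "version": "1.0.0"},
    "example-hooked": {
        "name": "example-hooked",
        "version": "2.3.1",
        # an install-time hook: runs before the package is even unpacked for use
        "scripts": {"preinstall": "node ./scripts/setup.js"},
    },
    "native-addon": {
        "name": "native-addon",
        "version": "0.9.0",
        # legitimate native builds also use hooks, so findings need human review
        "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
    },
}


def install_hooks(manifest: dict) -> Dict[str, str]:
    """Return only the lifecycle scripts that npm runs at install time."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def find_install_scripts(manifests: Dict[str, dict]) -> List[dict]:
    """List every package that declares at least one install-time hook."""
    findings = []
    for name, manifest in manifests.items():
        hooks = install_hooks(manifest)
        if hooks:
            findings.append(
                {"package": name, "version": manifest.get("version", "?"), "hooks": hooks}
            )
    return sorted(findings, key=lambda f: f["package"])


def scan_node_modules(root: str) -> List[dict]:
    """Hypothetical on-disk variant: walk node_modules/ and read each package.json."""
    manifests: Dict[str, dict] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames or dirpath == root:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifests[os.path.relpath(dirpath, root)] = json.load(fh)
            except json.JSONDecodeError:
                continue  # malformed manifest; skip rather than crash the audit
    return find_install_scripts(manifests)


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc text sets ignore-scripts=true (comments stripped)."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ignore-scripts":
            return value.lower() == "true"
    return False


if __name__ == "__main__":
    for finding in find_install_scripts(SAMPLE_MANIFESTS):
        print(f"{finding['package']}@{finding['version']}: {finding['hooks']}")
    print("ignore-scripts enabled:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

Every hit deserves a look rather than an automatic block: native modules genuinely need an `install` hook, which is exactly why a preinstall payload blends in. Running `npm ci --ignore-scripts` on CI and developer machines, then rebuilding the few native packages explicitly, removes the hook as an execution path without depending on this review catching every case.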

🚨 New Blog Post🚨

I've compiled what we've learned about Gradle's dependency verification feature at the GradleX project into a best practices guide! If you use dependency verification or are planning to adopt it, this one is for you!

👉 https://britter.dev/blog/2026/06/01/gradle-dependency-verification-best-practices/

#Gradle #DependencyManagement #SoftwareSupplyChainSecurity

Best Practices for Gradle Dependency Verification — Reproducible Thoughts

A set of best practices for setting up and maintaining Gradle dependency verification, distilled from real-world experience at GradleX and a few additional lessons learned along the way.

A new article is live on Cyfinoid Research:

AppSec in the New Security Cost Model

https://cyfinoid.com/appsec-in-the-new-security-cost-model/

The core argument is simple. AppSec is still reacting to AI by improving the vulnerability queue. Better reachability, exploitability scoring, CVE enrichment, and prioritization help, but they were designed around an older cost model.

AI changes attacker iteration cost. The defender bottleneck is increasingly verification capacity.

Can we safely validate, fix, test, deploy, and monitor changes at the required pace?

That changes how we should think about AppSec programs. Smaller stacks matter. Attack surface reduction matters. Bug-class elimination matters. Compensating controls need expiry and replacement plans. Test coverage becomes a security capability. Safe remediation throughput becomes a useful metric.

I also connect this to Goldratt’s Theory of Constraints and the SaaS vs in-house ownership tradeoff, especially for SMBs.

The question is no longer only which vulnerability should be fixed first. The question is how much verified remediation an organization can safely produce.

#AI #appsec #softwaresupplychainsecurity

AppSec in the New Security Cost Model

AI changes AppSec economics. Learn why teams need smaller stacks, stronger verification, & safe remediation.

Cyfinoid Research

#Checkmarx is breached again via its Jenkins plugin GitHub repo being compromised in a software supply chain hack:
#SoftwareSupplyChainSecurity
👇

https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/

Official CheckMarx Jenkins package compromised with infostealer

Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace.

BleepingComputer

#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's switch"):
#SoftwareSupplyChainSecurity
👇

https://snyk.io/blog/tanstack-npm-packages-compromised/

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

Snyk
Precision Container Security with Docker and Black Duck | Docker

Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version

Docker