Introducing: Plugin Marketplace!

Why should I buy a plugin if I can’t see what it does though? I find this idea really sketchy and there’s no way I’m installing any plugins without being able to check what it does first especially when I’m paying money for it.

To elaborate a bit more now that I’ve got a few minutes, I have previously run into problems with plugins. Everyone I know who’s used Studio and installs plugins regularly has installed some kind of malicious code. Putting a paywall behind that has these issues:

  1. Common users cannot verify claims that code is malicious and claims made by owners will reduce the likelihood of people actually purchasing the plugin to figure it out.
  2. Not many people will be able to report it thus essentially putting it lower on the priority list for Roblox moderators.
  3. If you get scammed I can only assume this works exactly the same as all other content on the Roblox platform. You’re simply not allowed a refund and that’s that.
  4. Now reuploaded backdoored plugins will be taking your money too.
  5. I can’t trust my plugins to be paid at all due to the inevitable amount of backdoors that will abuse this. There will be too much competition and the competition is not afraid to break Roblox guidelines.
  6. There is absolutely no way for me to inspect a plugin that is paid before I install/purchase it. I almost always directly download plugins before installing so I can inspect them beforehand. There have been a lot of backdoors which can hide themselves from the explorer despite a lot of the things they abused being patched.

5 Likes

This is an awesome development. As a company it is assuring that I can purchase software, i.e. plugins, from reliable sources. I have personally avoided most plugins due to reviews and potential security threats, this absolutely makes it to where most developers selling plugins will keep to the Roblox policies and put out good content that can be trusted. Great job Roblox team!

Then you find the entire software industry sketchy.
How do you counter this? Only buy from reputable sources. You can’t and won’t ever know what a piece of software does until you have it in your hands. (And even then you might not know what it does since software not geared to have its code interacted with by a user might be closed source)

Every digital purchase you make in your life will have risk. This is why they must be smart and educated purchases.

This is a fundamental software problem. Along with all of your other points. You are blaming Roblox for things that are basically prevalent in software in general but somehow now and only now it’s a problem.

Yes in most marketplaces it’s a sales are final deal. Even Unity makes you go to the asset publisher to request refunds.

1 Like

I do have something to say to people who are upset about a lot of plugins now being paid.

If you put yourself in these creators’ shoes, then you’re going to want to make money off your hard work. It’s like saying you shouldn’t monetise your game by making people buy coins because people have to buy them.

TL;DR: if I’ve spent months on a plugin I deserve to make good money from it.

Although, like others have said, there has to be a way for me to somehow check and audit the plugin before purchasing, either that or a refund system similar to Steam.

3 Likes

What if someone with a premium membership decides to upload a plugin with a virus, that costs 1000 robux? If they get caught, will the people who have bought the plug-in be refunded?

5 Likes

Private modules worked much the same way prior to their removal. People would purchase services without knowing whether it worked or not, and the sellers only agreed to put it on the marketplace because they knew that their code would be protected from prying eyes.

If common users are looking to verify a plugin, they would usually want to buy it more, unless if my marketing mindset is not working right. If someone wants to test a computer out at a store without any computer samples nearby, you really can’t just open up the computer box and make sure the computer is working. You have to buy the actual computer, bring it home, and test things out. If users don’t want to test it out, then it’s on the seller to create more enticing features to make the plugin more marketable.

The DevForums do exist after all, it doesn’t have to be moderators who look at the reports. In fact, I’d be surprised if even the moderators would come up with the energy to try and understand the code that goes on inside each plugin. Instead, DevRelations would be more qualified to deal with bad plugins (or even another branch of Roblox that has people who have a higher understanding of Lua).

And this is also a fat assumption. Not only has this never been tested prior, it is also only a theory. We never know, Roblox might be more strict in this area than in other areas.

Pray tell what “backdoored plugins” have to do with the marketplace? I do believe that if someone wanted to create “backdoor plugins” they would absolutely not want to make the plugin have a price because they are targeting the younger developers who do not know the safe and the unsafe plugins, so they will want to make it for free because newer developers will not typically have the money to get the higher end plugins. This is more of an issue for plugins in general (especially the free ones, not the ones that are being presented on the marketplace) and is not really related to this thread.

I quite frankly do not understand what backdoors have to do with this. Backdoors allow exploiters to run code inside of your game due to security flaws. Not only do plugins not run during game instances, backdoors also do not have any access to the plugins.

If you are too scared for competition, then this world might not be for you. People on Roblox are always in constant competition, for a bigger audience, for reputation, for money. More competition sparks more innovation. That’s the only way that one can survive, especially under Charles Darwin’s theory of natural selection. Only those who can adapt to the ever-changing world will be able to survive.

If you are able to get the source code of a plugin before you pay for it, doesn’t that destroy the entire purpose of having the plugins sold? If anyone can just get the source code, why wouldn’t they just take that source code and reupload it to Roblox and make it free? If plugin developers really want to make money off of the hard work that they put into a plugin, then they deserve the right to have their plugins protected from being copied.

And for the last time, backdoors have the grand total of 0.0000000 things to do with getting the source of plugins.

3 Likes

A plugin “with a backdoor” doesn’t create a backdoor by virtue of being installed, it inserts the backdoor in a script (or modifies existing scripts) in hidden locations. These scripts do run during game instances, and the fact the payload can’t access the plugin is irrelevant.

Currently, you can check if a plugin inserts any backdoors into your game before you run it, since the source is available to anyone and you can read through it to find anything suspicious. If you find it doing anything malicious, you don’t run the plugin, report it and go on with your day.
This is currently the only (practical) way for developers to deal with infected plugins, and this will continue to be the case unless Roblox staff personally check every plugin that’s uploaded to the site (which obviously isn’t happening).

Marketplace Plugins present a problem with this approach:

If you are able to get the source code of a plugin before you pay for it, doesn’t that destroy the entire purpose of having the plugins sold? If anyone can just get the source code, why wouldn’t they just take that source code and reupload it to Roblox and make it free?

The plugin source obviously has to be closed. However, now it’s impossible for developers to check for themselves if the plugin they installed inserts a backdoor into their game. This makes marketplace plugins much less appealing to serious developers - they’re not going to put their game at the mercy of a program they can’t see.

And we can’t just say “Plugins made by bigger developers will always be trustworthy”, because back when we had closed source modules, there were plenty of cases where it was discovered that popular, well made modules secretly ran code that was effectively a backdoor for the plugin developer.

If people can’t get caught doing bad things, plenty give into the temptation. Serious developers just won’t risk it.

3 Likes
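The pre-install source review described in the post above, sketched as an added example (not part of the original thread, and not Roblox's or any poster's code): a small static scanner over a plugin's Lua files. The rule list, the file names and the constructed sample plugin are assumptions for illustration, and the rules are heuristics rather than a complete set of indicators.

```python
import re

# Heuristic rules: (name, category, pattern). Assumptions picked for this
# example, not a complete or official list of indicators.
RULES = [
    ("creates-script", "script-write",
     re.compile(r"Instance\.new\s*\(\s*[\"'](?:Script|LocalScript|ModuleScript)[\"']")),
    ("writes-source", "script-write", re.compile(r"\.Source\s*=(?!=)")),
    ("loadstring", "dynamic-code", re.compile(r"\bloadstring\s*\(")),
    ("require-by-id", "dynamic-code", re.compile(r"\brequire\s*\(\s*\d+\s*\)")),
    ("env-access", "dynamic-code", re.compile(r"\b[gs]etfenv\s*\(")),
]

# Constructed sample plugin: one harmless file, one that writes a script
# into the place. The asset id 0 is a placeholder.
SAMPLE_PLUGIN = {
    "Toolbar.lua": '''local toolbar = plugin:CreateToolbar("Example")
local button = toolbar:CreateButton("Run", "Run the tool", "")
button.Click:Connect(function()
    print("clicked")
end)
''',
    "Helper.lua": '''local s = Instance.new("Script")
s.Name = "Helper"
s.Source = "require(0)" -- placeholder asset id
s.Parent = workspace
''',
}


def scan_source(name, source):
    """Return a list of (file, line_no, rule, category, text) findings.

    Raw text is scanned on purpose, string literals and comments included:
    the code a plugin writes into a script usually sits inside a string, and
    over-reporting is the safer failure mode for a pre-install review.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, category, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line_no, rule, category, line.strip()))
    return findings


def verdict(findings):
    """Grade one file from the categories its findings fall into."""
    cats = {f[3] for f in findings}
    if {"script-write", "dynamic-code"} <= cats:
        return "high: writes scripts into the place and loads code dynamically"
    if "script-write" in cats:
        return "review: creates or edits scripts, read what it writes"
    if "dynamic-code" in cats:
        return "review: loads or evaluates code at run time"
    return "no indicators matched"


if __name__ == "__main__":
    for fname, src in SAMPLE_PLUGIN.items():
        hits = scan_source(fname, src)
        print(f"{fname}: {verdict(hits)}")
        for _, line_no, rule, _, text in hits:
            print(f"  line {line_no} [{rule}] {text}")
```

A clean result only means none of these patterns matched; it does not replace reading the source, which is the check the post relies on.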

Honestly based on the economy of this platform such as the inability to have refunds is probably one of the core issues. Yes you can say “but devforum moderation request” but you do realize this platform is NOT at all regulated when uploading new products right? The sheer amount of potential stolen uploads (and giving paid plugins away free), backdoor plugins, and poor quality and unmaintained plugins, will end up packing up to where human moderation is in no condition to take care of a poor marketplace environment that was NOT MADE for this kind of product from the ground up.

Closed source is a bad thing for some, but preferred for others yes, really I think it should remain open source - however the plugin platform for paid plugins should be regulated and verified by a moderation team so that stolen copies are not uploaded. It can’t be that difficult to even automate comparing an uploaded plugin’s code to another.

Again, Roblox simply from the core of its monetization system, isn’t good for this kind of product marketplace.

3 Likes

I’m not too sure how I feel about this. On one hand it’s great as developers can now make money from their plugins.

On the other hand though, well I always thought of Roblox as a game where it’s easy and free to create a game to publish to the masses. I think Studio now loses what it had against Unity and other game making studios.

I myself, like others often use plugins to assist in development and speed things up, but now the fact you have to purchase them, it’s a bit of a turn off and I doubt I’ll be purchasing some, even if they will help me speed things up.

I won’t go into the other issues with this as it seems everyone else has already stated some of them.

3 Likes

If you’ve installed a plugin before and then it gets a price, you can still install it. This is because all plugins you install automatically go into your account’s inventory. Go check your inventory’s plugins section!

2 Likes

(Also this is sort of directed at others who have been replying to me as well since this is relevant information)

  1. I’m simply not purchasing a plugin for 1k Robux if it’s supposedly a scam. If it’s cheap maybe, but if a developer is promising a good plugin for a relatively large amount of money and I’m hearing it’s probably a scam it’s more unlikely I’ll be willing to pay for that plugin to verify this.
  2. This is honestly a good point.
  3. Unless Roblox makes an exception in the TOS it is definitely 100% not possible to get a refund. They make this very clear.
  4. You’re misinterpreting what I mean by backdoor. I am referring to malicious code which plugins add to the game. They often hide this code in obscure or hard to reach places. This is an ongoing problem that I know Roblox wishes to solve and it’s completely relevant to my points.
  5. This isn’t a backdoor. A backdoor isn’t an exploit, a backdoor is malicious code which gives access to a malicious user to do stuff to the game. For example, code execution. (Note this can be done entirely without loadstring!) There are many posts on the devforum talking about backdoors and how to find them. I’ve even written code to parse and look for suspicious code. It’s not about competition on its own. It’s about competition against bots and people who are willing to break Roblox TOS. Think about the state of the catalog right now. Try typing in some word, any word (e.g. red, green, tuxedo, jeans, etc) into the catalog and select some form of UGC such as shirts or pants. There are tens of hundreds of pages of reuploaded content one after the other uploaded by bots which abuse Roblox’s relevancy search system by including the same keyword repeatedly which bumps it higher on the list. These copies have been reuploaded hundreds of times per day sometimes.
  6. That’s exactly my point. The issue is open source doesn’t work and closed source causes the problem. There are other solutions such as processing this code but this would be up to Roblox and I don’t like the idea of trusting Roblox’s checks since it will be targeted and bypassed by exploiters whereas I can more easily rely on my own checks or someone else’s checks because I know it’s much less of a target and isn’t an obstacle to them.

I’d also like to clarify about my statement about not being able to access plugins I’m not referring to free plugins becoming paid. I have absolutely no problem with this. My problem is that trying to find free and reliable plugins will become much harder with botted content mixed in.

I am also very suspicious about some backdoors on the Roblox marketplace as well. It appears stolen accounts are being used (I’ve seen several accounts from around 2012 with lots of stuff that have seemingly been completely inactive besides these plugins) to upload this code and it appears at least partially automated.

3 Likes

My interpretation of the original quote,

I emphasize that yes, I acknowledge that plugins have the full ability of inserting backdoors into games, but the point was not made about how plugins are inserted. If you refer to the original quote, it said “I can’t trust my plugins to be paid at all due to the inevitable amount of backdoors that will abuse this.” If you dissect it, the poster said that they cannot trust plugins because of the “amount of backdoors that will abuse this [the plugins].” Unless I’ve somehow failed English, I do not believe that there is another subject in that sentence that isn’t “plugins” or “backdoors”, hence why “this” was interpreted as the plugins.


@Hexcede

If you don’t want to purchase it, that’s your choice. I will refer back to here again:

Scams happen every single day on the platform. Group owners are scammed around the clock. Do they still do it? Of course. It’s a financial chance for them, a chance to become successful. If you don’t want the chance for your Studio experience to become easier, then there’s no need to take the risk. However, other people might feel otherwise.

I quote from your original post:

“Backdoored” here is used as an adjective, describing the plugins. Plugins themselves cannot be backdoored, they can only insert backdoors into the game. Note the difference between backdoor as an adjective and as a noun.

So the ultimate solution, according to this, is to remove plugins as a whole or somehow get Roblox to hire human verifiers who are solely dedicated to checking the validity of each plugin. That also means that you are proposing an all or nothing solution, with neither being quite as feasible as having free and/or paid plugins available to developers to use.

Now that, right there, is the main issue behind everything. Can we fix the issue? Of course not, we can only adapt to living with it. Security experts learn the same way, it’s easier to adapt to the bad people’s new tricks instead of trying to reinforce the same defenses.

2 Likes

Pricing

As far as pricing goes, I see this as a means of introducing competition when it comes to plugin development. At the moment, yes, some of the prices are a little bit crazy compared to the simplicity of the plugin, but I think that’s due to a current lack of competitors for that particular plugin. This will change once more people eventually enter the marketplace and create their own cheaper versions of overpriced plugins, which will force the competitors to lower their pricing or offer more features if they want their own plugin to remain relevant.

Malicious Plugins

This has been stated multiple times throughout this thread and I have even seen reference to it on older, separate threads. I’m not going to go into great detail since it has already been done, but I would like to throw in my support for some sort of “Allow Archimedes to Access” (see iPhone App Permissions) interface for plugins.

[Image: iPhone Permissions Example]

This obviously won’t solve everything but it’s a start.

Donation Model

My own personal preference would be to keep the plugins that I create free, but allow my users to throw in a little “thank you,” if they want. I would love to have a setting that would allow developers to donate any amount of Robux that they choose. That way they can use my plugin first and decide whether or not they like it, then give a little donation gift if they were satisfied. I wouldn’t expect to make much money at all this way, but I still think it’d be nice to have.

9 Likes

What I meant by backdoored is that they have had backdoors inserted into them. Hence, they have been backdoored. The plugin essentially runs inside of the game so I think it makes sense to think of the plugin as part of the game. In my head, if your game is backdoored by a plugin, the plugin is also backdoored because it contains this backdoor. Usually these plugins are also reuploads of original content with a backdoor included so I think in this “backdoored plugin” mindset even more. It’s also just easier for me to say “backdoored plugin” than “plugin which contains a backdoor”.

The idea that you need to take chances is always going to be an issue. I never said there’s a perfect fix, I’m simply saying that there is absolutely no noticeable infrastructure up and running to solve these (and currently ongoing) issues. Referring back to my claim I think it’s genuinely impossible for Roblox to reliably support this marketplace. I’m not saying that this is a bad idea or something, I am completely in favor of the Plugin Marketplace. Making comparisons to other marketplaces such as the Unity asset store just doesn’t make as much sense to me because Roblox plugins and Unity assets are fundamentally different and their communities and resource incentives (especially due to virtual currency!) are also entirely different.

I never said remove plugins or anything like that I am just stating that this isn’t very feasible to support on Roblox’s end (at least as of now and probably for at least a few years assuming Roblox has been working on infrastructure). I am also referring to automated checks in that quote rather than moderators, I apologize for my wording there.

Finally, there’s always a fix! It doesn’t mean that it’s the best one, but something is better than nothing at all. I personally think that the relevancy search is the most broken feature of the catalog. I don’t mean to say Roblox has the infrastructure of Google or will anytime soon, but Google has definitely fixed this relevancy issue in their search engine. I believe this works by known to be reliable sites referencing these urls and domains.

Somewhat related I’d like to explain why virtual currency makes things a lot more difficult:

  1. Robux doesn’t have any legal backing. You just can’t really take legal action over Robux while real currency (as used in the Unity asset store) is much much easier to support. Robux can be obtained maliciously with little to no consequences. There are laws behind real currency while there are not behind Robux.
  2. The philosophy of virtual currency vs real currency also affects the entire dynamic.

3 Likes

My question is how exactly will the sellers be protected from people just sharing the plugin’s file with everyone else? I feel like tons of plugins will end up getting uploaded we all know where. Anything that gets downloaded can be decoded. Sending bytecode wouldn’t help as nobody really cares about variable names and obfuscating the code is just a short term solution.

3 Likes

Something that annoys me with the new Plugins tab is that you can’t find any of the old plugins (for example, Waterfall Generator)

1 Like

I agree that this will let the developers make better plugins, but developers that don’t have (enough) R$ to buy plugins will have to work harder than other developers that have paid enough to buy good plugins. You could just set a limit to this feature, so developers won’t be able to sell all their plugins. Also, what will happen if some of the plugins that we already have now cost R$ to use? Will they be deleted from our inventories, or will they be kept?

Will action be taken against your account if you re-upload a paid plugin, or only the plugin that you uploaded will be taken down?

I am very interested concerning the introduction of this change. The marketplace will surely usher in a time of more diverse, advanced, and more-than-helpful plugins some might even come to say are crucial aspects to many parts of game development. There is obvious incentive in this.

Looking back on the time that some form of this idea introduced by @ScriptOn depicting monetary gain from plugins, which didn’t receive the best feedback, shows you just how far Roblox has come, especially in terms of listening to community feedback.

Established developers are surely excited by this change due to the capabilities of tomorrow that can greatly enhance game development. I certainly am thrilled.

3 Likes

One of my biggest concerns is what is being sold, to me, a lot of what is being sold on the marketplace seems very unjustified. Why should I have to pay for cosmetic hats on a TC? I don’t mean any ill will towards the developers selling these, but it makes no sense.

I don’t want to be paying for plugins that cost 300 robux, not every developer is established and has a bank of thousands waiting to be used. I would much rather spend those on audio uploads.

It’s 5 dollars to buy 400 robux, while that may be cheap to some, not everyone can afford to pay that much for a plugin or two. I understand that developers are trying to make livings, but if you can make a good plugin, then you could probably use your skills as a scripter towards other methods of revenue.

Please do not take this the wrong way, I don’t mean anything bad towards anyone.

6 Likes