[Private modules] New way of securing code?

I don’t think people should be hiding their code

Even if it’s out of shame?

If you’re going to be releasing code for other developers to use, those developers should have the right to modify them as they see fit. Private modules/obfuscation is dumb.

Me and my team are having similar issues and I think your best option would either either be to obscure the code, or setup an external web server that holds the code? Not sure

Pretty sure that’d make your code even more insecure, if you mean what I think you mean, as you’d have to have loadstring enabled, plus anyone could just access your web server’s endpoint and pull the code…

OT: if your product is commercial, you could have data loaded from a web server, as said before, to work with the plugin. Another option is add in the ability for your product to support plugins, then offer to “commission” plugins for your customers for a certain price, which they can put into a folder or something somewhere.

The only real solutions I see here are providing a reason to the user to use a web service in some way, or to just commission plugins for your product. Obfuscation shouldn’t even be considered as it can be undone eventually and, even then, your scripts will look dodgy to the consumer if they ever open them and they might be put off.

The whole crux of the issue here is respecting intellectual property (IP) vs security. Here is a scary quote for you developers out there from the Roblox Terms of Use 6-B-3 that will give many of you nightmares:

IP Rights Encourage Innovation and Reward Entrepreneurs

IP is a MAJOR part of any thriving economy. Roblox would not survive as a platform if it did not respect game creator’s IP.

Consider a difficult task that most developers do not fully understand or requires lots of time and effort. These are stumbling blocks to the progression of the Roblox platform. Without a guarantee of the integrity of their IP, developers have no strong incentives to create solutions unless they have encountered the problem themselves (perhaps in their own game). What you get is that some of the brightest developers who are actually able to solve some of the toughest problems on the platform and games in general instead spend most of their time working on their own game(s) instead. In addition, it is counter productive to fuel their competition by sharing their solutions although some do (like me, because I owe a lot to Roblox).

Again, from a great article titled What is Intellectual Property from WIPO (World Intellectual Property Organization) says this:

I find it ironic that the platform that claims to “power imagination” is attacking its developers by undermining their IP and breaking a system which fosters creativity and innovation. Even if Roblox was to back out of this move, I’m sure relations with hundreds of developers have been damaged by this perceived breach of trust.

Roblox Internally Encourages IP

When I was an intern at Roblox, I felt safe and respected. At the front desk, where they took the picture for my badge is a display case. Karen, who works at the front desk and is the sweetest individual I’ve ever met welcomed us all showed us this display case containing patents and awards. Many of the patents were made by some of the founding fathers of Roblox themselves, David Baszucki (builderman) and Eric Cassel. I remember seeing the patent for some of Roblox’s internal architecture designed by Eric, of which Keith Lucas said this:

Karen explained to us, as well as others in the orientation meeting, that Roblox respects their employee’s IP. If we as an employee wanted to have something patented, they would work with us! At Roblox, they treat interns just like any other employee and encourage us to share our ideas. It was such a positive environment founded on trust, the pinnacle of innovation and creativity. It is probably one of the best places to work as a developer, and I’m sure attracts a lot of great talent because of that. I’m glad to see this kind of environment is fostered in the real world and that companies see the value in it.

Conclusion

Treating developers as risks, restricting, and attacking them is not in Roblox’s best interest and is damaging. Developers should be treated as the companies holiest assets, empowered, and trusted. When questions of security arise, great care should be taken to not restrict developers. The real world economy and systems should be looked to as an example to solve security issues in Roblox. Sandboxing scripts will not be sufficient if social engineering can play a role and sharing modules with a select developers is simply targeting a select group of developers with an attack. Perhaps a third party, trusted by both the private module developer and the user, could certify that the code is safe without having to place restrictions on them. This is how website security (HTTPS), application security (Apple, Microsoft, Google), and any other web of trust system works. Ultimately, this the is ONLY form of true security, just being applied statically rather than dynamically at run time.

Edit:
Some of you may be wondering how I reconcile my opinion of IP with my love for open source. If you will recall, I strongly encourage Roblox to move most of its API to Lua and make it open source, although some things will have to happen before that can be done. Dropbox has a great article titled Balancing open source and proprietary ip: they can coexist which sums up my feelings on the matter.

Some people will simply not allow other people to use their work in order to protect their IP as there’s now no way of stopping people from taking it and using it as their own work, a problem for those of us that would like other people to use our work but not copy it or see how we’ve solved specific problems, sort of like a trade secret.

This is damaging the business of groups in communities such as some in the Roblox Aviation community who write closed source modules to sell to their members who are creating Flight Simulators. For these products to continue working in places that rely on them the groups will have to open source the modules thus no longer able make Robux this way.

Ideally Roblox look into a way of allowing developers to set a Closed Source Module as public and have it go through some sort of approval process before it can be loaded by other developers or users.

I most certainly agree. Roblox should have introduced a replacement feature along with retiring private modules. Right now, I’m simply stumped.

I wouldn’t mind having a module approval system, where an actual moderator looks at your code and posting updates would cost a fee. (similar to audio tracks)
I feel like the above wouldn’t be too hard to implement, and it could work well as a temporary solution. But this is just one of the many potential solutions the devforum community members have thought of.

It’s sad to see my business go, because now I’m going to have to start doing commissions again.

Side note, I’m not ashamed of my code. It may not be the best, but I’m certainly not using private modules to hide it. I’m using private modules to protect my product from people looking for an easy bypass.

I don’t think this would make a lot of sense for scripts. There are many different circumstances where code would be considered malicious or not. A script that sets a bunch of stuff on fire might make sense for one game, but not another.

Honestly, I don’t have an issue with this. I’ve never seen an actual use case for private modules. I think open source is the future. There are so many libraries, plugins, utilities, and examples on this forum alone that people have sunk hours or days into developing and given it away to the community, and I just love that.

Yeah, this will ruin the majority of war groups on Roblox that a lot of mature age people enjoy participating in.

I had a subscription service for tech to use in the colonial era of Roblox war groups and that way every group would use the same guns, ships etc at their base.

I retired that, but someone else offers that and their system is used in more than 100 games. It’s not going to be looking good for the community.

Yes it is nice to see when people are willing to share their hard work open source. The problem here is that by removing the choice to allow people to use your work in a closed source format you are unable to stop people from just copying your work, re-releasing it and claiming to be the original creator. Plus there’s no way to monitize on your hard work which is what the OP is concerned about.

Edit:
This also means that anyone who considers certain code in their scripts to be proprietary can now no longer let anyone else use it.

Years ago, before the developer exchange, developers could not earn real world money from their games (legally, at least). Most games were made by hobbiest developers who had free time and the inclination to make games for children. Some of them were quite cool, but they didn’t compare to many of the games that we have now. Furthermore, game studios and teams were pretty rare; the introduction of the developer exchange changed Roblox drastically, greatly increasing both studio development time and game quality.

At the time, games could be copylocked but monetization was difficult.
Currently, modules can be made private but monetization is difficult.

Removing private modules greatly reduces the ability to monetize, especially without even a form of copyright enforcement found in the real world. If Roblox was to head the other direction and instead of removing the ability to make private modules embrace them and make monetizing modules convenient, they would see a huge increase in the quality of resources available to developers.

This could greatly reduce game development costs in general as resources are being more efficiently shared. A single game which uses paid modules could represent tens of thousands of man hours spread across the community, and a hour spent developing a paid module could mean hundreds of man hours progress across the hundreds of games it is used in. The effects are synergistic, and may perhaps have the same effect as the introduction of the developer exchange.

Exactly. Removing the ability for modules to act as proprietary software will greatly disincentivise individuals or teams from working on well-developed and reliable services. Instead, there’s a good chance we’ll see a rise in the proportion of knock-off models or poorly written services.

Forcing modules to be open-source will not stop malicious creators; they will simply target less-experienced users who don’t understand how to view or read the source code of these modules in the first place. This approach personally appears to damage a large number of legitimate services whilst doing little to creators with malicious intent.

I agree something needs to be done, but forcing content-creators to open-source the modules for other developers to use is not the way forward. As mentioned by various other developers, I believe a more suitable approach would be to allow developers to ‘op-in’ to using closed-source models. That way, legitimate creators can continue their services whilst less-experienced users are greatly less exposed to potentially harmful closed-source modules.

I have a had a policy for years on this platform that I will not open source my best work. I will only consider open-sourcing code which I have made obsolete by coming up with a much better or alternative solution providing it still doesn’t devalue the unique features of my current projects. This is mainly due to the lack of copyright protections as @IdiomicLanguage has stated in their post

In the real-world, you won’t find “private” code. It’s just not a thing. Perhaps some applications are completely compiled and distributed without source code, but that’s just because it’s the easiest way to distribute in some cases.

If you’re trying to create a service for other users, the code itself should not be private. Instead, your backend servers (or whatever else you are building to support the service) is what will remain private.

Code distributed to the consumers of your service should always be auditable.

For some reason, this is an unpopular opinion here. But I really ask you all to consider the way services are created and consumed outside of Roblox.

In the real world we are able to protect our IP by real world laws in both Closed Source and Open Source work.
Compiled software is done for more than just convenience of distribution.

Sure, but the TOS of items on Roblox is very clear on this matter. Check out the Intellectual Property section on the TOS.

Yes it is and by Open Sourcing our code on Roblox we grant all users the ability to use, copy and re-distribute our code without credit needing to be given to the original creator. People use Private Modules in a similar way to a Compiled Application due to the source protection it offers.

We are not after preventing Roblox using this code, we are after preventing other users of the platform claiming the work for themselves and devaluing all effort that went into it.

That’s a license you grant to Roblox, but not necessarily to users. If you release your work under a compatible “source-available” license, then you can request for infringements of that license to be removed.

I’m not aware of anywhere that is stated.

And a little further down in that section:

Now, this is the situation as is and perhaps Roblox would be kind enough to change this in their Terms of Use. But as of right now, publishing a free model, shirt, texture, animation, or uncopylocked place is allowing other players to use it to their own profit without any expectation of recompense to the original developer.

Now, even if Roblox was to change this and allow licensing within the platform (greatly increasing mediation costs from subatomic to astronomical) then protecting modules would not be the same as protecting other resources. Here is why:

1. On a platform largely made up of children who don’t understand the importance of respecting copyright laws and indeed can hardly be expected to, the only prevention without strong enforcement is the difficulty of obtaining the content. For parts in places, textures, and other assets this can be difficult and generally only those with the ability to understand licenses are able to do it (although grantedly, most probably never read them). Shirts used to be easily stolen by decreasing the asset ID in the url by 1, but because this was so rampant Roblox had to hide this. Still today there are hundred of copies of old shirts people liked so would copy and change up to resell. Likewise to shirts and in contrast to stealing places, stealing an open source module would be as easy as opening it up like any other script.
2. The definition of stealing code can lead to a lot of grey areas. All code is built from the same building blocks and syntax. Many scripts already contain similar sections. Also instead of “quoting” a script, “paraphrasing” or completely restructuring to the same effect is also possible.
3. Scripts unlike other asset types can contain novel or unique ideas, like trade secrets. These ideas may be what sets some modules apart and reward/motivate the developer. Once these ideas are leaked, they can be changed to be almost unrecognizable or interpreted as a concurrent coincidental discovery. As @Ncuti_Gatwa said, stealing is

To wrap it up

So even if Roblox was to change their Terms of Use, I don’t see a large influx of developers rushing to share their code for the above risks.

Trust me, I would love to see a time when the whole world progressed on free labor, however an economy must be put into place to direct resources to endeavors which actually matter and motivate those who would lack motivation otherwise. To not provide financial benefit through wealth sharing throughout the community is to economically say that developing services for other developers is not a time-worthy pursuit and does not matter. I say contrary.