[Private modules] New way of securing code?


#33

I wouldn’t say people have adapted to the need for private Modules because people have always tried ways of keeping ownership of their code or unique ideas whilst allowing others to still use it on Roblox.
The earliest way was to compile the script into Lua byte-code and call loadstring on it (This was easy to reverse but it at least helped). The only people that I’d say have adapted to this paradigm specifically are those who have relied on selling private code as their primary source of income.

The main reasons why people want to keep their code secure are clearly explained in @IdiomicLanguage’s last reply (here) and are not issues that have only appeared as a result of private modules being possible.

In an ideal world where people don’t steal other people’s work and benefit from it themselves and Roblox protects our IP from such acts, I’d agree that all public code should be open source because there’d be nothing for the original creator to lose.


#34

You’re basically saying that Roblox, more or less a game development platform like Unreal Engine 4 or Unity, should allow proprietary code & stuff like that to be hidden from developers. Most if not all code from the UE4 Marketplace is easily accessible & editable. There’s honestly no reason why developers on Roblox can’t allow the same freedom. The “unique” ideas aren’t really unique when you can easily replicate them just by studying how it functions. Sure, you might have secretive web endpoints, or a fancy algorithm, but on the surface, to a player, the internal code structure does not matter.

The idea of using ModuleScripts or models in general as a way to gain income is against the TOS, too I think, or Roblox might’ve changed that. I know at one point, selling “Free” Models was against the TOS.

If we want proprietary assets to be on the Roblox platform, it should be officially supported and moderated by Roblox staff - not through the abuse of a feature that’s not even serving its intended purpose in that instance.

We could prevent copying by having an object similar to a package link, which already prevents the deletion of said package link. It would basically be a package link, but have the original creator, upload date, etc. etc. All descendants under the model couldn’t have their parent changed, nor could they be reuploaded by someone other than the creator.


#35

Your solution would also need to protect the rights of the developer too. It’s no good doing all that and then the other developer can just copy and paste the contents of the modules in full or in part and add them to their own projects, stripping away all previous credit or value the project had from the original developer.

The unique ideas and proprietary code argument is that we don’t want other developers or users to be able to just recreate these by looking at our code and seeing exactly how we do it. We keep them closed source to keep them unique and proprietary and that value is lost the instant they are leaked. (I’ve had first-hand experience of this happening to my code which is why I am biased and believe an absolute way to protect our original ideas needs to exist [IRL original ideas are protected by the IPO]).


#37

Then that’s exactly why you should keep it in your own game? If you’re going to give something to someone, you’re giving it to them.


#38

That’s what a license is for. I allow you to use my product within these terms, and reserve the right to terminate this access for any reason if deemed being abused. There, I just gave you access to my project, without giving up my competitive advantage.


#39

That’s not what’s being asked for, but I agree


#40

It seems that the forum has broken into three points of view. Right now, private modules exist without any code review process or safety to the user and pose a huge security threat. No one likes this. Roblox’s response to this threat is to require all shared code to be public starting February 1st, with possible options for sandboxing code or selective sharing in the future. This will make all modules open source and free. Because paid modules incentivize innovation and are already a major part of many developers’ income, two alternatives have been proposed:

  • Continue to make modules public, but change the terms of use to allow authors to publish it under different licenses. Provide a method of infringement mediation through Roblox.
  • Continue to remove private modules, but make protected modules to allow authors to grant access to the code. Provide a method of code review and certification (doesn’t have to be Roblox).

What do the readers think? Free modules will always exist, but should current private module owners make their modules:

  • Open source & free
  • Licensed source w/ mediation
    As @Anaminus says: “If you release your work under a compatible ‘source-available’ license, then you can request for infringements of that license to be removed.”
  • Protected source w/ certifications
    As @IdiomicLanguage says: “Perhaps a third party, trusted by both the private module developer and the user, could certify that the code is safe without [publicly releasing the source].”
  • Other

I tried to keep this post neutral, please let me know in a direct message if you think a view was poorly represented.


#41

What I said and what Anaminus said aren’t exactly mutually exclusive (although I worded it wrong). Open source is built entirely upon licensing.


#42

Edit:

Hmm, actually, nevermind.

I see where the license comes into play. :smile:


#43

This cannot be more false. Contacting Roblox support and asking them to remove games using your code will not end in your favor, ever. I had a guy helping work on my game at one point and he ended up not ever doing anything so I fired him. He got mad and took the game files elsewhere and uploaded it, selling everything at half price of the real game. I’ve reported this game several times for stealing my code and I always get the same runaround saying that it’s my fault for allowing him to edit the game/view the code. The game is still up and still making money to this day despite several attempts to get it taken down.


#44

What did you guys discuss in your contract about licensing/ownership of the work? As far as Roblox is concerned, when you give someone access to something via Studio then that other person has ownership of the assets, but if you decided something else in the contract you would have to pursue that legally outside of Roblox.


#45

Exactly my point. Now imagine making something open sourced then having thousands of people using it and you try to remove certain people’s ability to use it. You’d have to handle all of that in court because Roblox wouldn’t just remove it like Anaminus said. Open source licensing just isn’t the way to go.


#46

Closed source also has the problem that its flaws can’t be detected as quickly as in open source. Assume that a private module contains code that conflicts with the GDPR. Now this code can be conveniently hidden intentionally, or it might have ended up there by accident. If the module were open source, this problem could be detected by anyone using the module.

Obviously this point also holds for games. I think it’s more important for modules, though, because their code may spread more widely. Also, game developers should be responsible for what is in their games, and when using a private module they can’t even know what they’re responsible for.

When it comes to protecting intellectual property, there seems to be a problem for many developers. However, we shouldn’t settle for the simplest possible solution because of its downsides. I personally support an open-source licensing system and appropriate co-operation between Roblox and developers to prevent infringements.

A potential problem this may pose is something that YouTube has also been struggling with, that is, false positives. Given that Roblox as a platform isn’t as large, we can hope that human moderators could be able to deal with this more properly.


#47

My quote above from the Terms of Use:

Yeah, as @buildthomas said and I said above, Roblox doesn’t care right now about licensing or privacy once you make your modules public. That is what will happen to all code if it is made public come February. No protection. Changes definitely need to be made, we can all agree on that. We disagree on how though.


The GDPR issue is a problem with private modules as is, not with the proposed protected source system. The review and certification process would detect violations like this and be conducted by a third party whom both the module developer and game developer can trust. It is true that not all bugs would be caught in a single code review, but the certification isn’t to certify that the source is bug free. It is to say that the module doesn’t send information off to some IP in China and is safe for the game developer to use. I’m working on a system right now, but its development is slow and some parts are difficult without Roblox internal support.


#48

Of course not, because you’re not using the process outlined in the ToS defined specifically for handling infringements (DMCA). The implication of my point is that you’re prepared to take the measures necessary to defend your IP. This involves correctly licensing your IP in the first place, and following established procedure when infringements occur. You’ll have to be willing to do this all on your own; no company has an obligation to defend your IP beyond what is required by law.

If you don’t feel like playing this game, then you’re free to slap on a permissive license, and get back to programming, drawing, composing, or whatever else it is that really matters.


#49

And this is the problem. While I can agree Roblox shouldn’t be held accountable for protecting your IP on the platform, removing private modules is removing my IP’s only protection. I can’t go through all this legal trouble to protect my stuff. I’m a minor myself, so I can’t even sign a contract. And even if I did all that stuff, could you really imagine suing or taking action on every violator of your IP? On a platform as large as Roblox this isn’t feasible in the slightest. We shouldn’t be distracted from the fact that Roblox is mostly played and developed on by kids, and legal stuff makes no sense to them at all. (myself included)

My point is, private modules were Roblox’ only simple way of protecting IP in free models. Now they’re leaving, and there’s no simple, first party alternative. It’s incredibly frustrating.


#50

Fair enough. I believe including such a third party may not be as scalable as delegating the work of checking the modules to their users, but it may be a good compromise.

@wind_o: It is an undesirable consequence that copyright owners must experience stress about their work being protected. However, I think that is part of the responsibility when it comes to becoming a copyright holder, just like creating the work is.

So essentially, a developer must do extra work to protect their IP, but this is for the sake of users’ safety, the other option being that malware is widely distributed via private modules. I’m assuming that if the work really matters, the developer is prepared to do it.

I’ve been working on my GitHub project (roblox-dissector) for a year (including some breaks). I have never gotten any money for it. Still, it is important, so I continue to work on it, sometimes up to 10 hours a day. I very rarely get any money for coding, yet I continue to do it. This should prove that securing one’s income is a great motivating factor for protecting IP with other means.


#51

Aha! It has been revived! I’ll take the bait, here are some more thoughts:

An excellent point! I plan to overcome this issue by employing economic principles. I was actually working on the protected modules service when I got the notification of your message. I plan to ask for compensation for my time spent creating the service and reviewing/certifying code. This has a couple advantages:

  • I’ll only have work if the module developers value protecting their code more than the cost of the service; this proves the value of the service by asking developers to put their money where their mouth is.
  • If the demand outmatches my capacity, I have two options as in classic economic supply and demand. Either I can scale up and hire help (which would be quite a process to ensure the same standards) or I can raise the cost so only the most worthwhile modules become certified.

I really believe that a certification service is valuable. It benefits many people involved including:

  • Game Developers: it helps them determine which modules are safe and which may be risky. This is especially helpful to developers who don’t have the ability to check code for safety, but it also benefits game developers who can by allowing them to spend their valuable time elsewhere. This reduced risk and increased time is valuable.
  • Roblox: Any benefit to Roblox’s developers is a benefit to the Roblox platform. Reduced risk means less stolen places and disillusioned developers. It also centralizes code review; with public modules each developer who wants to know if the module is safe must review the code. One experienced developer reviewing code is more worthwhile than a thousand reviews by new scripters and takes man-hours versus man-hour days away from game development. It also helps new developers by simplifying game development by removing the need to check for insecure code (as long as only certified code is used).
  • Module developers: This one is pretty obvious. It protects their IP, taking a huge load off of them and putting it in more specialized hands with lots of practice doing so.
  • Me: I get food on my table. Yay! In addition to monetary compensation, it also increases my notoriety by helping others and proving my worth in a position of trust. It’s a pretty sweet gig if you ask me!
  • Exploiters: This service helps them by… by… Oh, well, I guess this service doesn’t help EVERYONE involved. As the number of certified modules increases, the places for them to hide becomes smaller and smaller as well as less trusted. This distrust devalues whatever module they are hiding in until ultimately they are starved of victims… a dire prospect indeed!

Here are two features I plan to utilize to keep code safe in addition to my reviews:

  • All protected code will run on my server in an environment without external access except to a single place instance. My server environment has no ‘HTTP service’. The code on my server is completely safe; however, it could cause problems through its interaction with the public code running on the place instance.
  • I’ll add in the option for game developers to use my sandbox (found here) to enforce game-specific restrictions on code like removing access to standard library functions, whitelisting and blacklisting instance access, limiting function call depth, or even limiting run time. This will be an optional feature due to the overhead.

Current Progress

I’ve been working on a custom web server built in C and Lua to host this service… Over the weekend I got my domain certificate and enabled HTTPS on the login page:


(Yes, that’s the URL. If you go there now you’ll see exactly that and nothing more. This is the only implemented page. In addition, my server may crash due to odd requests from untested browsers. I quickly hacked together an HTTP parser and am working on a more robust method now. Also note that service may be dropped at any time as I push updates to core functionality like that parser.)


Protected Module Service Alpha Testers
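
As an added example (not code from post #51 or from the sandbox it links to), this shows the kind of restriction described there: untrusted module source is loaded into a whitelisted environment with no network or OS access and is stopped by an instruction budget. It assumes stock Lua 5.1 to 5.4 on the hosting server rather than Roblox's runtime; `make_env`, `compile`, `run_sandboxed` and the sample modules are hypothetical.

```lua
-- Added example for stock Lua 5.1-5.4; all names here are hypothetical.
-- Whitelist: no io, os, require, debug, load, getfenv/setfenv, coroutine,
-- and no pcall (it would let a module swallow the budget error and carry on).
-- Library tables are copied so a module cannot modify the host's own tables.
-- Caveat: string methods stay reachable via the string metatable, ("x"):rep(n).
local function make_env()
  return {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tostring = tostring, tonumber = tonumber,
    math = { abs = math.abs, floor = math.floor, max = math.max, min = math.min },
    string = { len = string.len, sub = string.sub, upper = string.upper },
    table = { concat = table.concat, insert = table.insert },
  }
end

local function compile(source, env)
  -- Precompiled chunks begin with ESC (0x1B); accept source text only.
  if source:byte(1) == 27 then return nil, "bytecode rejected" end
  if setfenv then                                   -- Lua 5.1
    local fn, err = loadstring(source, "=module")
    if fn then setfenv(fn, env) end
    return fn, err
  end
  return load(source, "=module", "t", env)          -- Lua 5.2 and later
end

-- Runs `source` in its own coroutine so the count hook applies only to it.
local function run_sandboxed(source, budget)
  local fn, err = compile(source, make_env())
  if not fn then return false, err end
  local co = coroutine.create(fn)
  -- The hook fires after `budget` VM instructions and aborts the module.
  debug.sethook(co, function() error("instruction budget exceeded", 0) end, "", budget)
  return coroutine.resume(co)
end

-- Constructed sample modules (not taken from the thread).
local samples = {
  benign  = "local t = {} for i = 1, 3 do table.insert(t, i * 2) end return table.concat(t, ',')",
  network = "return require('socket.http')",
  spin    = "while true do end",
}
for name, src in pairs(samples) do
  print(name, run_sandboxed(src, 100000))
end
```

The instruction budget bounds CPU time only; memory use and calls into whitelisted C functions that run long on large inputs need separate limits.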
closed #52

#53

This has strayed way off of the OP’s original question. Keep ideologies and opinions in the announcement for the removal of private modules.