I’m sure many of you have seen this thread and know exactly what’s about to come. Prepare yourselves.
As a Roblox developer, it is frustrating to see such a useful feature come to an end due to a few people writing malicious code.
The feature that I’m talking about is closed source modules, which allows users to expand their creativity beyond creating games on this platform. People use(d) this feature in order to create their own applications that would then be sold and used in multiple games.
But closed source modules aren’t perfect, we know that. They definitely need to be removed as they currently exist, but I urge you to provide us with an alternative, new and improved feature before removing support for something that creates its own sub-genre of content variety within this community.
These are some arguments that I’ve seen popping up all over the announcement thread. Here’s my take on them.
There are many, many arguments on the original thread, so my apologies if I’ve left any out.
Open Source Argument
I’ve seen a large number of people on the announcement thread jump onto the open-source bandwagon and declare that all closed source modules, or a newer version of it, do not have their place on this platform because “all published code on Roblox should be open sourced.”
The problem with this argument is that it completely ruins business, which is what players are attempting to imitate. Open-sourcing everything sounds like a lovely idea that would work in a world in which you can sell products and not have to worry about people easily taking that product and giving it away to everyone else for free. Unfortunately, we exist in the real world, where open-sourced programs completely ruins business.
Can you image if Adobe were to open-source all of their software and then continue to try and sell Photoshop? Would you buy Photoshop if you can just go to the Adobe website and download it for free?
You may be thinking “but this is Roblox, developers aren’t exactly comparable to Adobe.” Yes, that’s true, but players are trying to have an entrepreneurial mindset. They WANT to imitate large companies like Adobe. That hunger to create is what fuels this platform, and I think that it should be applauded rather than snuffed out.
Web Service Argument
If you can just use some external web service to hide your code, then what exactly is the reason behind removing support for third party closed modules again? Players can and will malicious with this alternative. They can revoke your key at any time, which could completely ruin your game depending on how dependent you are on their service.
No offsense, but the run-of-the-mill Roblox developers that rely on this feature aren’t exactly comparable to Google, either. Having to use a remote webserver to host my code is also a lot more difficult than an on-site alternative. People don’t want to have to jump through hoops in order to develop. That’s the entire point of feature requests - to make our development lives easier.
Also… people have to “Allow HTTP Requests” in order for your external website-calling code to even function. So, why exactly can’t there be a toggle in your game such “Allow Closed Source Modules?” That brings me to the next argument…
Get Tricked Argument
Okay, but what exactly is stopping people from doing this same thing with enabling loadstring, or http requests for that matter? “But Mr. Scriptos, sir. I can simply view the source code of open-sourced scripts to verify whether or not the loadstring code is malicious or not.” Fair point. But are you forgetting the entire web server argument mentioned previously? Yeah, this same trick can already be used to trick people into allowing external web servers to load private code into your game by using loadstring to load heavily obfuscated code from an external website. By using loadstring to execute code read from an http request, the provider is able to change the source at any point and run that code dynamically in your game, which can be malicious.*
Why exactly is it only a problem when we’re talking about closed source modules, then?
Another issue with not being able to view source code is that users can dynamically change their code on the fly in order to harm your game. This is a good argument, but people are already able to do the same thing with the example mentioned above, yet we have a toggle for loadstring. For this, I’d suggest some form of version control.
*There was a huge discussion about obfuscation on the announcement thread. Yes, people can eventually deobfuscate your code and figure out the source (or quickly, depending on how good you are). But this takes time (depends), effort, and an existing understand of scripting. I can’t imagine that players that are using malicious privatized code are entirely capable of deobfuscating that well, if at all. People will pay for convenience. Plus, if it’s a somewhat popular user that was selling the obfuscated code, many people will probably still be tricked into buying it even if someone has managed to deobfuscate the source and is providing it for free. The point is, there are many other ways to be malicious with existing features, yet they haven’t been removed yet. Is it simply because there is a stigma around not being able to view the code? As I mentioned before, you can’t view the code for Photoshop either (at least not fully or easily), yet people still pay for it. You may argue that Adobe is a reputable company and that you can trust their code, and that would be accurate. Which is why, yet again, this is a request for an alternative. I am not asking to keep closed source modules as they are. Allow players themselves to determine whether or not they want to trust third party modules in their game.
Free Models Should be Free and Open Sourced Argument
They’re called “Free” models for crying out loud.
Entirely agreed. Which is why I’m asking for an alternative to be provided before we lose support for closed source modules. if someone uses a free model, then they should be able to view and edit all of the code provided. It is in the name.
Closed source modules are not perfect. I am not arguing for them to be kept around forever. Instead, I’m insisting that they continue to exist and function properly until we’re provided with a reasonable on-site alternative. They’ve existed for a while now. They can continue to exist until they’ve been successfully replaced or locked behind some sort of enable setting.