oh no someone is wrong on the internet i gotta go spend almost an hour writing a detailed reply with sources and research to prove my points mom i swear
Disclaimer: None of this is meant as a personal attack against OP, but rather against the points they have tried to make. @1TheNoobestNoob is still cool.
I disagree with this post. Shocking, I know! 
I’m actually a little annoyed, because many people will not read past the title and will have tons of misinformation and ideas stuck with them.
Your post completely ignores threat modeling, and basic security.
That pretty much invalidates a lot of what you’ve said.
Threat modeling
What is it?
In essence, it is a view of the application and its environment through security glasses. Threat modeling is a process for capturing, organizing, and analyzing all of this information. Threat modeling enables informed decision-making about application security risk.
Thanks, Google, that was a little vague. Threat modeling is a way to plan and optimize security operations. Security teams lay out their goals, identify vulnerabilities and outline defense plans to prevent and remediate cybersecurity threats, at minimal cost.
It’s best demonstrated with an example.
Let’s take a look at my phone.
It’s secured with my fingerprint. In Hollywood, that seen as high tech and secure. In real life, its actually terrible security. Passwords are meant to be secret, right? Well, if your fingerprint is your password, it’s not a secret. You leave the password everywhere you go! Not only that, but it’s fuzzy matching, because otherwise you’d get false negatives all the time, and it would piss you off. In 6th grade my friend and I broke into his phone by faking his fingerprint.
If it’s so weak, why do I use it? Threat modeling. Analyzing my threat model lead me to take the option that speeds my workflow through convenience at the cost of security, because the security is overkill. Slowing myself down and making my phone less streamlined for the sake of security provides me with no added benefit.
What’s my threat model? In other terms, what am I trying to defend against?
My little brother, my mom, and my friends.
Is a fingerprint enough to stop them? Yeah. None of them will go through the effort of cracking it, even if all they needed to do is to watch a 5 minute YouTube tutorial.
What are the potential threats? They put their thumb on it, or try to force my hand on it. No real worries there.
If I were a spy or criminal, my phone would have a long alphanumeric+symbols password on it, because I’d be trying to keep out much stronger attackers.
So, threat modeling is used to decide what is necessary for our level of threat. I hope I explained that well.
Further reading on this topic can be found here:
- Threat Modeling Cheat Sheet (Super helpful)
- 12 Methods of Threat Modeling (Extremely useful)
- Threat Modeling Explained (More network specific but still good)
Basic Security
AAAAAAAAAAAAHHHHHHHHH!
If you store secrets or valuable info (someone’s credit card) in your code, or in a plain text file, you lose the right to code. Thanks.
Cryptographic hashing has joined the battle!
This is way too much for me to cover in a reply. Maybe I’ll update this post in the future, but I haven’t even had breakfast or a coffee yet.
For now, here’s some external reading:
If you’re wondering how to implement these hashes on Roblox, I’ve got your back.
I already open sourced a library of hashes! HashLib
This is a great counterpoint to what you said. This is giving everyone the key to my security, right? They know my hash algorithm! My library isn’t obfuscated or hidden! They know exactly how I store my secrets!
Wait. The hashes are standard, and can be found in almost any language you want.
How can they be secure? Surely, you can read it and exploit it!
That’s the entire point of a properly made cryptographic hash. It doesn’t matter if they know that you used a standard SHA256 hash, because it’s a one way function and they cannot get the original input data out of the hash result. It’s no encryption that can be undone with a key. Again, see the further reading on this.
Well, let’s take a look at open source work and decide, based on these concepts, if they should have been kept secret.
I’ll start with a few of my own works.
Yup, all good.
Alright, but some of those may not be fair examples because they aren’t full systems, but just pieces for you to implement into your own.
Here’s a long list of open source projects.
I’ve been scrolling for a while and still have yet to find one that I think should have been kept secret.
The replies above mine actually did threat modeling of the Roblox userbase, even if they might not have realized that’s what it was. @Anaminus did a fine analysis:
@berezaa open sourced Miner’s Haven. Your post implies that such a popular project with such incentives to exploit would totally been cracked by now, but it hasn’t…
Your post gave no examples of an open source going sour, and only gave an example of it going well. Not the best way to make your point, is it?
What you meant to say was “Don’t open source poorly written security features and terribly stored secrets.”
In that case, yeah, I agree. But don’t discourage our community from sharing and growing together under false pretenses.
Edit:
@EtiTheSpirit’s reply made me realize that I only approached this from the cryptography and security side. There are other factors in play on the business side!
I have a syntax highlighter module that can highlight any TextObject you throw at it, and an IDE module that uses this along with a lot of other things (like autocomplete and error detection) to have a really nice in game IDE. I haven’t open sourced them, because they are one of the primary things that give Lua Learning an edge over its competition.
However, I still firmly believe in open sourcing and benefiting the community. What if I told you that I open sourced parts of them, or even other versions! My TextBox Plus module is built off a branched version of the IDE (uses the undo/redo sections of the IDE, stuff like that.) The lexer that runs under the highlighter is also given away for free!