Removing ability to require non-owned module scripts

I believe it works (for require) in online servers, and that that’s by design.

4 Likes

We are actually looking into removing the ability to require non-owned module scripts from games, it wasn’t originally intended behavior.

10 Likes

If you publish a single modulescript with the module object’s name being “MainModule”, any game can require it in a live server from a server script.

AFAIK, require (assetid) won’t even work if the module isn’t named MainModule.

3 Likes

Please don’t. Even though it was unintentional behavior, it’s the only way to distribute code without giving away the source, and many private modules are already being used in a plethora of places.

18 Likes

Please do. It’s an awful security hazard and shouldn’t be encouraged.

14 Likes

Mfw Anaminus is intent on breaking numerous existing modules and depriving developers of useful behavior for petty opinions on security. Oops – better remove group places because more than one person has unhindered access to the game!

People who use private-sourced modules either already understand the risks of giving another developer unhindered access to their place or wouldn’t even bother opening the script to view its source to begin with. Private modules are useful for the same reason closed-source applications (like ROBLOX) are. Closed source programs have their uses, and it’s silly to remove them for unwarranted security concerns.

8 Likes

I think there’s a difference between explicitly giving someone access to edit your game versus accidentally giving them access to teleport all of your players to their mega fun obby.

Running code in your game that isn’t under your control is crazy. If you are relying on this then you’re already at risk of your modules not working.

7 Likes

I figured you were going to blow up. Listen, downplaying a security issue only because it conflicts with a feature that you desire does nothing to get the issue resolved.

I don’t have a problem with private modules. My problem is with how the feature is currently implemented. It’s undeniable that it is a big security risk.

Roblox should have a private modules feature, especially since it’s been shown that there’s a demand for it. But it needs a dedicated implementation with thought put into it, rather than being a hacky side-effect of privately-owned models. It needs to have a reliable system of trust and/or permissions built in.

8 Likes

It’s actually a really big problem. If you want people to use your code, you’re going to have to give it up. It’s that simple. Otherwise it’s too easy to trick people into giving you the ability to run whatever code you want on their game. It’s not just a petty opinion on security. There’s a larger picture.

2 Likes

Could you still keep it open for those that are free? I have alts that use a few modules of mine (which are free) that I would rather have no ties linking any possibility of me owning or coming into contact with those accounts.

Thanks. :slight_smile:

3 Likes

To be honest, I wouldn’t remove this ability since it is very useful actually. We use this method for remote updating an admin system me and @VolcanoINC have been working on.

So, I personally wouldn’t like this ability to be removed.

6 Likes

If I’m right you can only require a module not owned by you if it’s named MainModule.
It’s very useful so I don’t see why it should be removed.

5 Likes

Yeah, that is correct. As long as it is called MainModule you can require this in game or in Studio.

4 Likes

I use it for a model I made for others, so removing this feature would break it.

3 Likes

Yeah, I agree. We use this for an admin system that requires live updates. So, we update the module it requires, and then when the game shuts down, it is updated. No need to re-insert the model and whatnot.

4 Likes

Any real-world application that has modules will open-source them so that the developers using them can prevent shady behaviour, e.g. teleporting to places in the case of Roblox.
If you’re happy for someone to be using your code as a developer, they should at least have the courtesy to let them choose to see under the hood, or save a local copy so that you cannot do something malicious.
Any developer worth their salt using modules should ALWAYS take a copy to prevent potential breaks.

3 Likes

That’s exactly what my model does also. It would be a waste if they removed this feature in my opinion.

4 Likes

To be honest, they’re talking about not allowing modules to be required if you’re not the owner, but modules do have their own kind of security in a way.

If the module you upload is called “MainModule” then it can be required in any game. If the module you upload is called “AnythingButMainModule” (you get the idea, any name you want except MainModule) then you cannot require this in game or in Studio or anything since you do not own the asset. Edit: and if you do own the asset, you’re the only one who can require it.

So, this is technically a security thing in a way. You have the choice to allow it to be required either for yourself or for any other user on the website.

6 Likes

I think it would seem more acceptable if we were to provide a dedicated feature for this before removing the only way developers have currently to load private modules into games.

I’m currently using modules in this manner to remotely update code in multiple games simultaneously, some of which I work on but aren’t owned by me (they’re owned by a group where multiple people have access) and I’d like to keep the code private where some of the other people with edit permissions on the place can’t tamper with that part of the code. The group owner does know the code and has approved me running it in the place, but it can’t be uploaded to the group without compromising it to the other users and the group owner can’t own the module either because that would prevent me from remotely updating it.

We’ve had the situation many times before where very useful functionality was simply shut down for “security” with a replacement for said functionality being predicted somewhere a few years down the road. It’s frustrating to say the least and I really don’t want to go down that route again.

EDIT: I’ve always seen private modules as something similar to a *.dll - it’s a library of functions you can bind into your project, but the source code to it isn’t always available. It’s up to the developer to trust it or not. I really don’t see why we have to go all protective parent again.

12 Likes

So many admin systems will break. I might just have to cancel Nexus Admin because I don’t want it to become open source because so many people would reupload it. Could we please just get an option to require the creator to own the module rather than require it for all modules?

5 Likes