Removing Support for Third Party Closed Source Modules

Disallowing code obfuscation is actually counter-productive in that it prevents honest developers from working to their full potential. People wanting to distribute malicious code will not be adhering to these rules, and attempting to enforce such a rule is a moderation effort Roblox is not equipped to deal with.

Also open-source doesn’t mean more secure, there’s been examples of this before. NPM being recent example


As LordHammy said, RIP Kohl’s Admin and many other modules developers have provided for the public to use. But this is a step in the right direction since I once encountered an issue where a user tried to do something malicious to one of my places one year ago.


I’m not saying it’s more secure. I’m saying that hiding your code for a “freemium product” is not a good reason to keep private modules since all models should be 100% open source.

If you or someone else wants to obfuscate your code, that’s fine. But it should still be available for all to see.


We shouldn’t keep private modules, at least, not in their current state. It would be nice if there was some other way to make proprietary scripts.


I honestly don’t see how this would work… Private modules were the only way to keep hard work out of malicious hands. This isn’t on anyway going to stop these botted models and it wouldn’t stop the majority of underaged users from using the malicious copies.
I honestly believe because of this, people who open their source, especially if it’s something that shouldn’t be really opened like an admin or a driving script, both exploits will be easier to be made and botted reuploads will get worse.
If you do want to help, actually solve the problem with botting and taking in reports into consideration, this would stop this a lot more better.
Also, do do the whitelist thing…


I am incredibly disappointed that this was the course of action decided upon but it’s understandable given how quickly a solution was needed. I’m hoping in the future we’ll see more viable methods for hiding code because as people have shown before and in this thread there are perfectly legitimate reasons for allowing private code.

Not to repeat Anaminus but there’s currently an active thread (that I happened to have created) for more serious discussion of alternatives located here:

At the moment though I worry about the impact this will have on people who use modules to hide web APIs and those who sell products/used private modules to ensure their copy of code was the only one. Again, I’m disappointed in Roblox, even though I understand why.


Smart move to be honest. There’s just too many risks associated with something like this. Props.


In my opinion this is a REALLY good move that should’ve been implemented long ago. It was something that I recently thought about as developers have been getting GDPR takedown requests. If a game has closed source modules and those modules access data stores there’s really no way to delete player data stored there.


Make a feature request for having a similar but less exploitable version of privatemodules included in the upcoming packages feature, although I think something like it might already be in the to do list for packages

On the main topic: it’s about time we got rid of privatemodules yeahhhh :yum:


I do honestly like how most of you go “Yay, it’s about time.” This will ruin complex scripts that need to be privated. For instance, a secret API key or a part of code which if released won’t be as useful because people know how it works. This IS going to ruin a lot of good people.

Thanks Roblox, yet again pushing your fault onto us…


I’ve also suggested a Asset-Store type deal where you can upload your paid-assets and have them be closed-source.


This is a wonderful change. I don’t know why this wasn’t the norm to begin with. Free models requiring third party closed-source modules are dirty and barely contribute anything worthwhile, can’t even open them up and learn anything from them and can’t trust them. If you need to make the module closed source, chances are you either aren’t doing something right (lets not leave a bunch of API keys or something in there) or (more likely) you’re being a bit greedy. There’s no reason a game should ever be able to remotely load something that the place owner either doesn’t own or can’t take and read, and allowing such to happen gave rise to the massive amounts of “backdoored” models that seem to be everywhere.

Will games still be able to use closed-source modules that the game creator has in their inventory (but didn’t necessarily make?)

Good stuff :+1:


That would be a great idea, a controlled place with assets made by trusted developers. Even if it’s closed source Roblox would have checked it and said A-okay.
It is honestly getting to the point where the majority of the model/ plugin catalog is malicious and private modules are apart of it. However this isn’t the best way to go.


You shouldn’t be leaving a bunch of sensitive keys sitting in an uploaded module. Flaws have been found multiple times that have allowed people to steal closed-source modules. Doing so would be bad practice and waiting for disaster.


Well then the model can’t be publish to the public, beating the idea to make something public in the first place.


Code can still be hidden and/or obfuscated. It’s just that now you can look at the source; making sense of it is a different story.


Seems to be nothing more than an explorer-UI after being stripped down. Apologies for the previous post. :smile:


Adonis is open source. It can’t really be leaked seeing as I leaked it then on day one lol. Dex explorer is just a GUI that was made by I believe Raspbi pi or someone else that was originally intended to be used for exploiting, but I clipped it down to just be a normal explorer, and without an actual exploit it can’t do anything, especially server related. People requested that I add it due to how feature rich it is, so I did (with credit to the original creator.)



These two things still concern me though to be honest. You sure they don’t function any? :smile:


When it runs, it’s running as a normal localscript. It can’t do anything a normal localscript can’t, which includes things like saving places.