Removing Support for Third Party Closed Source Modules

Also, I keep seeing this open source bandwagon pop up everywhere. Not everything should be open source. It’s a nice idea, but open sourced programs completely ruin business.

Example: Roblox Studio keeps giving me blue screens. I want Roblox’s source code so that I can verify that Roblox isn’t doing anything malicious to my computer. Open source is good, right? So why can’t I have the code to Roblox itself?

4 Likes

Incorrect. You can still make an admin script without being sketchy AF and using closed source only code.

The owner of the game can still use the closed source module in their own games.

That’s literally the same thing reworded 3 different times.
It’s not like anticheat systems REQUIRE a closed source private module that will actually be more secure since exploiters can’t just read a server script as easily as they can read a closed source module.

2 Likes

You have good points there, aside from calling out all closed source code as sketchy. Read my previous post right before yours.

At least with Roblox Studio, you have the binary file, which you can decompile with software such as IDA or Hopper; with closed source modules, you can’t.

That’s a hacky solution - there are hacky solutions to getting the source code of private modules too.

If you really want to hide the code, hide it behind a web service. That means that no code, compiled/bytecode, obfuscated, or original, will be seen outside your web service. The only thing that the script on the Roblox server side will do is call, get and set variables/Instances/etc in the DataModel. Google has been hiding code behind web services for years, why can’t you?

You’ve already mentioned this multiple times and people have already explained the problem to you multiple times.

Also, you can’t keep using Google as an example. Most developers on here are teenagers. They can’t exactly compare to Google.

3 Likes

I guess people want to keep on talking about it instead of working on a solution for their specific problem (hiding source code, hiding API keys, hiding URLs to prevent DDoS, prevent copying/stealing).

Closed source modules can make the solutions to the above problems easy on the surface. However, it will still rely on Roblox doing their security jobs properly (and they have a history of not doing it properly). If you want a “one and done” solution, closed source modules are nice. However, it is also possible to add additional insurance when Roblox does not do their security jobs properly, such as obfuscation and web services.

Most developers aren’t capable of creating something on an external server and shouldn’t be expected to just because Roblox took the easy route instead of actually finding fixes for its issues. Once again, I want to use this example:

(gtg for the night)

3 Likes

I completely understand what you’re arguing for and I agree with you.

The problem, which we keep repeating to people that keep joining the conversation without reading recent posts, is that Roblox didn’t even attempt to provide a reasonable on site (not external) alternative BEFORE deciding to remove closed source modules.

If they had done that, there would hardly be any outrage.

Also, I’d like to mention again that I don’t even use closed source modules. I just dislike the way this was handled.

6 Likes

Is ‘encouraging’ open source only a pro?

What is the expected impact when the malicious users start checking ‘allow copy’?

Open source malicious code and the change didn’t stop it from running. People with little to no knowledge on how to really mess a place up will have all sorts of code to copy and paste.

For every pro listed there is a con to go with it. The change is, at best, neutral.

I honestly don’t find a purpose in the removal of private modules. People will continue using backdoors with open source modules; it’s only going to make things harder for developers. Instead of completely removing private modules, I’d at least expect an alternative that could be used to hide your source without it having backdoors. I have suggested an alternative method that could work like that in one of my previous posts, here. It’d be the least I’d expect.

It’d take less than a minute to figure out how to spoof it.
You send the only two headers Roblox has unique, and it’s bypassed.
You can’t use any other method than those two headers. You can’t communicate to a Roblox server for extra information, and if the loader is open source it doesn’t matter. You can just copy the request the open sourced code makes.
It is not more secure than private modules, it’s a lot less secure.

Also, Roblox removes the source from MainModules. There are still ways to get the source, but that’s irrelevant. No one is saying modules are 100% secure, they’re saying they’re more secure than every alternative we have available right now.

Also, as stated by several other people, minifiers AREN’T obfuscators.
In web development, I use minified code to allow my users to load JavaScript/etc. faster by removing unnecessary characters (newlines, comments, etc.). Minifiers were never meant to hide your code (which they don’t), they’re just meant to load assets quicker.

4 Likes
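
The minifier point in the post above, as an added example that is not part of the original thread: a toy minifier run over a constructed script, showing that every string literal and identifier is still readable afterwards. The names `minify`, `stillReadable` and `SAMPLE`, and the key and URL in the sample, are made up for this illustration.

```javascript
// Added illustration: a toy minifier (not a real tool's implementation).
// Limitation: regex literals and template literals are not handled.
// Group 1 = a quoted string, group 2 = a run of whitespace and comments.
const TOKEN =
  /("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|((?:\s|\/\/[^\n]*|\/\*[\s\S]*?\*\/)+)/g;

function minify(source) {
  return source.replace(TOKEN, (match, str, gap, offset) => {
    if (str !== undefined) return str; // string literals survive byte-for-byte
    // A whitespace/comment run shrinks to one space only where removing it
    // would glue two identifier characters together; otherwise it vanishes.
    const prev = source[offset - 1] || "";
    const next = source[offset + match.length] || "";
    return /\w/.test(prev) && /\w/.test(next) ? " " : "";
  });
}

// Which of the given substrings can still be read in the minified output?
function stillReadable(minified, needles) {
  return needles.filter((n) => minified.includes(n));
}

// Constructed sample input: a script with an embedded secret and endpoint.
const SAMPLE = `
// Constructed sample: admin loader with an embedded secret
const API_KEY = "constructed-key-123";   /* do not share */
function grantAdmin(player) {
  // call the private endpoint
  return post("https://example.invalid/admin", { key: API_KEY, user: player });
}
`;

const NEEDLES = [
  "constructed-key-123",           // the secret itself
  "https://example.invalid/admin", // the endpoint
  "grantAdmin",                    // function name
  "API_KEY",                       // variable name
  "do not share",                  // comment text (the only thing removed)
];

const MINIFIED = minify(SAMPLE);
console.log(MINIFIED);
console.log(stillReadable(MINIFIED, NEEDLES));
```

Only the comment text disappears; the output is smaller, but the key, the endpoint and the program logic are all still in plain view.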

And, what about any scripts contained within this module? This solves nothing. Might as well create a function that displays everything in the module. Heck, why not just put the module in your game so you can see it yourself? You’re just open sourcing it.

2 Likes

I feel that a way to opt in to using private modules would be the best solution to this. You’re still running code that cannot be seen, but hey, whose fault is that? It’s yours. Don’t use it if it gives some random people admin. Kids won’t even know how to fix open source scripts that do malicious things, other than just deleting the whole thing.

5 Likes

I do think that a more viable solution may be to have a setting that allows the game creator to toggle whether or not external imports should be allowed. This could be off by default, and if the game creator wishes to turn it on, a warning could be displayed that shows the risks.

9 Likes

I agree with this. This is what happened with loadstrings. Roblox never removed the feature, they just put a warning when you tried to enable it in the ServerScriptService properties and all the risks coming along with it.

6 Likes

Perfect example for this thread actually. Loadstrings was changed to an opt-in feature, why not do the same here?

5 Likes

I wonder if the admins are actually reading our arguments and considering them, or they are just completely ignoring us :thinking:

2 Likes

Changes like these aren’t made by some arbitrary group of “admins” at ROBLOX. I am sure that the engineers evaluated the many effects that would be caused by this change and weighed multiple factors (i.e., accessibility, security, ease of use, etc.) into their decision.

While it may feel like you are being “ignored”, I am positive the teams over at ROBLOX don’t make changes to simply be evil.

1 Like