Removing Support for Third Party Closed Source Modules

I support this update, as Roblox is protecting users/Developers from the new malicious backdoors. I am glad that Roblox decided to provide a change instead of completely destroying this feature. Developers who are making modules shouldn’t be scared to show their code for Source Modules. This is a good step Roblox is taking, I just hope the next thing they do is the enter password feature when a different IP is found, to prevent cookie logging.

At best I saw a ‘maybe’ type of response along with ‘late 2019’ at the earliest. I believe this was associated with packages, but was never confirmed. If they have confirmed that a replacement is coming, please link it as I would love to see that.

Protection of intellectual property and security related concerns are the chief motivators for keeping source code private.

2 Likes

They said this in the post

On February 1st, we will be removing the ability to use closed source modules from other creators on the platform. If you want other developers to use your modules, you must open them to the public or publish them under the same account as the game.

That isn’t an alternative. That is exactly the change many of us are opposed to.

Yeah I meant a change sorry, I’ll edit it.


Is it normal that you get this message even if the module is uploaded by the group owner in the group?

We tested if you upload it on your own account profile and require in your own game you do not get the message. But in group games whatever you do, you get the message. We first thought it was because we uploaded it with our own account and not the group account. But seems like it still happens even when it’s uploaded by the group owner.

4 Likes

Why don’t you guys do what you do to all the other assets? Get them approved before they can be used.
You already do it for
Decals
Shirts
Audio

Why not check models, I’m not saying go check every single one right now but any newcomers why not just do a little check?

Edit: or Heck why not have an option on a script that says “Allow Require”

4 Likes

The manpower required for that is completely unsustainable, unfortunately.

Then why can they do it for everything else?

1 Like

Images and meshes are all visual, meaning they are easily recognizable when they’re offensive. Audio is auditory, meaning the same thing.

To audit a model or a script you have to know what it does and look at it closer. Finding moderators that can do that consistently is infeasible.

5 Likes

Would you want to read scripts consisting of several thousands of lines, some of them encrypted or minified, making them harder to read, and have that be your entire day job?

Oh, and if you made a mistake, you get punished for it. Your job is to correctly interpret whether a script is malicious, if it’s hiding other scripts inside it, if the script includes other scripts, and if it does, you read those and figure out what they do and if they require any other scripts. This is also counting having to untangle any obfuscation or minification that gets used in those scripts.

Do you still want that to be your day job?

2 Likes

Meshes, clothing, decals, audio, etc. can’t be changed after they’re approved. If they moderate module scripts, they’d have to re-inspect it every time you update the code. Otherwise, you could keep it innocent-looking at first, and then sneak in your malware after it passed.

2 Likes

The version control system built into packages would help address this. Once approved you could just review the diffs and throttle the amount of times a developer can publish (for review) a package. Keep as many versions as you want private, but max of one publish for review per day for example.

The biggest problems are packages aren’t production yet, and there has been no indication that it would support keeping source private. (Obviously the reviewers would need to be able to see it)

1 Like

That is highly incorrect.

I recommend not making assumptions about how Roblox works internally if you do not have the knowledge to comment on that. Stick to the topic of the post.

4 Likes

I really can’t believe people are suggesting moderating modulescripts.

When I used private modules, I quite often had some large modules, and made updates quite a bit. Do you really expect moderators to go through every private module? Please think next time before you post. This shouldn’t be considered, unless you bring some type of bot that can recognize malicious code, but I doubt that would happen.

2 Likes

Even attempting to moderate code in any way is already a nightmare… what approach would you even take? Any sort of human verification would be utterly impossible as it is so easy to hide malicious code already that it would be the joke of the entire Roblox community within the hour.

Any sort of automated analysis (sandboxing? virtual machines?) would be rife with false positives and would also be completely useless if they decide to add anti-sandboxing measures (which would be really easy to do…)

In short, moderating modules in any way is completely useless and a lost cause the minute it’s attempted.

2 Likes

I support introducing sandboxing, however it should allow you to toggle everything that a script can access, individually - so that developers have the ultimate control over what the code can do in their game.

This is actually a viable alternative to just removing the feature entirely, or not implementing a system which is like HttpEnabled or LoadstringEnabled.

I don’t support sharing the source in any way - this provides incentives for people to plagiarize proprietary code.

The ability to distribute code without providing the source shouldn’t be taken away from everyone - that isn’t right. This is just going to make providing services even harder without some kind of obfuscation.

Please consider adding a system which allows proprietary code to still be protected, while allowing everyone to use the module in their games.

8 Likes

I understand the reason to remove this, but I believe that in the end it should have been the developer’s choice to either opt in or not. That way it’s in the user’s hands if they want to stay on the side if they are new to developing and don’t fully understand scripts yet but for more experienced developers to allow them to utilize private modules as they will hopefully have a better understanding and have decided to opt in and use them.

2 Likes

I love the recent updates, ROBLOX, but this?
This ain’t it.

What’s preventing them from just making the module open source? The ones who generally insert these malicious models that include backdoored private modules are the ones who can’t script anyway, therefore, even if they looked through the source, they wouldn’t know how it works and wouldn’t know how to tell if it’s a backdoor, if they even bothered to look through the scripts at all.
This helps nobody, and if anything, hurts those who rely on this as a source of income, or as a means to keep their source from being stolen and abused (For example, admin scripts that rely on Trello or other similar services to get bug reports from users, as they can now just spam the service with HTTP requests.)

This doesn’t help anyone, it just means slightly more competent developers can check the source of private modules in models, despite the more competent developers not inserting these models in the first place. The average Joes who insert the malicious models won’t check the source due to a lack of scripting knowledge, so the people who make backdoors can just make it open source and have nothing hurting them, except maybe having to take time to obfuscate their Discord webhook.

This just hurts people, and frankly, it’s a useless removal. It solves NOTHING, and it’s just another bandaid patch by ROBLOX. As I said, I’ve been loving some of the newer updates, but not this.

5 Likes

It makes it a lot easier to report free models that are installing malicious code into games, if we can actually look at their code, and it makes it so admin scripts now have to be transparent, and can’t just put in code that gives the owner and their friends admin in your games without your knowledge.

Since the code now has to be open source, they can now make a GitHub for their admin script and link in the Open Source Module and let people submit issues and those who like the admin script and find issues in it can make pull requests to improve it further and fix glitches.

1 Like