Removing Support for Third Party Closed Source Modules

Yes I can see that. But just for everyone’s information, I did have a conversation with the staff prior to this.

When I wrote my position on this more thoroughly I found that models with private module backdoors had accumulated at least 27 million takes. I’d say this massively overwhelms the people who use them for legitimate purposes at the moment (which, while noble, is also, arguably, not many people).

3 Likes

My arguments have literally been for their removal …

1 Like

There isn’t a side of the argument that doesn’t do this unless you propose Roblox moderation.

This is a case for Roblox to moderate all shared scripts instead of ‘shoving the risk on the end user’ which is what happens before or after the proposed change.

As far as I’m concerned, there’s no other platform like Roblox that enables users to make their own games entirely. This gives people the opportunity to make some income by providing services that may benefit their game. This will get rid of that entirely.

1 Like

To everyone claiming that Roblox needs to protect users from toolbox models, think of it like this:

If you install a virus on your computer, is it the fault of Microsoft or Apple (or whatever OS you use)? Of course not, that would be ridiculous, right? So if a user inserts a malicious model, is it Roblox’s fault?

Common sense is the best defence. While I understand where the points may come from, companies like Polymatic can have engineers working on finding alternative means to protect code or to use laws to protect their source. The everyday developer, like Terabyte, cannot do this easily. While Terabyte could be open source, and there would be no issues, there are people like wind_o and smartTech who use private modules to protect their paid products (e.g. Check Me In), which is used by hundreds, if not thousands, of groups.

We aren’t asking for Roblox to just keep modules in their current state, we’re just asking for Roblox to provide a good alternative so we can manage and continue with our business.

But they’re FREE models!!!

Think of Models like Software (which is the case with large scripts). People can still pirate software, people can still leak software, but hiding the code with possible methods is still better and safer than just having no protection and being forced to tick the box that says Put model in PUBLIC DOMAIN.

There is paid software (like CMI), there is free software (like Terabyte), there is open source software (like Adonis), and there is malicious software (like the backdoors).

9 Likes

Oh, so that’s why Microsoft is making Windows Defender better and better against viruses. It may not be their fault, but it’s their platform, and yet they’re fixing the fault of the users in many cases.

In my opinion, telling everyone to use common sense is a bad argument against this. The problem with common sense is that it’s not common. People think differently, and don’t have the same knowledge as others. It’s really up to Roblox to ensure the people who don’t have “common sense” also don’t have a bad experience with the platform, and private backdoors are not a great experience if you’re just getting into development, and are not entirely sure how to make something yet. They also may not understand how to research developers or about modules.

3 Likes

Except the user has the choice to disable Windows Defender in this situation. We’re being robbed of our choice.

6 Likes

I have been testing around and I found out that in personal games, closed source modules don’t work, displaying “Unable to find module for asset id”, but in groups, closed source modules do work, but only display a warning (the warning that closed source modules are shutting down support on Feb 2nd).

I hope this isn’t a bug and I hope they are reconsidering.

1 Like

An official statement as to what exactly is going on right now would be great. We’ve been in limbo for a week.

2 Likes

There must be a reason for this limbo, because as I have seen ROBLOX staff usually never forget to update a promised update.

I hope it stops soon because when they are changing the settings I don’t want to make a project that in the end is not supported. Right now I am not touching any product modules :disappointed:

3 Likes

I think you’re confused here. Closed source modules are still supported, regardless of whether it’s in a user’s place or a group’s.

Erm I meant closed source modules that are from a different owner. Apologies.

1 Like

Honestly, I couldn’t agree more with your opinion. I had a good solution. It would be to basically keep private modules but you will have to accept an option to take free models at your own risk, and ROBLOX should update the TOS so that they are not held liable for anything that happens when you take someone’s free model. And if someone complains to ROBLOX that they got hacked from a backdoor, ROBLOX can simply say “Look at the TOS, it’s not our issue.” It’s just like what Windows is doing, like what @Semaphorism said and @Scriptos said. If you download something off the internet and get a virus, it’s your fault. However, Windows wants to keep earning money so they are constantly improving Windows Defender. Like @Scriptos said, ROBLOX is not giving us the option to disable this “firewall”, and they are not giving us an option to still take Private Modules at our own risk. I really hope they add something so you can still take Private Modules. I hope ROBLOX gives us an option for once. As a ROBLOX player, I feel like we are losing our voice more and more and ROBLOX is making tough decisions that we don’t want, we didn’t ask for, and we can’t change. This is a truly tough situation.

2 Likes

They still work in other people’s places as well. Tested this on 3 alts.

So we’ve finally circled around and are now arguing that it’s not Roblox’s job to protect people on their platform? How very non-elitist of you.

That viewpoint is insane. You can’t disable the security for anything else on Roblox beyond loadstring (which is a separate case, and I wish people would quit bringing it up). Why would they allow you to do so for this?

I find it weird that ROBLOX has yet to implement this change, seeing as it’s 8 days into February and nothing. They’ve either not cared enough, changed their mind, or are trying to get some kind of replacement before going through with it.
On the thread, it specifically states “On February 1st”, but it’s the 8th and nothing. No news or anything.
EDIT: Realized people already brought this up, keeping this here anyway.

The change is worthless. Some people will check the source code, but as many have brought up, the people who insert these malicious models generally won’t check the source anyway. It just means that people who care enough will check the source and report the module, but what if it’s obfuscated, and they can’t prove that it’s malicious? Then what will they do?

I feel like we need something like HTTP enabled in Game Settings, or LoadstringEnabled in ServerScriptService. Maybe a new option in Game Settings, “Private Modules”. When you press Yes, it opens a message box and you need to wait 3 seconds before saying you understand the risks, with the risk in bold text and easy to understand, simple words. Something like “Stop! If you activate this, people can destroy your game! Are you sure that you want this on?” with some image to the side to catch their eye. A stop sign or something.
Some stuff like that. People who press Yes are then liable for any malicious code that may be inserted into their game.

2 Likes

Same here, I was going to work on an alternative for private modules for my product but it’s almost been a week without them saying anything and I’m seriously wondering if they are reconsidering. Worried it’ll be a waste of time making anything at the moment.

3 Likes

We are still planning to disable this functionality. There have been unexpected delays in the implementation but the change will likely occur mid next week.

I have been following this thread closely and I see a few main topics popping up. I would like to address them in a Q&A form.

Q: Why is Roblox removing this feature without providing a replacement?
A: Ideally we would like to provide replacements for features before removing them. However, we have to consider the time and cost of creating a replacement first. In this case, building a robust sandboxing system will likely take on the order of 6-12+ months minimum due to the amount of complexity and the number of cases we will have to handle. We considered the risk of waiting this long too high.

I would also like to add that this feature was originally not intentional – it was a bug with the original implementation. We would never expose dangerous functionality like this intentionally.

Q: Why not give developers an opt in option to use third party closed source modules? It’s my game so I should be allowed to take the risk.
A: We understand that some developers are willing to take the risk of running untrusted third party code in their game. We however as a platform are not willing to take this risk. Imagine a scenario where a game uses a closed source module and the module creator abuses that module to do something malicious. The developer could accurately claim that he had no way of knowing what the module is doing and is not liable. By ensuring that developers can audit all code in their game, we are giving them power to examine and uncover malicious activity in their dependencies. They are not reliant on Roblox to check what modules in their game are doing.

Q: How will this stop malicious code?
A: It will not. This update was never about preventing malicious code. This update is about ensuring that developers have visibility into what code in their game is doing, whether malicious or not malicious.

29 Likes

It sounds like this is confirming that there will be no private source option in packages. Is that correct?

2 Likes