Removing Support for Third Party Closed Source Modules


Lifetime OBC removed -> Aug 2015
DevEx release -> Oct 2013

That’s a two year gap. Don’t propagate false facts, you can google this stuff.

PS: Please fork this off in a different topic if you want to continue discussion on other features


if this was a devforum only thing where you could use closed source modules, that’d be nice.
edit: fair point to replies.


Majority of people who benefit from closed source modules are not on the dev forum.


This is a bad idea, as it makes the devforum seem like a status. You shouldn’t get perks normal users don’t get just for being on the devforum. On top of that, users on the devforum can abuse private modules too.

Like SquirrelByte said, many people who are not on the devforum can benefit from closed source modules. This isn’t a solution.


I feel this can be both helpful and hurtful to have happen, we can’t tell how removing the private modules will affect people who rely on them but I feel it’s going to be a good section of ROBLOX, so hopefully some work around is made or published to allow.


Although I don’t necessarily agree with just removing support altogether, it is a necessary precaution to ensure players have a safe environment when playing games on Roblox.


All though there is no clear solution to this, I feel like this is a bad approach to fixing the issue. For example, if this update rolls out, people will just make their code obfuscated, make the modules public and the trust issue rises up again. Stuff like “AllowThirdPartyModules” is a good concept, but it is possible to just take advantage of gullible people and make them turn it on.

This reminds me too much of the strict chat filtering and Experimental Mode updates. They instantly provide a solution to it without thinking of the consequences the rest of the community will experience. I think the main problem of all of this is trust.
(also this is my first post :yum:)


I like this roblox proposal it is a great way to try to patch the virus in the free models. tbh I don’t use free models because of that. way to go roblox.


The only thing I would like is the ability to hide certain forms of http requests when I share my code. If I am accessing a MongoDB for data information and it is using a react api, I don’t want anyone to see that api key. I’m fine with them seeing the url because what use is to them if they cannot do anything with it, but accessing it is another story. So I’m not sure what is the best course of action for that? I think that is the problem @SquirrelByte is having with terabyte. I have no problem giving up closed source modules, because frankly it is a huge security risk, but speicifc things like http requests, or at least the api keys, headers and bodies, need a way to be hidden, even in a public model, or the original creator’s backend is completely vulnerable.


This will absolutely not stop any free model virusses, usually free models don’t even use private modules.


Its generally bad practice to keep API keys in plain text anyways.


In a regular game, any http stuff is in SSS so no one can get to it. With that being said, you need to keep stuff visible from now on and if you want to have a public model that requires the use of http service and an api key, what exactly would you do?


I will always be against this proposal due to the fact there is a multitude of better ways to handle this. For instance, you just released a thread on a Vulnerability (Script Injection Vulnerability), and why can’t there be a plugin/tool made by roblox to detect specific require() that call in a module? i.e search through scripts, and if there’s a require(1234) it’ll notify the user of the location? There’s still that great idea of AllowThirdParty if the user wants to Opt In and trust what they use, otherwise they can opt out and go about making their own stuff.


I think the primary issue is if a developer “went rogue” per say, or eventually had a plan to mess up large masses of games, they could have a perfectly safe module at first, but then modify the code at some point to allow access to the server or just destroy a game outright. Then what do you do besides removing it? You still had that vulnerability for that period of time.


Ctrl + Shift + F exists. I doubt Roblox is going to blacklist specific modules when they can delete the malicious asset anyway.


There will always be that issue, but it is up to the owner to trust. If they feel like it’s causing it, opt out. Use your own stuff.


Mhm, but where I’m getting at is Plugins as well. You can always grab the plugins source and all, but a lot of people don’t know how to do that.


Yes, but like already said here, this can be bypassed by not using ‘require’

Not even mentioning that that feature doesn’t even work for everyone


There have been several PSAs to check what plugins you’re installing, and this

does not change. Plugin, module, or model, it’s your duty to check over what is used in your game and report malicious assets.


Generally? Don’t use API keys in public code. If you’re doing that, you’re almost certainly doing it wrong. If you have to for whatever reason I would love to see the use case for that.