Removing Support for Third Party Closed Source Modules


Like Colbert said, it’s all but impossible to automatically detect a function in Lua because you can obfuscate it so thoroughly. You would need to pre-process the script and as far as I know no one has built a way to do that with Lua automatically yet


Let’s say I open soucre my admin panel. Currently I have it connect to a database and check for moderation actions so I can have a synced moderation list over multiple group games. Now let’s say I open sourced the panel, but didn’t nessesarily want to open source the actual backend. How would I go about that? Have it so each developer creates a unique api key using a web portal and then puts that in their game? That seems overly complicated and ilnessesary.


In that case I would say you should use a public module to host a list of the moderation action and use public endpoints on your database to get information about those specific actions. You don’t need to have the backend public, but unless I’m missing something you shouldn’t need to have it public to get a list of moderation actions, seeing as they’re already public in the panel.

This is ignoring the fact that you’re publishing something and open-sourcing it so you really should expose the backend, and that you’re asking people to put an admin panel in their game that they can’t see the source to.


I am really against removing module scripts. If they were to remove it they should at least give us something back, as a compromise. There’s a reason why people do not want to give away their source code, like @SquirrelByte is talking about.

Sure (the ones of you who wants module scripts removed), you want it back. But, are you using module scripts made by others, are you waiting to use module scripts until they have been open-sourced or don’t you use them but still want them removed?

(This is not meant to harass anyone, just wondering) If Roblox wants us to open source our module scripts so everyone or no-one can use them, well, why doesn’t Roblox open source Roblox Player or Roblox Studio? Exactly, they can’t, it would reveal wild secrets that we should not know about, and this is how I, as a Roblox developer, feel as well.


Also the fact that a ‘solution’ is coming late in the year isn’t much of a solution. Some people make their most profit off of private modules being their source of business, and this is ripping them off. IF they offered the Opt in/Opt out at least the week they remove modules, I’ll be fine with that.


I think to be honest that an AllowThirdPartyModules option would be best. This would be set to false by default, making the ones that don’t know the risk safer from malicious ones.


I totally agree! I can see the need to remove it due to most of the front-page game creators being inexperienced devs(no offense but come on, tycoons and adopt me games are front page?) and these games being easy to target.


I don’t really like the decision to do this but I do understand why the choice was made. This still hurts developers who are creating subscription products and don’t want to release the source. Take @wind_o’s Check-In system for example, it isn’t sold at a large amount because he doesn’t have to worry about people leaking the source and creating their own.


The biggest issue here is primarily Intellectual Property. While roblox states they want to protect users IP, this very thing is disproving that statement. There has to be another alternative before, or right after at most, when this is executed. Yes the need is evident because some developers are incapable of background-checking what tools they use at their discretion, but is it worth going against a multitude of developers’ Intellectual Property?


Another thing is, pardon my rudeness, if someone is dumb enough to unquestioningly use third party stuff that they can’t investigate then they aren’t gonna be smart enough for any protections to be effective.


Couldn’t have said it any better in all honesty. If you use a model found in the catalog, it is your responsibility, even if the model has a backdoor or not, to search through it and make sure it is what you want. If it isn’t, don’t use it period. If you find it uses a backdoor and looks suspicious, make sure you hit that report button and drop a like for the support team. That’s all there is to it to protecting your game.


I have one question. I have an admin script that I created only for myself which imports a code module(which of course is private). Will this admin script still work if I am the only one ever using it? I am worried because I use this admin in a lot of my games. Normally I wouldn’t use a module but since I need this admin in more than one game of mine, I need to use one as it will be much easier for me to fix a bug in the code or add a new command and have that change easily be published to all my games by simply joining a new server.


If you own the module that’s being imported there’s no problem


Ok good, I do not have to worry. Thx!


I disagree with this change, but it’s well-needed due to the vulnerabilities that have been occurring with private modules.


I agree with the reasoning of this change, some developers do insert malicious codes into their private modules. There should be an option to allow use of third party modules, and an option for the owners of third party modules to allow users to use their modules. Just an idea cause I have some friends who like to keep their code to themselves but want to share the features of the scripts to other developers.


1. A compromise
I’m not sure if this has already been mentioned, but I feel like this is a good system:

  • In order to use a closed source module, the developer must be friends with the game’s creator
  • A setting must be ticked in Game Settings with warnings about it,
    – Similar to the original LoadStringEnabled setting, which warned you about game security if you enabled it.

This likely would give a positive for both sides, a compromise between security and the protection of intellectual property.

2. The issue with just removing third party closed modules
Developers can hide admin command systems or Lua Virtual Machines which let them execute code, this will still be oblivious to the newer developers who don’t know how to look for the signs of malicious source. Experienced developers would still be able to find it, but they wouldn’t use free models anyway.

3. People will always find a way around
I’ve seen several methods published that (kinda) hides the source code, either through obfuscation, Lua Virtual Machines or downloading code from a HTTP server [or even all three].

4. Conclusion

In my personal opinion, this will cause more harm to the people who are selling services and need intellectual property protection, than good.

People have been putting back doors in their scripts since before private modules were a thing, and they won’t stop just because they got removed.

I hope Roblox staff take everything myself and other developers, from both sides of the debate, into account before fully removing this feature; or while working on a substitute.

As for a substituent, I hope there is a easy solution to protect the intellectual property of game developers; while preventing back doors.


We also need more plugin options like AllowThirdPartyHTTPRequest. They can send an http request and set source code from a third party web server.


Only issue I can see being with this is either the developer has max friends(200) or only has limited friends for security assurance on places they develop in(I see it all the time).


I was thinking about this, and you have a very good point, someone could obfuscate their code to hide unwanted things. However, at that point the player can open the script and not be able to understand anything and have the choice of deleting it since they aren’t able to configure it. Since if the script only had a require() the player wouldn’t know if the script was up to any good or bad

I believe removing support for this feature is the best step forward in my opinion, since I have seen what terrible things malicious developers can hide in their scripts. Removing that power from malicious developers is vital to ensuring a better Roblox