Removing Support for Third Party Closed Source Modules


#303

You can still require open-source modules, so what you said about them not trusting the obfustation isn’t really true since the script can still just say require() but the code they don’t understand will be in the module source.


#304

I agree, you should make a #platform-feedback:engine-features request for it (if you haven’t already).


#305

Yes you have a point since they can have obfuscated code in an open source module script. However since it is open source, the player is able to retrieve the module script and read it’s contents and decide whether or not they want to keep the code in their game, with the code being obfuscated they likely would not want it anywhere near their game. With it being closed source you cannot do that, so you have to hope it doesn’t have any unwanted code.


#306

As I have previously said, experienced developers are unlikely to use closed source anyway and know the risks and signs of possibly malicious code.

The main issue with malicious require scripts is inexperienced developers, more likely to use free content from the Toolbox. People have been hiding back doors in scripts since long before private modules were even a thing, or rather, were popular.

The malicious will always find a way, this change will do worse to legitimate developers who need to protect their intellectual property more than the malicious who will just find a way around it.


#307

That is very true, malicious content has existed long before the popularity of module scripts. However I do understand the need to protect developer’s intellectual property whilst allowing code to be used throughout different places, but as Seranok put it:


#308

The rest of Seranok’s message covers things that a normal script, even malicious ones can do.

I understand there is a risk, but Roblox should offer us a good replacement to protect intelectual property; there are many services which have to close either temporarily or permanently; or use a more “hacky” or slower method to protect IP.

I am aware that replacements for good source protection may be in the works, I just want to express my personal disagrement for this change at this moment in time.


#309

If I remember rightly, theres a comment here saying that a replacement probably won’t be coming any time soon.


#310

That is correct, late in the year is the response given. Which isn’t very helpful at all.


#311

Although I’m sad to see them go, I am absolutely in favor of this change! If
Roblox addresses concerns (they appear to).

  1. It won’t improve security, but it will improve liability.
    I’m not, in favor of placing blame, but I do feel it is important to
    give the right people responsibilities. With these modules anyone could do
    anything, independent of their moral stance (example: everyone should be
    able to physically own everything, etc.).
    You can still hide malicious code, but now the responsibility is shifted
    from the third-party and Roblox to the game developer.

  2. My only use-case has an alternative (franchising).
    I once was a developer for a café group. We wanted to market our group and
    people wanted to use our unique technology. So, I developed a module which
    in exchange for advertising, provided that technology.
    If I was to do this today, I still could, but I’d have to change our
    processes (and ethics). I could, for example, take control of the place
    (hosting it in our own group). That way if someone does not include the
    requirements (advertising), I could revoke access to the technology, or
    introduce the requirements. This would require more trust from them but
    would work as an alternative! Could even automate it with a website (or
    Universe script?).
    It’s not a perfect alternative. But it does fulfill the requirements of a
    franchise until Roblox implements a proper solution.

I have other reasons, but they have been repeated here enough (ask me privately
if you want specifics).


#312

Although I will agree to Roblox’s incentive towards making this decision, I do have some opinions about removing the closed modules.

I understand that closed source modules can endanger developers’ games at a high level, I’ve experienced many cases of backdoors and exploits without even realizing it. However, as the developer of a large resort group, I must also say that we don’t create everything from scratch. Larger systems, such as admin commands, are often required through the require() function as a closed source module. To put it simply, I only know of one script that uses closed source modules, however, there could be numerous scripts throughout the game which I might not even know about. Removing closed source modules as a whole may put the entire development team at work, especially if either the owner of the closed source module refuses to open source the code and/or there are more closed source modules than expected.

I don’t know about other scripters on Roblox, I rely on these closed source modules for larger systems that either I cannot make or am simply too lazy to try to recreate when it’s provided on a golden platter to me. By closing off all of them, it could put the entire game into jeopardy, especially if we do not realize that a closed source module could exist somewhere.

I hope to maybe see if Roblox could make a way to have a team of people check through the closed source modules, or have an automatic system do it, and find a way to allow certain closed source modules to continue instead of having all closed source modules shut off.


#313

I think that the most effective way to prevent malicious scripts would be to prompt users when inserting a script from free models.

The prompt should only appear when inserting a model that contains any script instance, and it should ask the user if they trust the source. If not, let them remove all scripts from the inserted model with one click.

If the prompt detects a script in the model that requires a 3rd party module, it should warn the user that the owner of the module can update it at any time.


#314

There was no valid use case for private modules.

  • You cannot test the functionality the private module provides in Studio.
  • You cannot patch problems in private modules or edit them in any way the developer doesn’t let you.
  • Outside of Roblox, code you let computers that you do not own run is reversible, including consumer software. Yes, it’s far easier to decompile Lua bytecode back into Lua than it is to turn machine code into whatever language it was written in, but the principle still applies.
  • Users retain the Intellectual Property protections the same as they always have. If a user uses your code without a license, you may have legal tools at your disposal such as a DMCA takedown notice, and theoretically but not practically, even a lawsuit.
  • Any services of real value that licenses won’t satisfy can be hosted as web services, and developers can grant users API keys to use.

There were never real business interests at play (in terms of, say, USD or DevExable R$ value) with private modules; it mostly consists of supplying roleplay groups with small and unnecessary tools that could easily have source code available, like administrative commands or Q&A centers. It’s almost as if these developers were roleplaying as businessmen. The interest of all Roblox developers, particularly the newer ones, trumps this.

With source code available, many new developers are at least able to tell there’s an effort to obfuscate the code.

Simply consider modules to be just like letting someone run code on their server off Roblox. The code is not a black box, and business models are not built this way.


#315

You can say that for a lot of thing, you can basicly say that for parts, unions, modulescripts, they’re all replacable by meshes, scripting, …

Just because you can use something else to get something done doesn’t mean that you don’t need it, the current ways to replace the things that private modules could do requires bad alternatives such as obfuscation…

No, you cannot, that’s also the same for Datastores in team create (not group team create), does this mean datastores are useless?

I’ll just ignore this as this isn’t about Roblox.

I hope this is a joke, because a lot of devs aren’t going to spend that much time if a bot copied it a million times, which tends to happen.

“web services” aren’t easily available to all of us.

Everything that you told is basicly “because you can do it without them, means that we don’t need it” which is incorrect for many reasons.

Not many people would like to have code being public when they could make money from it, some private modules use things like donations, special features, … with the new system people can just copy the script and remove it (and use these features for free), People still use and like private modules a lot, they’re used to make sure exploiters can’t get into games, help with administration …

Of course, there are downsides to private modules, like scammers can use them, but this won’t help that even in the slightest.


#316

Sometimes its hard to trust people with your source code. Private Modules provide a way for scripters to protect their position and their work.

I’ve read stories of groups firing scripters in the past. The group owner may think, “Oh hey, the did all this work, and now that its done, I don’t really need to keep paying them” and they kick them out. If the scripter used private modules to protect their source code, the group owner can’t risk kicking the scripter out because then the scripter can modify the private module remotely and make it no longer function.


#317

That would be completely unprofessional on both sides. If you are doing commission work, the person you are paying can simply test the code and then pay. Or sign a contract if both parties are eligible to do so. I don’t want to stray too far off topic, but it’s worth noting that you retain the legal rights to your source code until you legally sign them away. Private modules are not necessary for this.

If you’re paying someone to write you code, they should deliver that code. The notion that you would somehow never give someone access to source code they paid you to write is silly and not sustainable.


#318

Oh god, wait until you get scammed. Private modules are both used for scamming and against scamming.
Some people need the scripting before payment, and private modules was a good way to make that happen.

I have no idea in what dreamworld you live in, because this is usually NOT what happens, I’d say, 50% of the time people scam you.

Usually these people are kids, not people who worked in a university that signed a contract.

Some people give the code as private module and when they pay as plain text

And please stop using legal stuff for this, in case you didn’t realise yet, KIDS DON’T CARE, yes, technically you could do stuff like sign a contract, do all kinds of legal stuff to protect you, but really, even when you do that the chance is very small that you’d be able to actually remove it, and with so many users on the Roblox platform, the chance of you keeping the code to yourself is very small


#319

People used private modules for premium content, which you had to pay to own a licence for; sometimes R$ (which is devexable or in a large amount) or hard currency (e.g. USD, GBP).
Also, there are real registered companies that use Roblox, including private modules.


#320

People pay for services, not code. You need to think of these private module systems as a service and not a program you own, since it’s usually given to a wide variety of people for payment.

People can still reverse engineer code or use it without the creator being aware. DMCA Take-down Notices can be time consuming and other law enforcement tools, while they are available; they are tedious for many developers, with the exception of very large ones who have built their contacts with Roblox and may even be an actual company with a legal team or soul lawyer.


#321

Having an admin where you pay for extra features (like effects on your character), or “premium”. As several have stated, and something that I’m going to say again: people could just copy the code and remove that part of the admin and then earn money themselves of something that they “stole”.

You can’t “steal” with the new update. You’re basically allowing everyone to take your code and they can use them the way they want.

Oh, private modules are perfect for not getting scammed as a scripter. I was glad it was available when someone tried to scam me.
They were going to pay me 15k for making a system. They said that they were going to pay me after I delivered. I know people think “they dont have the money etc blah blah”. But this group had 100k+ in funds.
I delivered the script which required a privete module. He said he was going to pay me “soon”. The script was still in the game, it was working as expected. After 3 days I tried to contact him, but he had blocked me. I messages him on Roblox and Discord with several users.

He didn’t pay… but since I used private modules I instantly revoked access to requiring it. His game stopped working, lol, after some hours he DMed me ans apologized and paid me. I reverted the update and the game worked again.

Yes, this shows how bad private modules can be, since you can change anything without the game owner noticing until players complain or whatever.
But, it also shows how I avoided getting scammed by having this feature.

I promise you, more users will be scammed.


#322

Last post I think I’ll make for now on this topic, but there is no advantage to private modules in deal scenarios when compared with letting someone into a testing place.

Testing place: They can see all code working, can’t steal it if it’s server-side. The programmer can be a jerk and not give what you’re paid for.

Private module: They can see all code working. The programmer can be a jerk and revoke permissions.

No real difference, I don’t think this is an effective argument.