Removing Support for Third Party Closed Source Modules


Please ensure your posts are constructive when replying.


Then ask for payment before giving them access to what you’ve created… I don’t see any reason for a scripter to give someone a script they’re paying for before they’ve even paid you, that’s just asking to get scammed. Plus, if they paid for it, making them use private modules to even access it is a bit scummy. That’s theirs, they paid for it, they should at least have access to the source for it…


Ultimately it dwindles down to you losing protection of your Intellectual Property. Once it’s sold, it can be re-sold for more money than originally possibly, and no one would be able to tell. Then one day you find your stuff in a random game and they say they bought it for $100 while it was say $50. There’s issues that this removal will cause that can be prevented if they listened to our solutions. Become EA for once, and listen to the community.


If you’re scared about losing control of intellectual property that you’re selling to other people on Roblox then maybe selling scripts/services isn’t for you. If you’re so worried about people re-selling your stuff then make your own game, find a dev studio to work for, you’re not limited to just selling “private modules” with the ability to remove them from whoever buys them at any time you want.


Obviously you miss the point that Private Modules protect Intellectual Property, something that roblox said they hold so dear to protect for their users.
Also, it’s not about the worry of losing it, it’s the fact that people can claim credit with absolutely no proof whatsoever but just showing the code. Imagine someone submitting stolen work to RbxDev, and being accepted.


What? Private modules protect intellectual property, yes, but they allow for the developer to remove access to it at any time to any people who buy it. If someone pays money for a script then they deserve to have access to the source of that script to make sure you’re not doing anything scummy and to improve on it themselves.

I’m pretty sure people have been submitting stolen work to RbxDev since the start, and I wouldn’t be surprised if some of those people were accepted. If someone tries to claim credit for creating a script to you or your group then get them to explain it. It’s obvious that they’ve lied when they can’t actually explain what decisions they made in the design of it or what certain functions/snippets of the code do and why.


I suggest you do the following:

  • Each time you sell a script to someone, get his Roblox account’s ID number.
  • Modify your script to work in places only with that ID by simply checking the CreatorId.
  • Obfuscate the modified script and give the guy the obfuscated version. Keep the original one to yourself only and re-do the same process each time you sell a script.

Your code can no longer be sold for cheaper by the people who purchased it.


I already have a webhook to post if a unauthorized game is attempting to use it with the game details in the embed. If I remember correctly, someone said obfuscating code isn’t allowed?(Correct me if wrong), and it wouldn’t take someone long to figure it out.


An every-day user cannot deobfuscate the code, and if you tell your customers that you are giving them an obfuscated code and they still want it, there isn’t anything wrong with it.


But that’s not who we’re worried about, we’re worried about the people who can, and want to use it against the code creator.


A public thread is really not the place to have a heated discussion on the merits of private modules. This thread didn’t invite a debate; it was a statement of intent by Roblox that acted as a polite warning of a change. If you have other suggestions on how to fix the issue of private modules, I encourage you to make a feature request on it.

If your use case for private modules is that people will get scammed more often, then I encourage you to consider the years before they existed and realize there are other ways to prevent yourself from being scammed. If your use case is a web api, use a better practice to prevent abuse of it. If your use case is not wanting people to have access to your source code, there are multiple reasons why you shouldn’t sell something that’s arbitrarily updated and has no validation to see what it does, and if you can’t see that then I’m sorry.

The issue of IP will need to be resolved at some point, but this is not the time for that. I can understand completely the worry that hundreds of hours of work will just be stolen and published from there, but it feels elitist and disrespectful to see that thousands of people are unintentionally injecting malicious backdoors into their game and then making the argument about whether or not that should be fixed.


Then why are they adding free models or things they have no business inserting in the first place! We, developers, use Modules for many things, HTTP, reselling work with an easy way for people to use something in many games and have it update just like that, and ensuring that they should indeed have access to it by our code. By removing this they are removing our way to make a profit, and ensure people are getting the newest update, with the least amount of trouble. They are doing this with no alternative, that is the major issue here.

For your last point, Not just hours of work, months/years of work. It’s not disrespectful, it’s their fault they added something and did not do any investigation on what they were adding. Perhaps they should be more careful.

Sorry, this is just a really annoying thing.


You do realize most people who are being scammed are children or newer developers, correct?
Killing off third party modules is a good way to prevent people from having backdoors inserted into their games, and I personally don’t see any reason why you can’t make a profit by oh, I don’t know, doing what Roblox is intended for - creating games, not services.

You also fail to realize that packages are replacing closed-source modulescripts in the coming months when they’re enabled for developers to insert them. You can update them and developers who have inserted said package into their game have the choice to update their copy, which will prevent people who abuse this feature from adding a backdoor in an update even though it was completely safe the day before.

I’ve suggested time and time again that Roblox could officially support selling assets through an asset store of sorts, similar to UE4, where they would review each update that is uploaded, instead of having a blackbox that may or may not have a backdoor present.


But here is the thing: games are made of Services. Admins are a service. Terabyte Services, literally it’s in the name, and people use them. Game’s use modules for many things OOP, Admin, Exploit Detection, importing GUIs. You act like every single person is going to abuse requires, I use Modules because people can’t see my code, why because it’s a paid service, if you want to use my website, and my code, I want to be paid for my time and effort, if someone pays for it is it fair to allow just anyone to have the code, that way they can go and steal it? No, of course not.

Why would Roblox make an Asset Store? Why not just use Models, an already existing feature in ROBLOX?
This feature being removed is going to destroy many places, make people lose money. ROBLOX says they’re investigating new ideas to replace it, but is ROBLOX going to actually do it, how are we guaranteed a new replacement?

Developers should know not to use free models, They will have to learn somewhere, and somehow. I’ve had my own code stolen and it sucks, but you have to learn to find a solution to the said issue. Modules can, and can’t be safe in certain scenarios. What do modules have anything to do with scamming?? It can prevent backdoors, but what are exploits, and what about the people who are not adding backdoors and creating some legit service/feature, Who are you hurting then?

I am going to have to learn this new package feature, but it seems like a waste of time when I have an easy way to share code with requires.


Wow. I don’t have anything else to say about that but wow. You’ve merely proved my point when it comes to this being an issue of elitism. If your business model relies upon being able to arbitrarily update code on people’s clients, that is a you problem. No real world company – and I mean none – expects that they be allowed to update software without at least telling the end-user they’re doing so. The fact that you and so many others want to do so indicates an absolute disregard for your end-user and for their potential thousands of players.

If you want people to pay for access to your website, sell API keys. Your money should never rely upon Lua code because it can and will be replicated. The entitlement being displayed in this thread, that you are somehow owed an immediate replacement to something that was never officially supported (selling a service), is outrageous. You and me and other developer forum members make up a small fraction of the overall Roblox community. You cannot expect to have your wishes bowed to when there exists a major security hole in closed-source modules.


Why would I sell API Keys? My business model doesn’t just rely on being able to update my client’s code, and when I announce updates in a private discord channel with my clients. I have no disregard to my users, If it wasn’t for them, I would not be making said services. When they pay for my service, they are being allowed to access my website, create an account, and use that account to manage their games. They pay for both the code, and them being able to use my service in there game.

I’m also not saying that people adding backdoor is an issue, I just don’t think it warrants ROBLOX to remove the entire feature, and not add any sort of way to still provide my service.


No, this discussion is fine. Roblox thoroughly investigates changes before making them, but is always open to community feedback. There have been a number of cases in the past where the community has provided new feedback or change of circumstance and that feedback was iterated on to make the platform even better.


(An example of this was rthro)

Reading this discussion is important to me and others to see what people are saying and their POV. I have my POV (some I’ve said here) but if you feel it breaks the rules just report it.


Then your main service is the website? Unless your issue is access to the website itself you can simply make the module that you distribute public. The odds of someone being able to make use of your code without your website are minimal, unless it does a lot more than advertised or has lackluster security. It’s also unlikely anyone who isn’t using your service will bother with the module because it has no obvious use beyond with your service.

Generally when people say website they mean a web API of some sort, which is why I suggested an API key.


Microsoft does it. Anyway, private modules can also be used to safeguard versus backdoors and placestealers by using web hooks and ID verification (and then if you make it really cleverly, you can run all your functions such that they have to turn on HTTPService in order for your stolen game to function) and then the game tattles on the placestealer.