Removing Support for Third Party Closed Source Modules

Not full on as in that sense. I meant configurable, and I’m pretty sure I conveyed that.

Whether or not someone absent-mindedly uses a tainted module isn’t only on their head. You’re not apprehensive to call others ‘dumb’ despite the fact people DO make mistakes. If they notice that the module itself is tainted and refuse to remove it then, and only then, they may be held accountable for whatever happens to their game.

Roblox provides a safe environment for everyone, despite how many people believe otherwise - to do a damn good job most of the time. Be that with their anti-tamper module (well done ConvexHero, but try harder :wink:) or by moderating content. So to not mention that this change is a step in their attempts to solve a greater issue is insulting.

1 Like

Again, to SANDBOX even PARTIALLY changes the functionality of modules. Give a good example of something you would sandbox and how it would help.

1 Like

Totally agree with you,

I did not mean to direct that at you in particular, but at the general belief that the upcoming change will remove malicious scripts from Roblox or that free models will be ‘safe’ now. Malicious code will continue to be everywhere that code is allowed.

In the very best case, the private module change will reduce some of the malicious scripts, with inactive creators. The active malicious users already obfuscated their code and checked allow copy; obfuscation is standard practice for malicious users and they don’t have IP to protect, so the allow copy means nothing to them. The malicious users are interested in the IP they can steal and/or the destruction they can cause depending on the nature of the malicious script.

In all honesty the malicious users win the day with this change as I see it. They remove useful functionality from legitimate creators with little to no impact to their behavior.

2 Likes

I’ve said this way too many times now, but it’s not an intentional feature. No one has claimed that malicious modules will be a thing of the past, but you would now have to analyse whether a module is malicious or not by checking the source. If it’s obfuscated, it could be for any number of reasons and people will be less likely to trust it. What is there to hide?

To see this as a win/lose situation is to reduce the magnitude of the situation to black and white, which it is not. It’s giving freedom to all developers to curate what code they use.

Yes. A better word would be careless - you don’t test new third party stuff on your game’s file. Ever. Do it in a blank baseplate where you can know exactly what is happening.

You are kidding, right? What sort of logic is that? People test in their games because that’s where they prove to be most useful, but that in itself is sidetracking from the main point.

If you can view the code you’re using, you can verify whether or not it’s malicious without having to go through the effort of putting it in a new place. And who says that every module will be malicious as soon as you put it into your game?

If they get hit, that’s fine, they likely didn’t look hard enough; but surely they should take precautions to protect their work. It’s my personal policy to have two whole installs of studio - a safe and unsafe one.

To determine that code is not malicious, you have to prove a negative. So that means only advanced scripters will be able to determine if the code is safe. You need the ability to analyze every line of code and how it all works together. For something painfully obvious sure, lower level scripters might be able to detect it. However, 100% of the malicious code I have found in places has been obfuscated, and most of the time was in places where people had around mid level scripting knowledge, but never detected it. I also don’t know any advanced scripters who use scripts that are provided in free models.

My advice to everyone I work with and to anyone reading this, if you get a free model, delete all the scripts. Find a scripter you trust to do the scripting work for you, or learn to do the scripting yourself. No solution will ever remove malicious code.

Perhaps one day we’ll have a good enough ranking system that some level of trust can be associated with people and/or products, but that is not today.

1 Like

Is there a way to make it so we can have “paid scripts” where you have to own a thing for the script to execute? You could make it so the script has a “hidden keys” section for the developer to hide API keys or something, but have it referenced in the script which only the script creator can view/edit. If they (the buyer) tried to copy the code and give it to another person, the script would be useless because the keys or whatever that are needed for it to run are hidden to the script creator. If you look at glitch hosting, https://glitch.com/ you can view source code, but there is a .env folder which contains keys, data, etc. so that people can’t steal the most crucial stuff. I think that would be a good feature so people can sell their products without hiding code and have the ability to hide keys and crucial data that cannot be exposed. Then you won’t run into the issues that module scripts have (security wise).

5 Likes

I want to take this moment to wonder publicly why someone would blame people for using public resources. Like, you shouldn’t use free models, sure, but to say that people deserve any negatives that come from it or that it’s their responsibility to not put malicious code into their games seems like misplaced blame to me. Surely we should be blaming people who are malicious rather than someone who just wanted a cool Thanos model in their life.

3 Likes

I agree. People who are malicious are why we can’t have nice things.

You could make a private module that checks to see if the place creator owns a gamepass.

I don’t believe that removing the feature completely is the best way to go before a solution with sand-boxed modules comes out. Some games could rely on these modules or some developers refuse to share their source code to the public to review it; for their own choice.

There at least needs to be a white list option, where a game developer can provide an ID that is allowed to be required in their own game, regardless if it’s private or not.

1 Like

I would really read this thread before giving advice. The problem with the advice you just gave is even in the title of this thread.

4 Likes

Is there a way to make it so we can have “paid scripts” where you have to own a thing for the script to execute?

My response was in regards to how this could be accomplished with the current system. Wouldn’t work once private modules are removed. Removing private modules removes a way for developers to provide a service while protecting their code.

I’m aware of what your response was saying.

Which is exactly what my response was about. It’s important to give the most productive advice you can. Advice which won’t work in half a month isn’t very useful at all.

1 Like

Would this mean that when using a require script it will warn the user of all the malicious context?

Example: if my script uses TeleportService, it will inform the user of this?

Or would the malicious services/functions just not work?

4 Likes

I second this question. I think it’s important that we have the ability to see what kind of utilities or code a private ModuleScript can or cannot use.