Yes, to be honest removing this will hurt the community more than it helps at the moment. If a developer gets burned by a malicious module or plugin, they will likely eventually figure out which one it is and not use it anymore. As a result, the actual damage that can be done (especially to a dev that does proper version control by actually saving to their computer) is practically none, short of place-stealers. But even those can be stopped through private modules by a clever developer.
3 Likes
I think at minimum the best way to re-implement private modules is to:
- Let us see what kind of code the private module wants to run
- Make private modules sandbox-able or however you want to phrase it
- Allow us to control RBX.Lua API components, IE prevent it from using a specific service.
Iām aware this wouldnāt work perfectly but I think it would be much more secure.
I think one of the other concerns is that private modules can essentially bypass the whole filtering enabled thing by secretly granting a user access to do naughty things which could be hard to detect.
Another problem is that a plugin could give a private module a sandbox environment that allows it to do malicious things and more beginner developers wonāt understand how sandboxing works.
To be honest, plugins need to be reworked entirely. Plugins are the major culprit here. They chase you around from place to place. The modules themselves are much less harmful. I think the first start should be the removal of non-local plugins. Now that thereās community support for discords and so on, GitHub or similar services would be a better replacement. Also, it saves roblox time moderating plugins - if a link is reported enough, they unlink it and warn the creator.
Also, plugins are advanced tools that shouldnāt even be installed by users that donāt understand their powers or how they work.
2 Likes
No. Itās definitely modules that are the culprits. Malicious plugins could use modules but that doesnāt mean that things such as, say, a mass-uploaded model of Thanos, couldnāt have a backend. Plugins have far more legitimate uses than private modules, and their source code can be checked and validated.
2 Likes
Obfuscation is a thing.
1 Like
Continuing my point, plugins can do a lot more damage as well and be harder to detect. Modules will typically be limited in what they can do. GitHub opens it up to read the code before you download it and therefore it is safer than the current state. Plugins are also, as I said, advanced tools. Anyone unable to understand how they work should not be using them.
1 Like
They are exactly as limited as whatās requiring them, so thatās a moot point. Theyāre not inherently limited or unlimited.
Something like this could be added for private modules. LoadString can be used to execute code pulled from a web server.
Iām aware this has already been suggested, but nobody has pointed out that LoadString is just as unsafe as Private Modules. Feel free to remove this post, or ask me to remove it, if it should not have been posted.
7 Likes
The main issue with private modules is that they canāt be audited, which means thereās a fundamental security flaw that canāt be overcome. Loadstring doesnāt have that problem because Roblox has disallowed loading bytecode.
1 Like
I think there needs to be a setting that allows Close Sourced Modules to run in the game. That way people canāt just take our work.
2 Likes
If you read through all the replies above, it has been outlined how that is not a smart way to go about doing this, as there are majpr security flaws with modules. If you are selling work, it is better that you learn who you are selling to and make sure they are trustworthy. I as a scripter never give my stuff away until the user pays, but considering my status, I have a good track record and it is much easier for a user to file a scam report then me saying someone didnāt pay and screwed me over. Additionally, if you are selling something for a high price, the chance of the user sharing that is low, as it is a loss of money on their part. Roblox is trying to come up with solutions to this problem, but adding a tick box which a user can enable a closed source module without knowing what it does through social manipulation, is not a good choice.
I understand this change fully. So as long as you own a copy of an item, you can require it? Right? Thanks.
1 Like
Honestly Iām mixed feelings regarding this. I wasnāt aware it existed until the day this topic was posted and honestly I would have probably put out some closed source modules had I known before. Thatās not to say I disagree with the decision though.
Iām overly protective of my code and donāt like sharing it, which is often the reason I work on solo projects and donāt group up with people. I like making and sharing things, but I donāt like sharing my source. Itās the kind of reason I wouldnāt expect someone to pay me to complete a project unless it was a very simple project Iād have no sentimental attachment to the code for.
Expecting to work on a project without exposing your work is unrealistic, and not how the real world works. The unfortunate sentiment is if you, like me, donāt want your work exposed to anyone you donāt work on projects with other people involved.
I personally feel Roblox has given quite a generous time frame for warning they are removing requiring private modules. This should give people who are using them time to reassess their business models, or prepare to gracefully close down operations. I understand how that can be upsetting, but from a community standpoint itās the right decision for all the reasons Roblox and others have called out (running code without anyone being able to check what it is, not good).
Protecting the creative rights to code is difficult, and black-boxing the code certainly isnāt the way to do it. I look forward to future solutions that make sold code less accessible to being used without permission while still allowing transparency.
1 Like
The warnings are live. Join your game and open the Developer Console to see if you are using any third party closed source modules.
13 Likes
Still wishing there was a better alternative to thisā¦
1 Like
Just found a custom implementation of loadstring. Gonna be using this + my external server to recreate the functionality of private modules. Might post it in #learning-resources:tutorials(?)
Edit: Decided to upload it as a free model. Credits to the respective owners. (Found this in the Adonis source, btw)
Edit2: Waiting for a lead top contributor to move a post i made to #learning-resources:community-tutorials-resources
3 Likes
Though Iām not even sure if this is allowed anymore, Iād use regular loadstring to hide the server code and I wouldnāt hide the client code.
That way it still runs as fast but people canāt leak the exact same product.
By the time they figure out a solution for the server, I would have released a new update which most likely breaks their code.
2 Likes
The point of the custom implementation is that loadstrings donāt have to be enabled. All the user needs to do is enable HttpService and everything else is automated. Iām going to be using this + obfuscation and my VPS to recreate the functionality of private modules for my service.
2 Likes
Honestly at that point you may as well run a Lua VM on your server and just request the results. Itāll be faster than a custom loadstring implementation and if you spend some time making an API for instructions that are Roblox specific itāll probably work as well as can be expected, especially if http caching is used to keep requests to a minimum.
2 Likes