It’s unfortunate that this change will go through as the community who legitimately used this feature will now have to rely on potentially hacky and possibly unreliable methods to achieve what we already had or could have raised awareness in attempting to fix now rather than say later. I am truly disappointed in the direction ROBLOX has lead us here and those who refuse to understand why we need such protection. Yes, we can have a legally binding contract, but how do you take legal action on an underage kid? Again, it’s not the top developers who know what they’re doing I’m worried about, it’s the inexperienced and underage who don’t understand.
I have an alternative I’m currently designing and testing that won’t require obfuscation and can keep code private. It’ll require HttpService to be enabled, function just like closed source modules using require, but no loadstring nor loadstring VMs will be used. I am not sure on how reliable it’ll be yet unfortunately, more details soon.
I apologize if anything I say here is a complete duplicate of previous arguments. There are a lot of posts on this thread. I’ve read a good number of them, but there’s just too many.
I’m a bit late in joining this conversation since I wasn’t really on much in December and early January, but I really don’t believe that removing features in order to prevent users from being exposed to malicious code is a great idea.
It’s understandable that you want to prevent users from getting frustrated at the fact that they’ve at some point inserted an untrustworthy model. I get that. The thing is, it is entirely their fault. The rest of us should not be punished for their mistakes. It’s a learning experience, and it prepares them for the real world. After inserting untrustworthy assets and having their game infected with malicious code, the person would (hopefully) know better and never do it again. They’ve become a better developer through the experience.
If I disable my anti-virus software and visit untrustworthy and very obviously malicious websites, then it is completely my fault that my computer gets infected, because I stupidly decided to disable my anti-virus. Nobody else should be punished for my mistakes.
I really don’t understand the need to “investigate” this or to try and find “certain safeguards.” I know from experience that Roblox safeguards can be either extremely limiting or just very annoying.
Really though, if I insert a free model or use a plugin from an untrusted source, then it is entirely my fault that my game has been exposed to malicious code. If I were to figure out where that malicious code came from, THEN the originator should be punished after I report their asset as malicious. Then you can simply take the asset down and the module can no longer be required.
Even in a situation like this, why exactly would it be okay to disable a feature that certain developers rely on just because some kids are gullible enough to fall for this? I’m just not okay with the reasoning behind all of this. Removing features purely based on gullibility doesn’t seem right.
The ever-growing limitations of this platform are frustrating.
It’s sad to see that private modules are being removed as this was a vital piece for a feature in my game. Said feature providing people the ability to import their own arena into my game to use the wrestling system I’d created.
I can continue to provide this, but people who utilize this feature in my game now will be hesitant to do so, as they’ll have to make their module public and could lead to someone taking their arena (and anything else they import) without their explicit consent.
I think that let developers view the source code inside the game using the Development Console will be better. They can still view the code (inside the game) but they cannot copy them directly.
For example: printAllModuleScript() > Give a ID and corresponding name for that module printModuleScriptSourceCode("A") > print out the source code of the private module with given ID
Personally agree with lots that has been said here. I think what happened when they decided this is they didn’t consider IP concerns properly, but they do really care for people’s security. The fact they’re not even going to release any options in the meantime is not great for people who rely on it. (I did at one point but not at the moment!)
Here’s what I think should happen;
Release a feature such as AllowThirdPartyModules as a temporary solution
Disable by default
Work on trust system, having bought a bit more time by alleviating most criticism
Release trust system and auto configure based on AllowThirdPartyModules setting
I’d like to add on; this isn’t just affecting people selling. It is effecting the thousands of users that rely on the functionality for their game and/or group. This update will do more bad than good because all that’ll end up happening is exploiters (or people who make these backdoors) finding an alternative, and while they have found an alternative, hundreds of thousands of groups and game will be killed, all because Roblox took the easy choice of removing this feature in it’s entirety.
I will like to repeat a point I made before. There used to be (not sure if it still exists) a bug with audio that allowed you to upload any audio you wanted without it being moderated. This resulted in exploiters uploading racist or highly inappropriate audio, which gave Roblox a really bad look to parents, but that doesn’t mean they remove the feature, no, instead they fixed the issues, and that is what they should do with private modules.
If you had actually read @SquirrelByte’s points before, you would realise that it isn’t just about whitelisting. This update opens up a massive vulnerability with his ad service.
I honestly think this update is pretty “broken” …
This does not stop backdoors modules from being obfuscated lol.
Many people would try to get around it and run a private module somehow or hide the code …
That doesn’t mean they have to cut all their services? I have used several terabyte application centers and never did I consider ads or even really look at them. I feel like they could have come to some resolution. Ofuscated the code heavily even. That’s just my two cents.
That’s why I suggested api keys for their service considering they already have a domain. Even with that in mind, there are people that have obfuscated stuff to the extent that it would take incredibly long amounts of time to deobfuscate it. I don’t rally for that, I’m just saying it’s an option. API keys would be the better solution for the application center part.
I absolutely understand the reason for this update but this isn’t going to stop backdoors at all.
Most models with backdoors are not even what they say they are or are stolen.
This person does not care if he makes it open sourced or not because they most likely didn’t put any effort into it anyway.
Their only goal is to scam or annoy as many players as possible.
Besides that, a lot of groups and games will be destroyed because their application system or their guns use closed source modules.
I understand people can script their own application and gun system but the majority of the people that used these closed source modules do not know how to make those systems.
It most definitely is going to stop backdoors. Models will be forced to become open source, or go out of commission. Models can be easily looked through and any popular ones which would affect more games most certainly will be looked through, because more developers will decide to have a look at what it does and so more will find any backdoors in the script. Then, ROBLOX will be able to filter out which models are likely to be backdoors based on the quantity of reports, and moderation will have a lot less work to do - it is far easier to look through only models which have been reported much by the public, than to look through every model that is ever uploaded. Realistically, only models which are probably backdoors, and also popular should need to be looked into. Moderation might not even need to get involved, it could simply be a matter of enough reputable devs saying not to use a particular model will be enough to minimize the chances of that backdoor being put into games.
If you don’t want people reading your code, don’t release it.
If your “service” has to piggyback on other services, and does nothing more than act as a middleman, then you aren’t really providing a service. Actual services can provide api keys and the rest can become obsolete.
No this will definitely stop a lot of backdoors. Mass moderation isn’t entirely needed, like I said people will listen to reputable devs. It won’t be long until there is a thread or compilation of popular models which are deemed as unsafe, or a backdoor by the community. Filtering based on quantity of reports will work, because you don’t need to check anything which isn’t reported a lot. You only need to check models with many reports, and that greatly reduces the amount of work a moderation team might need to do. Models are uploaded constantly, every second and that can’t be kept up with. Bots can’t mass report every model - ROBLOX would be able to automatically moderate accounts used for mass reporting many models. Also with the new captcha updates, using bots is an unfeasible way to mass report a model on the kind of scale you would need to garner moderators attention. Open source does mean it will be possible to steal models, but it will also be much easier to find out and prove that a model did in fact steal your code. You are no longer fighting your enemy blind. You can look at examples of this in the real world - freeware is much less likely to be a conduit for malware than other software.
The pros just massively outweigh the cons on this one. There is almost no reason to keep private modules, versus a plethora of reasons to get rid of them, backdoors only being one of these, which for some reason people seem to keep focusing on. I’m glad you aren’t going to respond anymore because it’s late and I’m going to bed.
I very much disagree with this. As Roblox currently stands, yes, I completely get what you’re saying. Free models, as they’re currently named, should be free and open sourced. If someone uses a free model, then they should be able to view and edit all of the code provided. It’s just in the name.
However, people are trying to take the free model concept to a different level and provide their own services, and the only channel that they currently have for doing that is through free models. Therefore, until there is an alternative, private modules should be allowed. Give people an alternative that still allows them to sell services before breaking their code.
If players are only given one location on site to upload their services to, they’re going to use that location, even if it is deemed “free.” It’s their only choice.
Forcing players to use external websites in order to manage their services properly is not a great alternative. It’s frustrating because this should be a service provided by Roblox itself, and they’re just making things difficult.
I’m not exactly arguing that closed source modules are fantastic. I’m just arguing against the reasoning they have behind removing it, and the fact that they didn’t provide an easy-to-access alternative on this very platform.