They’re working on a separate Roblox clone which is what the poster was responding to.
I think it should be said: those of us who are in favor of this change don’t think all code should be open source or free to use. We just believe that the inherent risks of third party private modules, because they are unauditable, are too great to justify having on the platform.
I urge Roblox to make a replacement for selling services more of a priority because this thread has made it abundantly clear that we need something like that sooner rather than later. Whether this change is good or not is moot because we do not currently have an alternative that doesn’t involve third party resources, which severely limits our options as developers. There is more to Roblox Development than making games, and the sooner Roblox begins actively supporting and encouraging those other facets, the better.
I second this, as I wouldn’t be so against the changes if they would either have an immediate replacement, provided temporary tools to show us what private modules are doing in-game while working on something more permanent, or at least showed they were serious about making an alternative asap. I am completely for a revised system as there are most certainly issues with Private Modules. I am very against losing our only method of true IP protection without going through some serious hassle and no known first party alternative in sight.
My few cents on the Private Module problem:
If you are using private modules to hide your source code, you are doing it wrong. There have been various exploits to steal private modules. A proposed solution to this problem: there are various obfuscators/minifiers, such as LuaMinify, LuaSrcDiet, and uyjulianRBXPersonalScript that will remove comments, local variable names, and whitespace, so more advanced tools are needed to determine the code flow of your obfuscated code.
If you are using private modules to prevent copying, you are also doing it wrong. There have been various exploits to steal private modules. A proposed solution to this problem: use a remote webserver that will generate code to be sent to loadstring for a specific game instance using job ID, place ID, the time, and other variables specific to that game instance, so that the script will run only on that game instance.
If you are using private modules to hide API keys, you are also doing it wrong. There have been various exploits to steal private modules. A proposed solution to this problem: interface with a web service storing the API keys. If you can make money off of your private module-based solution, you can afford a USD5/month tier from a cloud service provider.
If you are using private modules to hide URLs and prevent DDoS, you are also doing it wrong. It is possible to see outgoing requests by hooking HttpService. A proposed solution to this problem: a static script would validate the user agent, and send data to a server using additional arguments (POST data, headers) containing game instance-specific data (job ID, place ID, the time, presence/number of objects in the DataModel). The server would return an (obfuscated) script to be sent to loadstring, and the script will return an API that will only work properly with the correct game instance-specific data. If the specifications are wrong, the connection can be ignored (do not acknowledge; let it timeout) and the IP added to a blacklist.
A few of those things, I’ve mentioned already, stating that Roblox should provide us with ways to do such things rather than using a remote webserver, etc. They seem to want to make it difficult, which is baffling considering that, as @Dekkonot said…
You’d think they’d want to support the variety as much as they can.
Sure, private modules aren’t perfect, for multiple reasons that you stated. I don’t even use private modules, but I’m arguing against their removal due to the fact that we aren’t being supplied with an easy on-site alternative before they’ve been removed. People don’t want to have to jump through hoops in order to develop.
Unless Roblox releases a list of all their server IPs (which there are a lot, I’ve logged tons of them and normally find a new one (or several) every day), you can’t just ignore non-Roblox servers.
You can always do what websites like Discord do, where they filter by user agent and block specific IPs that abuse the rates.
You can block IPs, but the first request they make, they already have access to whatever you were protecting/hiding, and you can’t tell if it’s not a real Roblox server.
If you’re giving people access to sensitive web services without any form of authentication, it will be a very important lesson.
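The server-side checks proposed earlier in the thread (user agent, job ID, place ID, time, blocklist), together with the authentication the reply above asks for, as an added example that is not code from any poster. The `Roblox/` user-agent prefix, the UUID-shaped job ID, the field names and the per-customer key table are assumptions made for this sketch.

```python
import hashlib
import hmac
import re

# Constructed values for this sketch; none come from the thread.
LICENSED_PLACES = {1234567: b"per-customer-key-placeholder"}  # place ID -> shared key
MAX_SKEW_SECONDS = 30
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def sign(key, job_id, place_id, timestamp):
    """MAC the game server sends alongside its instance fields."""
    msg = f"{job_id}|{place_id}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_request(ip, headers, fields, now, blocklist, seen):
    """Return 'serve' or 'drop'; 'drop' means send nothing and let the caller time out."""
    if ip in blocklist:
        return "drop"
    try:
        place_id = int(fields["place_id"])
        timestamp = int(fields["timestamp"])
        job_id = str(fields["job_id"])
        mac = str(fields["mac"])
    except (KeyError, TypeError, ValueError):
        blocklist.add(ip)
        return "drop"
    key = LICENSED_PLACES.get(place_id)
    # Filters: the caller chooses every one of these values, so they only screen
    # out careless requests. They do not prove the caller is a game server.
    filters_ok = (
        headers.get("User-Agent", "").startswith("Roblox/")
        and UUID_RE.fullmatch(job_id) is not None
        and key is not None
        and abs(now - timestamp) <= MAX_SKEW_SECONDS
    )
    # Authentication: a MAC under the per-customer key, compared in constant time.
    if not filters_ok or not hmac.compare_digest(
        mac.encode(), sign(key, job_id, place_id, timestamp).encode()
    ):
        blocklist.add(ip)
        return "drop"
    # Replay: answer each (job ID, timestamp) pair once; a retry is not blocklisted.
    if (job_id, timestamp) in seen:
        return "drop"
    seen.add((job_id, timestamp))
    return "serve"
```
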
This was the right thing to do. I know that this has ups and downs, but the amount of back-doors and viruses was just getting out of control.
What I’m about to state has almost certainly been stated before, but I feel it needs a rehash in response to your post.
The people who are most likely to fall for back doors are also the same people who will be unable to differentiate back doors from honest code in free models - or worse, they just won’t check at all.
This update does solve the problem for experienced programmers, but it also removes a key feature for game development that many people rely on. The foremost example I can think of is Clans & Guilds; almost all forts are dependent on some form of admin commands, and all Kohl’s Infinite users will be affected by this update. I will concede, however, that Kohl could just open-source his admin, but there may also be several drawbacks of which we do not know (as we don’t have access to the module itself, we can’t diagnose). Developers can now no longer make a good product without open-sourcing the whole thing and running the risk of having their hard work stolen.
The removal of this feature may not necessarily be for the best as I’m sure those who use back doors to have their way will continue to do so under the radar, while those of us who don’t most certainly will be hindered.
That wasn’t the point, but yeah.
without open-sourcing the whole thing
Obfuscators/minifiers can be used to remove the source code.
Your code wasn’t secure anyway, because there have been module stealing exploits in the past. However, with obfuscators/minifiers, your original source code can still be secure while allowing code to be run on the game server. Roblox keeps the source code of their client private, but the compiled client can still run on your computer or phone. That is essentially what obfuscators/minifiers do for Lua code.
running the risk of having their hard work stolen
The usage of a remote webserver that will generate code to be sent to loadstring for a specific game instance using job ID, place ID, the time, and other variables specific to that game instance can be initiated, so that the script will run only on that game instance.
The Roblox client can be copy and pasted to other computers or phones, but it still relies on Roblox servers to operate correctly. Using remote webservers to generate a script made to work only with a specific job ID and other variables accomplishes the same thing.
No. Obfuscators do NOT remove the source code. Obfuscators in most cases barely help. I’m not against obfuscation, because it is better than nothing (even if ineffective), however it is not a replacement. Your source code is still there, and extremely easy to dissect/read.
No, you can spoof that extremely easily. This again isn’t a replacement.
People aren’t saying modules are 100% secure, they’re saying they’re more secure than the current alternatives.
I’ve said this before and I will say it again. If they were able to make good modules they can almost definitely make good games. Or maybe even commission their work, maybe move to clothing design???
Now, if unauthorised distribution/modification of your work is going to be an issue for you, license your work. If you are the original creator of the module this gives you the right to determine whether and in what conditions it can be used by others. You could take someone to court who doesn’t follow your license and even win unless they can prove it was fair use.
There are many available, have a look: https://choosealicense.com/
You think developers within Roblox should go through the trouble of enforcing a license? I mean, If I added a license to my module, I certainly don’t have the time to track over 60,000 licenses.
The whole “license your work” idea is just irrelevant. I’m not going to be taking 12 year olds who steal my module to court.
Almost everything about this post is wrong. I’m not going to be taking a bunch of minors to court for stealing my module.
Sure, if you can make a good module, you can make a good game. But what if you don’t want to make a game? Making games is not the only legitimate way of making money. It is like saying someone who makes clothing should suddenly move to game GFX overnight. People may not want to and may not know how to use the tools required to make game GFX.
Mm. I understand why this has to be done, but it’s pretty obvious most people are against this since they want their source code hidden.
One question, forgive me for my ignorance, but what does “sandboxing for scripts” mean as it says that it will allow developers to “have full control over what code they import can do in their game”. I know what the purpose of it is, but what actually is it?
Thanks,
P.S. Sorry for the bad phrasing.
Your source code is still there, and extremely easy to dissect/read.
Google keeps the source code of their websites private by using minifiers. If one of the big companies uses minifiers, why can’t you?
No, you can spoof that extremely easily. This again isn’t a replacement.
How easily can you spoof that? Would you take the effort to spoof that? If the generated code takes 1 hour to spoof, the code would be useless by then because the obfuscated API would have been changed by then. If you tried to use the outdated API for retrieving code, you would be instantly blocked.
This is more secure than private modules because even if Roblox has an exploit to steal modules, you only get part of the (not really source) code that may or may not even work properly.
Minifiers can easily be turned into readable code. I think you are getting minifiers mixed up with Google’s (probably) highly advanced and secure obscuration.
It may take an hour or so to work out how to spoof it, but once you work it out you can spoof the requests in a matter of seconds to get the source.