Removing Support for Third Party Closed Source Modules


#817

Known models can often have their name copied in a malicious model with different scripts in it. Take the front page of the models page for example. A car would definitely have a script, possibly closed source, in order to function, although (with all due respect and no intentions of defaming) the car could, for all we care, have malicious code that lets exploiters in. Some of the top models could even purely have malicious code in them and have become popular through bots, but the developers would end up making an assumption that the code is somehow needed in the module.

Edit: Oops ended up seeing that I was replying to myself :sweat_smile:, the reply was intended for b_irdio


#818

Your friend would still end up asking you for the code for it, I don’t quite see how making private modules public would make a difference in your situation?

If anything, your friend could always distribute the closed module ID and the code that goes with it. Any good scripter could probably make an educated guess at how the module works and adapt to it (possibly even change stuff around if errors show up).


#819

The point is, I don’t want him getting to the code. Simple as that.


#820

If people want their code to be private, then so be it. Don’t interrogate them on their relationship with someone else.


#821

This just shows that it makes more sense to not have private modules. If your friend owns the group, they’re free to let you go. The ability to hold this over someone is terrible and you should have never done this in the first place.

I would never take code for a game of mine that can just be modified or taken away from me at any time, and your friend shouldn’t either. That’s dangerous.


#822

So far flag is still not flipped, so it’s speculated they’re having last second discussions on it.


#823

Although closed-source modules were important, it had to be done. There was no sandboxing at all, so there was no security at all. It was definitely a hard choice, but hopefully the right one.


#824

What’s that have to do with my post? I’m saying the post I responded to is using private modules in a very shady way. I don’t see how whether or not Roblox is having last minute discussions has anything to do with how correct their practice is. You have to explain your point better.


#825

If you’re so concerned with not being able to see the source code in private modules, it’s simple: don’t use them. Just because you’re concerned with your own games being affected by something that ROBLOX isn’t forcing upon you to insert in your game doesn’t mean others won’t benefit from it.

I also can say that many of the people who would get viruses from private modules are also people who simply would not even bother to check the source code of open modules; thus this change doesn’t solve the issues ROBLOX is trying to fix.

I understand why ROBLOX thinks this is a fix to their issues, but it hasn’t been well thought out as these changes won’t simply have people suddenly think to themselves “Oh! ROBLOX removed private modules! Hm! I must now check the source codes of open modules and ensure they are safe!” which I probably think ROBLOX hasn’t thought about.


#826

Doesn’t matter - that isn’t the point of this change. Forcing all require'd modules to be public allows me (and others) to reverse engineer malicious scripts easily without being forced to work around a black box enforced by Roblox itself. It also enforces accountability - an admin script (for example) cannot hide a secret backdoor without being easily noticed now.


#827

Once again, if you’re concerned with a specific admin script using a backdoor, don’t use it. It’s simple.


#828

This has nothing to do with “not using it” - I already don’t use any private modules for obvious reasons (still quite funny that Adonis, a public module since day 1, is better than any other admin script) - but as I said, it enforces accountability for script developers. If a script developer secretly updates their public module to include a backdoor, chances are someone will notice within a short time frame. On the other hand, a backdoor added to a private module will likely never be discovered unless someone finds another way of stealing their source code.

Simple rule: If X code runs in your game, it should be visible to you to analyze.


#829

I see what you mean, but I can’t imagine a developer frequently looking through the open-source module code to ensure no backdoors have been added which makes this update somewhat not logical in my opinion.

Since you said that, I assume you are concerned for others who rely on modules?


#830

That’s fair - no developer would be looking through a module every day to check for backdoors (unless they are paranoid - and in that case, just clone the module). But someone will probably check the module if it’s reasonably popular enough and see a backdoor in it, report it to the Roblox staff, and get the publisher the fair moderation they deserve.

I found a vulnerability to steal private modules 2 years ago (as I said in my earlier replies) - half of the modules I stole had a backdoor in them. I wouldn’t expect much to change in those 2 years, so yes.


#831

And because half of those modules had backdoors, that means all the others must as well then right? Let’s punish everyone else for their problems.


#832

This post was flagged by the community and is temporarily hidden.


#833

Why that, when there are more options? Roblox could do something else other than “Welcome to life.”


#834

There’s a few threads in #platform-feedback somewhere with feature requests on how to rectify 99% of the issues listed in this thread. Would recommend checking them out.


#835

Oh yes, I have seen the one posted by @Scriptos. Still, that doesn’t answer my question. Your solution is that private modules should be removed because “Welcome to life.” My question is, why do you think that is a valid reason?


#836

Was more a retort about the reality of life. Wasn’t intended to reflect anything really about this specific situation other than it’s what happens all the time in other situations in the ‘real world’.

800th post on this thread :cold_sweat::cold_sweat: