Removing Support for Third Party Closed Source Modules

That’s fair - no developer would be looking through a module every day to check for backdoors (unless they are paranoid - and in that case, just clone the module). But someone will probably check the module if it’s reasonably popular enough and see a backdoor in it, report it to the Roblox staff, and get the publisher the fair moderation they deserve.

I found a vulnerability to steal private modules 2 years ago (as I said in my earlier replies) - half of the modules I stole had a backdoor in them. I wouldn’t expect much to change in those 2 years, so yes.

3 Likes

And because half of those modules had backdoors, that means all the others must as well then, right? Let’s punish everyone else for their problems.

1 Like

Why that, when there are more options? Roblox could do something else other than “Welcome to life.”

1 Like

There’s a few threads in #platform-feedback somewhere with feature requests on how to rectify 99% of the issues listed in this thread. Would recommend checking them out.

Oh yes, I have seen the one posted by @Scriptos. Still, that doesn’t answer my question. Your solution is that private modules should be removed because “Welcome to life.” My question is, why do you think that is a valid reason?

1 Like

Was more a retort about the reality of life. Wasn’t intended to reflect anything really about this specific situation other than it’s what happens all the time in other situations in the ‘real world’.

800th post on this thread :cold_sweat::cold_sweat:

2 Likes

Anyone know why the flag hasn’t been flipped yet?

Statistically? Yes. Please consider that you are asking Roblox to sacrifice potentially millions of players so that a security flaw you happen to like doesn’t get patched. This is the equivalent to arguing that loadstring should be allowed to load bytecode. It’s unsafe and should never have been supported.

2 Likes

Loadstring is opt in. I would like private modules to be the same way.

1 Like

Bytecode is not opt in. It posed a security hole and was removed promptly once that was made evident. Similar to this situation, it was also useful to hide code. Yet it was removed. Because it wasn’t safe or secure.

1 Like

Oh, bytecode. I misread that. I’m familiar with bytecode, and I am glad it was removed. I don’t see why it really had a purpose, other than for exploiters to take advantage of. I don’t see this being compared to private modules, which can and do have genuine uses.

1 Like

Maybe we need to step back a bit and ask what the original intent of private modules was?

I doubt that any of the genuine uses today were on the minds of the engineers tasked with implementing them, otherwise none of this would be an ‘issue’.

It was a method for (relatively) closed source code and couldn’t easily be messed with. How is it different than this situation?

1 Like

I never saw Roblox show this off as a way to genuinely release closed source code. All I ever heard about bytecode was that it was responsible for many exploits. Roblox does go into detail about private modules.

1 Like

That’s because it was a byproduct of a normal function of the engine… (Third party) Private modules were also never intentionally added. They were simply a byproduct of Roblox adding third party modules. People using them like they did is the natural result of their existence, but they weren’t ever specifically planned out or designed to be entirely closed source, as you can see by the absolute lack of security.

3 Likes

There is no other platform that I am aware of that allows users to run code while making it categorically impossible to know what that code is (if there is, please point it out to me).
Private Modules have undeniably been the exploit vector of nearly every backdoor in free models; removing them is correct because private modules cause more harm than good.

2 Likes

Okay, so they were a byproduct. Which went on for a long time. And they are just now deciding to do something about it. :huh:. Many people use this. Some for bad, some for good. Terabyte for example. I am another example, though I don’t have a giant service such as Terabyte did. Just because some people put malicious things in their code, doesn’t mean Roblox should just remove them entirely, and ignore everyone else who used it legitimately. I don’t see why I should be punished for the actions of others. If they release a viable alternative to private modules, then that would be amazing.

2 Likes

You’re not being punished for the actions of others, but sometimes the actions of others on the internet mean that it is good and proper to remove a feature that was already deployed because it is being misused. A good example among the greater Internet community is HTTP Public Key Pinning (HPKP) per RFC 7469, which was then removed permanently from Chrome in Chrome 68 and in most browsers following. For more information see: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

1 Like

All I am asking for is a way to genuinely use closed source code. Whether it is sandboxing, or whatever Roblox can think up, I am all for it. I don’t want closed source to be removed. I will not be forced to open source my projects. I don’t want to resort to obfuscation, but if it comes to that then, guess I will!

1 Like

That’s how the real world works buddy. If something is broken, you generally fix it. In this case, the fix was removing it. Removing something that was never supposed to be there. It may have taken a while but they are finally getting around to it. It’s not their fault people decided to use it for what it was never intended for. Don’t get me wrong, I would love to see actual businesses providing services like the ones above, but we have to wait for Roblox to actually give us the functionality to do so.

2 Likes