Removing Support for Third Party Closed Source Modules


Anyone know why the flag hasn’t been flipped yet?


Statistically? Yes. Please consider that you are asking Roblox to sacrifice potentially millions of players so that a security flaw you happen to like doesn’t patched. This is the equivalent to arguing that loadstring should be allowed to load bytecode. It’s unsafe and should never have been supported.


Loadstring is opt in. I would like private modules to be the same way.


Bytecode is not opt in. It posed a security hole and was removed promptly once that was made evident. Similiar to this situation, it was also useful to hide code. Yet it was removed. Because it wasn’t safe or secure.


Oh, bytecode. I misread that. I’m familiar with bytecode, and I am glad it was removed. I don’t see why it really had a purpose, other than for exploiters to take advantage of. I don’t see this being compared to private modules, which can and do have genuine uses.


Maybe we need to step back a bit and ask what the original intent of private modules was?

I doubt that any of the genuine uses today were on the minds of the engineers tasked with implementing them, otherwise none of this would be an ‘issue’.


It was a method for (relatively) closed source code and couldn’t be easily be messed with. How is it different than this situation?


I never saw Roblox show this off as a way to genuinely release closed source code. All I ever heard about bytecode was that it was responsible for many exploits. Roblox does go into detail about private modules.


That’s because it was a byproduct of a normal function of the engine… (Third party) Private modules were also never intentionally added. They were simply a byproduct of Roblox adding third party modules. People using them like they did is the natural result of their existence, but they weren’t ever specifically planned out or designed to be entirely closed source, as you can see by the absolute lack of security.


There is no other platform that I am aware of that allows users to run code while making it categorically impossible to know what that code is (if there is, please point it out to me).
Private Modules have undeniably been the exploit vector of nearly every backdoor in free models, removing them is correct because private modules cause more harm than good.


Okay, so they were a byproduct. Which went on for a long time. And they are just now deciding to do something about it. :huh:. Many people use this. Some for bad, some for good. Terabyte for example. I am another example, though I don’t have a giant service such as Terabyte did. Just because some people put malicious things in their code, doesn’t mean Roblox should just remove them entirely, and ignore everyone else who used it legitimately. I don’t see why I should be punished for the actions of others. If they release a viable alternative to private modules, then that would be amazing.


Your not being punished for the actions of others, but sometimes the actions of others on the internet mean that is is good and proper to remove a feature that was already deployed because it is being misused, a good example among the greater Internet community is HTTP Public Key Pinning (HPKP) per RFC 7469, which was then removed permanently from chrome in Chrome 68 and in most browsers following. For more information see:!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ


All I am asking for is a way to genuinely use closed source code. Whether it is sandboxing, or whatever Roblox can think up, I am all for it. I don’t want closed source to be removed. I will not be forced to open source my projects. I don’t want to resort to obfuscation, but if it comes to that then, guess I will!


That’s how the real world works buddy. If something is broken, you generally fix it. In this case, the fix was removing it. Removing something that was never supposed to be there. It may have taken a while but they are finally getting around to it. It’s not their fault people decided to use it for what it was never intended for. Don’t get me wrong, I would love to see actual businesses providing services like the ones above, but we have to wait for Roblox to actually give us the functionality to do so.


While I appreciate that you may not want your code to be revealed to the wider public, as I stated previously unfortunately closed source code on Roblox is doing more harm than good, so while this will cause harm by removing it, it’s counteracting massive harm being done through misuse of closed source code for malicious purposes which is going on at the moment.


I asked for a way to opt in previously. I’m not saying private modules should be left as they currently are.


I feel as if you two believe I want private modules to stay exactly as they are.

No, I do not. I do feel like something should be done to prevent all the problems they are causing.

Do I believe straight up removing the feature without another way to release closed source code is a problem? Yes.


Unfortunately it will take time for a solution to be made, and we’re at the point where nearly every top free model is actually a malicious backdoor using a private module as its attack vector. So for now, it makes sense for Roblox to drop closed source code entirely. Sometimes released systems have problems that nobody foresees and so it is proper to go back and look again at whether this system should exist in the first place, in fact, its better to remove private modules earlier, rather than later when more and more people depend on them for their workflows.


As long as they provide some type of replacement, whether it is sandboxing, or restricting what they can access, I am happy. As a genuine user, I would not be affected, because I have no need to write malicious code that would be sandboxed and removed.


That’s going to take time, I expect Roblox will look again at whether closed source / protected code is healthy for the platform, and then decide where to go from there.