Removing Support for Third Party Closed Source Modules


#877

May this topic be closed now? Nothing is really being added aside from more & more opinions. (in my opinion)

This change is good for security reasons but also bad for users that utilize this as a means of distribution or security.

Personally I use this as an extra layer of security in my games while also protecting my source code, there’s a sense of pride for some like me who want to keep their code private without users copying and pasting snippets of it into their own games while taking all the credit.

As a compromise I would suggest making an option to allow private modules to be used in a user’s game like loadstrings, loadstrings warn the user about the ability for their game to be hacked before enabling it, while users can check this they’re accepting that their game may be given free access to multiple other people.


#878

I have been testing around and I found out that in personal games, closed source modules don’t work displaying “Unable to find module for asset id”, but in groups, closed source modules do work, but only display a warning (The warning that closed source modules are shutting down support in Feb 2nd).

I hope this isn’t a bug and I hope they are reconsidering.


#879

An official statement as to what exactly is going on right now that would be great. We’ve been in limbo for a week.


#880

There must be a reason for this limbo, because as I have seen ROBLOX staff usually never forget to update a promised update.

I hope it stops soon because when they are changing the settings I don’t want to make a project that in the end is not supported. Right now I am not touching any product modules :disappointed:


#881

I think you’re confused here. Closed source modules are still supported, regardless if it’s in a users place or a groups.


#882

Erm I meant closed source modules that are from a different owner. Apologies.


#883

This post was flagged by the community and is temporarily hidden.


#884

Honestly, I couldn’t agree more with your opinion. I had a good solution. It would be to basically keep private modules but you will have to accept an option to take free models at your own risk, and ROBLOX should update the TOS so that they are not held liable for anything that happens when you take someone’s free model. And if someone complains to ROBLOX that they got hacked from a backdoor, ROBLOX can simply say “Look at the TOS, its not our issue.” It’s just like what windows is doing like what @Semaphorism said and @Scriptos said. If you download something off the internet and get a virus, its your fault. However, windows wants to keep earning money so they are constantly improving windows defender. Like @Scriptos said, ROBLOX is not giving us the option to disable this “firewall”, and they are not giving us an option to still take Private Modules at our own risk. I really hope they add something so you can still take Private Modules. I hope ROBLOX gives us an option for once. As I ROBLOX player, I feel like we are loosing our voice more and more and ROBLOX is making tough decisions that we don’t want, we didn’t ask for, and we can’t change. This is a truly tough situation.


#885

They still work in other people’s places as well. Tested this on 3 alts.


#886

So we’ve finally circled around and are now arguing that it’s not Roblox’s job to protect people on their platform? How very non-elitist of you.

That viewpoint is insane. You can’t disable the security for anything else on Roblox beyond loadstring (which is a separate case, and I wish people would quit bringing it up). Why would they allow you to do so for this?


#887

I find it weird that ROBLOX has yet to implement this change, seeing as it’s 8 days into February and nothing. They’ve either not cared enough, changed their mind, or trying to get some kind of replacement before going through with it.
On the thread, it specifically states “On February 1st”, but it’s the 8th and nothing. No news or anything.
EDIT: Realized people already brought this up, keeping this here anyway.

The change is worthless, some people will check the source code, but as many have brought up, the people who insert these malicious models generally won’t check the source anyway, it just means that people who care enough will check the source, and report the module, but what if it’s obfuscated, and they can’t prove that it’s malicious? Then what will they do?

I feel like we need something like HTTP enabled in Game Settings, or LoadstringEnabled in ServerScriptService. Maybe a new option in Game Settings, “Private Modules”. When you press Yes, it opens a message box and you need to wait 3 seconds before saying you understand the risks, with the risk in bold text and easy to understand, simple words. Something like “Stop! If you activate this, people can destroy your game! Are you sure that you want this on?” with some image to the side to catch their eye. A stop sign or something.
Some stuff like that. People who press Yes are then liable for any malicious code that may be inserted into their game.


#888

Same here, I was going to work on an alternative for private modules for my product but its almost been a week without them saying anything and I’m seriously wondering if they are reconsidering. Worried it’ll be a waste of time making anything at the moment.


#889

We are still planning to disable this functionality. There have been unexpected delays in the implementation but the change will likely occur mid next week.

I have been following this thread closely and I see a few main topics popping up. I would like to address them in a Q&A form.

Q: Why is Roblox removing this feature without providing a replacement?
A: Ideally we would like to provide replacements for features before removing them. However, we have to consider the time and cost of creating a replacement first. In this case, building a robust sandboxing system will likely take on the order of 6-12+ months minimum due to the amount of complexity and the number of cases we will have to handle. We considered the risk of waiting this long too high.

I would also like to add that this feature was originally not intentional – it was a bug with the original implementation. We would never expose dangerous functionality like this intentionally.

Q: Why not give developers an opt in option to use third party closed source modules? It’s my game so I should be allowed to take the risk.
A: We understand that some developers are willing to take the risk of running untrusted third party code in their game. We however as a platform are not willing to take this risk. Imagine a scenario where a game uses a closed source module and the module creator abuses that module to do something malicious. The developer could accurately claim that he had no way of knowing what the module is doing and is not liable. By ensuring that developers can audit all code in their game, we are giving them power to examine and uncover malicious activity in their dependencies. They are not reliant on Roblox to check what modules in their game are doing.

Q: How will this stop malicious code?
A: It will not. This update was never about preventing malicious code. This update is about ensuring that developers have visibility into what code in their game is doing, whether malicious or not malicious.


Determine when model gets deleted that has script in it
#890

It sounds like this is confirming that there will be no private source option in packages. Is that correct?


#891

There are no plans to support closed source third party code in packages.


#892

Ideally, as a platform, ROBLOX encourages its’ users to create and innovate their imagination. Without having a wall of protection for our IP when this change is enacted, the wanting to create will decrease from this as a user’s creation will be free to be copied, re-purposed, and re-sold without the original creator knowing at all. Is there any plan to a possible licensing system or a way for a user to protect their IP without the chance of it being taken and re-sold?


#893

So Roblox is looking into providing a replacement eventually then? It sounds like you’re saying that but I thought I would ask to make sure there’s no confusion.


#894

@Seranok stated earlier in this thread that this was the case. The reason there is so much outrage is because he said it will take up to a year (if not more), but by then all of the groups and services that rely on this functionality will have died.


#895

There isn’t a replacement coming. Sandboxing is what would take time, however…

Since the modules will only be open source, the addition of sandboxing won’t be relevant to the companies groups and services affected today.


#896

I was just referring to what was stated earlier on in the post, but thank you for clarifying.