Removing Support for Third Party Closed Source Modules


#924

This security flaw impacts not just the inexperienced developers though.

If serious developers are relying on closed source services they are just as susceptible despite their skill level. Again there are many ways to mask behavior from tracking and one of the most simple and extremely effective is sporadic behavior.

Imagine this: I don’t like a developer of a game because they said no to adding something I wanted them to add. Rather than do something obvious like give myself content in their game I decide to mess with their game by updating my private module to kick users randomly.

To the developer, this is just a spike in users saying they have disconnect issues. In reality it’s a bad private module they will have zero ability to identify even if they are highly skilled themselves.

Again the greater risk runs to Roblox though.


#925

People have brought up the idea of opting in, and acknowledging that you are using private modules, and what they can do. If you use a private module from someone and they do something malicious, it’s your fault.

Then again, I don’t know why I am even replying anymore. Roblox is going to make a replacement, so I’m happy. I just wish we had something to use until then.


#926

That would be terrible. Unfortunately I see a lot of that happening. I am just glad many people may still be able to distinguish the original version of what was made and who the original developer was.


#927

There is not going to be a replacement.


#928

That was specifically replying to packages. He’s said before that long-term they would like to introduce sandboxing so that closed source code may be revisited.


#929

It would be strongly inconsistent with the first quote I linked for them to bring back closed source after making a change that is specifically to remove closed source. However, if you have a quote that contradicts that, please include it. I’m not assuming that I’ve retained everything, but the two quotes I listed seem pretty specific to me.

It is my understanding that packages were the successor to the current remote module system since the functionality performed by remote modules is a subset of what would be provided by packages. I don’t have a quote for that at the moment.


#930

These both make it seem as though sandboxing will be followed by some sort of closed source system. I did ask for clarification above, but I was not given a reply, so this comes with a solid “probably” as I’m obviously not someone who knows the inner machinations of Roblox.


#931

If we had no further data than your quotes I would say about 50% chance at some distant point in the future, but the newer quote tells another story. The change is precisely to take away closed source, it’s possible but highly unlikely that 6 to 12 months from now they will make a change to precisely put closed source back into a product that they are pretty much done with.

In 6 to 12 months we’ll probably be using packages. If you look at what is planned for packages, it’s a lot of the changes that private modules needed if they were to have a future. I mean look at this stuff.

If closed source isn’t going to happen in packages, where most of the security issues are already going to be resolved, then it’s not going to happen.

I will grant about a 5% chance that when this change goes live, the negative impact on communities is so large that the monthly active players drop instead of growing. A couple months of that and maybe, just maybe the change would be reconsidered.


#932

Here’s my prognosis: Developers that want to provide services and not work on games on the platform will start doing more contract-based work for larger communities, or providing services that are actual services (rather than just a closed-source storefront on something that can run in-place and doesn’t require a tertiary presence).

Several open-source versions or variants of popular closed-source tools that are out there will appear, and people will start contributing to these tools. Eventually, the demand for closed-source alternatives will drop due to an increase in open-source efforts because it is easier to maintain and distribute compared to the closed-source variants that rely on heavy trust on collaborators not to leak components + require obfuscation to publish.

This is a much healthier ecosystem for service developers, because they will be encouraged to work on code that is actually serviceable without needing to rely so much on trust and obfuscation.

This change will probably have a negligible / highly temporary effect on player activity because players/developers will do what they have to do to keep their communities running no matter what requirements there are – this has always been the case on Roblox. Players will play the games of communities that make the best use of whatever services are out there.


#933

RIP my project with private modules secure check…

I was working on a place where you enter the private module id and click a button, then it would tell you if its a possible backdoor.

How it works: I can get a private module’s descendants.
I can see if it uses the loadstring module (the one backdoors use to execute scripts from server).

Backdoor modules arent protected so this could work and it can be done in like 30 minutes or more if you want nice GUI lol, sadly Roblox removed private modules …

Oh and, I know roblox didnt want private modules to be removed because backdoors, seranok said it, but I still think with or without them, its the same thing.
People who dont know what they are doing and cant read the code will anyways be backdoored, with open source module.

I know I miss alot of ’ but I am too lazy to add them from phone.
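
The check described in the post above, sketched as an added example (not the poster's code and not a Roblox tool): walk a module's descendants and flag the loadstring indicators the post mentions, plus `require` by numeric asset ID. It assumes `root` is an Instance you already hold; the function name, pattern list and finding format are illustrative.

```lua
-- Added example: static triage of a module tree for loadstring-style loaders.
-- ASSUMPTION: `root` is an Instance already available to the caller.

-- Lua patterns matched against lowercased script source.
local SOURCE_PATTERNS = {
	{ reason = "calls loadstring", pattern = "loadstring%s*%(" },
	{ reason = "requires a module by numeric asset id", pattern = "require%s*%(%s*%d+%s*%)" },
	{ reason = "touches the function environment", pattern = "[gs]etfenv%s*%(" },
}

local function readSource(container)
	-- Source is only readable from plugin / command-bar context;
	-- elsewhere the read errors, so it is wrapped in pcall.
	local ok, source = pcall(function()
		return container.Source
	end)
	return ok and source or nil
end

local function scanModuleTree(root)
	local findings = {}
	local candidates = root:GetDescendants()
	table.insert(candidates, 1, root) -- include the root itself

	for _, inst in ipairs(candidates) do
		if inst:IsA("LuaSourceContainer") then
			local path = inst:GetFullName()
			-- The name check still works when Source cannot be read.
			if string.find(string.lower(inst.Name), "loadstring", 1, true) then
				table.insert(findings, { path = path, reason = "script named like a loadstring module" })
			end
			local source = readSource(inst)
			if source then
				local lowered = string.lower(source)
				for _, rule in ipairs(SOURCE_PATTERNS) do
					if string.find(lowered, rule.pattern) then
						table.insert(findings, { path = path, reason = rule.reason })
					end
				end
			else
				table.insert(findings, { path = path, reason = "source unreadable; review manually" })
			end
		end
	end
	return findings
end

return scanModuleTree
```

A clean result only means none of these patterns matched; obfuscated or renamed loaders need manual review.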


#934

As a developer directly affected by this, I can tell you 100% this change has not encouraged me to work on any open source Roblox projects.


#935

If you are trying to say that I am suggesting that, I am not – I mentioned there is a way to make viable third party services that are closed source, just make sure the tertiary presence is warranted. (Don’t do some trivial work on an external service that can run locally just for the sake of closed source – not worth the effort and not inspiring to work on.)

These services are better for your users because they have clearly defined inputs and outputs (i.e. REST interfaces) and typically do not allow arbitrary code execution. You’d make the interface open-source so that customers can inspect that this is not the case.

You could still publish your locally-running closed-source module in obfuscated form or however else you want to obscure the actual source (assuming there is a good enough obfuscator that cannot reconstruct easily-maintainable source compared to your original source, so you can push updates the fastest yourself), but then take note that this will make debugging harder on your part and it’s an extra step in the release/trust procedure that open-source variants do not have to worry about and customers are not as likely to accept your code over the non-obscured variant. The movement will be towards proper services, sharing progress and showing code (of at least interfaces) rather than obscuring it overall; whether that be by existing developers in this closed-source community or new ones that will take the place of the people that are discouraged to continue making the services.


#936

No, the demand for closed-source alternatives will drop due to the problem being pushed to 6-12+ months into the future, to a point where proponents of disabling third party closed source modules are hoping that we’ll just forget about it. It’s just being pushed to the side. Who’s going to be arguing about this in a year from now?

This isn’t a great argument for this change. Players will make the best use out of whatever services and features we currently have available, yes, because we HAVE to. Given no other alternative, people will make do with what they have, yes, this is true only out of necessity. If modules were removed entirely, people would eventually be forced to adjust and revert back to how we coded before modules were introduced. That’s just how things function. It doesn’t make this change any more agreeable, though.

This is very limiting, and I think that we’re all having a bit of confusion with the way we’re throwing around the word “service” here. People are talking about creating sellable products. Take my Adobe Photoshop example. Players want to mimic companies such as Adobe and sell products such as Photoshop to people on this platform, but to be used in their games. You can not view the source code of Photoshop - it is obscured. And Photoshop is a very successful program, despite not being open sourced.

Online product based businesses thrive on code obscurity, and that is what the closed source community is attempting to replicate.


#937

It wasn’t an argument, it was a prospect. Detail is important in that case. I’m also not arguing for or against the update in the past two posts, just explaining what I think the consequences will be.

So am I – I recommend doing a double-take on my post. The sellable part would be the access to the tertiary service that is running elsewhere and can still be closed-source that is providing a meaningful service that can’t just run in-place (i.e. not just selling access to something like admin commands that don’t even need to interact with the outside world, that is a joke).

In an effort not to contribute to the tireless circular repetition that is this thread, I recommend to refer to previous discussion on all other points you bring up once again. I don’t feel like I can meaningfully add anything else here, everything has pretty much been said.


#938

This is called nitpicking. Your very last statement in the quote that I was referring to sounds like an argumentative prospect. “Players will play the games of communities that make the best use of whatever services are out there.” While it is an observation, it’s phrased in such a way to make this change seem somewhat okay, since people will make the best use out of whatever is available. Prospects can be argumentative, as well.

I would also recommend doing a double-take on my own post. I said that your alternative is very limiting in comparison to what we currently have available. It has been explained many times on this thread.

But yes, I agree that there is a lot of circular repetition going on that I myself am growing tired of.


#939

Last follow-up on this since you are absolutely right that nitpicking isn’t a great way to spend one’s time: That sentence is a response to the poster mentioning they think the update would eventually be turned back because of drops in player activity; all I’m saying here is that I don’t think player activity is a good pro/con for arguing about this update.


#940

I just want to be clear real quick that I completely understand why people such as yourself are arguing FOR this change. I would certainly feel extremely uneasy about having third party code in my game that I can’t view. I would rather just make my own version of their product. I would not want to risk someone doing something malicious to my game.

However, I absolutely love the idea of people being able to create products on Roblox with code and sell them to people. It opens up so many opportunities. Sure, people can use some external service to create closed source third party services, but it feels very restricting. It would be much better for Roblox to provide us with these tools built into the platform, not only for convenience’s sake (though it would be a lot more convenient), but I think I’d feel much better if my code was being hosted on Roblox itself in some way, rather than having to rely on a third-party. That’s just me.

While it has major flaws (seriously, I would love some form of version control), this is the best that we currently have. I definitely hope to see it improved or entirely replaced with some other alternative, but I don’t want to see it disappear completely until that time comes.

Edit: Geez, my connection to the dev forums is terrible right now.


#941

I assume you are referring to me, since you at least in part quoted me.

A 5% chance doesn’t indicate that I believe this will happen, instead, it indicates that I believe it to be fairly unlikely. It was not presented as a pro / con for the update either. I was presenting the only possible scenario I could imagine where an alternative would be provided in the future considering this statement.

Usually for a company to pull a complete 180 on policy requires a rather public or costly event to occur.

Context is important, the discussion was about whether or not an alternative would be provided in the future given the presented information. I think it would be wrong for people to believe that an alternative is coming.


#944

For clarification about this reply, please read this post, since the original post was from a couple days ago.

I would like to add on, from my personal knowledge working for SmartTech as a Creative Advisor (the company that Wind_o owns that makes CheckMeIn), that yes, if you step in our shoes we would prefer an alternative to private modules. Although we have figured out ways to find a temporary fix (for obvious reasons I will not be disclosing our security measures) until our next version of CheckMeIn comes out in a few months, it isn’t perfect. But if you think about it, not everyone is lucky enough to be able to do that. For instance, Terabyte Services had to shut down for the security issues, which, to be honest with you, the creator of that was focusing on his alternative to Roblox to the point he never fully finished TBS. It’s not a great deal for the people who use it, and I kind of do believe that they could find a better way of doing private modules, but at what cost.