Removing Support for Third Party Closed Source Modules

#1010

Except one major difference: they’re full-on companies, and could easily be sued for malicious software. Also, they wouldn’t do such a thing on purpose because it’s their profits they’d lose; they want to protect their investment. Some random internet users injecting backends later on are not exactly people you could sue or hold accountable very easily at all. Another point: if software is malicious, like Roblox, there exist antiviruses for operating systems for a reason.

Windows is honestly the only thing I don’t know when it updates, because it’s forced and in the background, but even then it has an update section to schedule updates. Discord and Roblox tell you when they’re updating… Discord sometimes changes front-end code without telling you; that only affects what it can do inside the Electron app itself, however.

#1011

Regardless of what developers think about the system, Roblox is a corporation and thus the security of their platform comes first. Meeting industry standard is impossible when their developers are vulnerable to malicious code. It’s a bad public image and bad for the platform in general.

Making a replacement would take a very long time, so they have to improvise and remove it in the meantime, which is beneficial as it stops the problem at a very minor inconvenience (most closed-source modules used by games have open-source alternatives, such as administration suites).

#1012

Silent updates will still be possible after this change is live, there is no change in that behavior according to any official post I have seen.

If you want to start a discussion about that particular mechanic, it should go in a different thread since it’s not related to the change in this thread. Or you could read the post about packages which seem the logical successor to private modules.

What should we call private modules after they are no longer private? Public modules? I think that is probably the most relevant thing to discuss at this point.

#1014

The same can be said about your reply, as your own points have also been answered multiple times (with the exception of #1, which is a fair point). This includes #3, which was…

This statement is simply untrue. You can attempt to decompile a program, and may get better results with different programs, but you’ll mostly be left with a large amount of meaningless mumbo jumbo. This includes Roblox, which I have attempted to decompile in the past (though it’s entirely possible that I used terrible decompilation methods). Even if you do manage to decompile a useful amount of a program, you’ll only…

You’ll also get a rough idea of what a private module does simply by testing it. (This is where you say that the source code for a private module can be changed at any time, which has also been addressed many times in this thread. The argument being that public scripts can also be dynamically updated, with the fact that the source can change at any point in time completely nullifying the fact that it’s open source.)

And then there’s point #2, which was also addressed multiple times.

For one, I’m not denying what you’re saying is false, but I would love some actual statistics proving that the majority of models on the front page have back doors in them relating to closed source modules. You can’t just make this statement without attempting to verify it. Second, as was mentioned many, many times in this thread… make a temporary checkbox where the place owner must manually allow closed sourced modules to run in their game. This is NOT a final solution, and is only meant to negate a large amount (not the entirety) of security risks associated with private modules until a better solution can be implemented.

5 Likes
#1016

Not to mention, if you insert a model in your game, there can be hidden malicious code, and it’s entirely the user’s fault.

Only use models from trusted users. Don’t take candy from strangers.

#1018

Generally, the whole thing came up because people were uploading malicious plugins and botting them to the front page. These plugins inserted heavily obfuscated scripts into services that weren’t visible through the explorer. They made use of the ability to require closed-source modules to be able to hijack any game they wanted whenever they wanted as long as the developer installed their plugin at least once and opened their place.

Though that’s not the only reason closed-source modules are going away.

#1019

Again, please read the whole thread before posting. It’s unhelpful if we have to keep repeating the same points.

4 Likes
#1020

Have you read the topic post? The security issues with module sandboxing were overlooked when they allowed private modules to become a thing. The feature was originally spec’d to have the modules be public, but I think private modules were a case of a bug becoming a feature without considering the potential risks of doing so.

5 Likes
#1021

Okay, but just asking, hasn’t it been known for years since the original and intended implementation was released?

#1022

How long it’s been known for isn’t relevant, honestly. Over their lifetime they’ve become a more and more severe problem, and that is what the issue is. They’ve become a big enough problem now to warrant this.

1 Like
#1024

The fact this should’ve never been a thing and should’ve been removed at the start does not matter because it’s not worth talking about. It changes nothing. We can’t change the past. What we can change is the future.

I think the fact that a Roblox staff member brought up the possibility of public modules (loaded from site) being removed is a good thing. However, I think they should really tell users in a more clear post that they should be prepared for this possibility. Just like private modules, public ones should be removed too since they share a lot of the terrifying issues that the private ones do.

2 Likes
#1025

Well,

If they removed it once they knew it:

  • People would not have used private modules today
  • No one would have cared
  • A sufficient replacement would have been made which we would have been able to use today

If they remove it now:

  • Thousands of games = broken
  • Many upset developers and players
  • Owners of smaller places need to pay a lot for the same functionality they had with private modules
  • Basically removing a little needed feature on the Roblox platform
  • People care
  • Almost forgot; people lose their income

When an item is being used by a large number of users, you should not remove it without a replacement. The same story can be told about NPM (Node Package Manager), which once had an incident where a module was used widely, and millions of users relied on a package.

Then, Kik (messaging app) had an infringement with a package named “Kik” by an author. The author of course had no right to continue to keep the name, but in the discussion, he got so sad and upset, that he removed every package that millions of users used and relied on, and several thousand sites went down because an important thing was removed. This is not related to this story, but it shows the consequences. It was so dramatic for NPM that they decided to make huge internal and functional changes to their site to avoid situations like this.

Now think of this with private modules. Thousands, if not tens of thousands or hundred thousand places use private modules in their game and potentially rely on them. Removing them would break those games that rely on them.

No, we cannot change the past, you are right, and yes we can change the future, also right. Why remove something thousands of games rely on without a sufficient replacement? Here we go, “security risks”. There is no longer a point for me to continue in this discussion as all my points have already been stated in this, and in my former posts.

6 Likes
#1026

We are well past that, it would be nice to see an update.

3 Likes
#1027

Update please! This update isn’t out yet and I’m very curious where the team is at on pushing this through. Very excited to see the removal of Private Closed Source Modules.

1 Like
#1028

This update is anything but exciting. There needs to be an alternative otherwise the backlash will affect the platform.

7 Likes
#1029

Yes, anything but exciting. I will have to go through and find new open source codes for like 20 different things for my group to be able to successfully operate again. If I can’t find an open source admin, this could be the end of my group and many others.

#1030

There are many open sourced admins that are amazing to use, Adonis is one. The main part of this update is getting rid of users’ IP and allowing no security to a user’s work.

#1031

This is insanely exciting. I’m very happy that we’re getting rid of closed source modules. No developers should have a need to use closed source modules, and doing so is bad practice.

There is no security to the person who downloads your closed source module with the current system, so saying it ruins the security of closed source module devs is hypocritical.

#1032

Multiple users use closed-sourced modules as a business foundation. There is a multitude of services that use this system to protect their IP, and avoid a stolen malicious asset that will fool others.

There is security to be used if people would actually background check what they’re using. If you use a free model tree, and there’s a script in it, there’s a high likelihood that it’s a malicious model. If there is at any point in your game a time when a user is abusing it and doing malicious things via server control, simply Ctrl+Shift+F “require” and disable it. It’s not normal to be using more than 3+ private modules for any game. The failure of the ‘developers’ who do not do this is what caused this issue. Yes, the feature may have never intended to become this but as @WhereAreTheLights has said, this should have been a scenario where the feature has an unknown development. If you cannot background check the assets you use, closed-sourced or not, you have no business being a developer if you cannot check what tools you use.

2 Likes
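
Added example, not part of any post in this thread: the "search for require" check mentioned in the post above, run over script source text so that modules loaded by numeric asset id and calls with a computed argument are separated from modules that live inside the place. The function names and the sample Lua are constructed for illustration; a script obfuscated so that the word `require` never appears in its text will not match.

```python
import re

REQUIRE_OPEN = re.compile(r"\brequire\s*\(")
# script.X, game:GetService("X").Y, workspace["X"] and similar in-place paths.
INSTANCE_PATH = re.compile(
    r'^(script|game|workspace)(\.\w+|:\w+\(\s*"[^"]*"\s*\)|\["[^"]*"\])*$'
)

# Constructed sample source, as it might be copied out of a place's scripts.
SAMPLE = '''local Util = require(script.Parent.Util)
local Admin = require(1234567890)
local id = tonumber("12" .. "34")
require(id)
local Roact = require(game:GetService("ReplicatedStorage").Roact)
'''

def _argument(source, start):
    """Text from just after 'require(' up to its matching ')'."""
    depth = 1
    for i in range(start, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[start:i].strip()
    return source[start:].strip()  # unbalanced call: keep what is there

def classify(arg):
    if re.fullmatch(r"\d+", arg):
        return "asset-id"   # module fetched from the site by numeric id
    if INSTANCE_PATH.match(arg):
        return "instance"   # ModuleScript stored inside the place itself
    return "dynamic"        # computed argument: needs a manual look

def find_requires(source):
    """Return (line number, argument text, kind) for every require call."""
    findings = []
    for m in REQUIRE_OPEN.finditer(source):
        arg = _argument(source, m.end())
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, arg, classify(arg)))
    return findings

def needs_review(source):
    """Only the calls that can pull in code from outside the place."""
    return [f for f in find_requires(source) if f[2] != "instance"]

if __name__ == "__main__":
    for line, arg, kind in needs_review(SAMPLE):
        print(f"line {line}: require({arg}) [{kind}]")
```
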
#1034

Seranok has said there is a ‘possibility’ of a late 2019 usercase for this, but when is information ever right with releases? For all we know, there will never be any protection of a user’s Intellectual Property ever again.

1 Like