Removing Support for Third Party Closed Source Modules


#154

Eyy ya took my advice. Spicy.


#155

This update is like the government saying “We’re leaking everyone’s credit card numbers on the off chance that someone, somewhere does something malicious with theirs. Everyone else doesn’t matter as long as we stop these outliers!”

Each and every one of us here on DevForums got here from hard work, and now that hard work will be available to lazy plagiarists looking for a quick buck. If you’re going to destroy private modules, could you at least provide a viable alternative first so we don’t lose months of progress and profit?


#156

No. You’re implying that 100% of private modules were used purely to hide sensitive data. I’d imagine a huge chunk of them weren’t.

It’s ridiculous to compare this with the government releasing everyone’s credit card numbers. You act like there weren’t hundreds upon hundreds of free models abusing private modules. As a legitimate developer, private modules are almost useless except for basically two use cases.

Everyone got here by hard work, yes, but not through private modules. Are you seriously saying that because private modules are being removed everyone on Roblox is going to lose their hard work? Are you aware that pretty much any game can be copied (except for stuff on the server side) with ease by anyone? And that’s been possible for years.

If your work is seriously so great, you shouldn’t fear people being able to copy it. Free models are free. Period. If you don’t want people copying your “hard work”, do not make it a free model.


#157

We are extremely sorry about this – our goal was not to shut down use cases around providing services to games. We understand the negative impact this is having on you.

We made a huge mistake by allowing third party closed source modules before our engine was equipped to safely handle them. The risk of allowing unauditable code in games when we lack any sandboxing support is simply too high, even if game developers are willing to take the risk. In the future, we will be more careful about introducing dangerous features like this.


#158

This is probably going to cause a lot of people to change over to obsfucation or simply stop releasing things publicly. Those both come with problems. Here’s hoping there’s no unintended consequences. :slight_smile:


#159

About time I can finally view the source code of Admin commands like the Old admin commands from 2012.


#160

Then you can inspect the code, observe this, and never use anything that such shoddy developers make ever again. :stuck_out_tongue:

Releasing a private source module was never the same as releasing things publicly (it’s not even simply closed source, the source holder can arbitrarily delete/add/modify logic on the fly without your knowledge). This change will lead to people naturally releasing more things publicly just by mere implication, because they have to open up the source when publishing a model for free.

If people want to make money off of their work, they need to sell services, not black box products.


#161

Something I want to confirm: this only affects third party modules as stated yes? Meaning modules you own can still be privately required by it’s owner?


#162

This is assuming the creator makes the module public. Not all private modules will instantly become public, and therefore many modules will likely not make the transition and will most likely be retired instead due to sensitive content being inside them just because of the way a lot of people used them when they first came out.


#163

How do you propose someone “sells a service” without basically giving the person who purchases it the entire source code of the service, allowing that person to do something malicious with the source code, such as use it without paying, resell it, release it, etc


#164

If your product relies on that, your selling strategy is flawed; you shouldn’t be wasting time on trying to make it profitable by relying on hacks like closed source third party modules. Consider making something that relies on an external service and then providing your time setting up / hosting / maintaining the application as the service that you are selling, rather than the code that you write once. This will always be supported and is the opposite of a hack.

Examples are:

  • Analytics system
  • Matchmaking
  • External global datastore
  • External group management dashboard
  • Web proxy
  • Discord bots for Roblox communities
  • etc.

For these you can host the logic/storage/etc on an external component that does not need to run on the game itself. You can provide a small open source module that interacts with your service, and give customers API keys or similar to use it.

Products that are a single component that do not require any external resources or global management, are incredibly hard to sell at mass scale because it will just take one person to leak the source and you’re done for, since you’re dealing with a young user base. So this is not a reasonable investment of time, if you have to rely on these horrible hacks to make it work.

In such cases, I would instead recommend that you sell your time maintaining / bug-fixing / extending the source as the service that you are offering to a smaller customer segment (i.e. as a contractor for a popular game or multiple games). This is a much more sustainable way to make income off of providing such services, and these customers will not likely leak your sources.


#166

I’m not really interested in nitpicking on words rather than addressing a discussion point (there are none in your post), but: “Hacky” in the less literal sense that it is something you should not want to be doing, in this case because it violates a bunch of security principles as pointed out by Seranok and other posters earlier on. Sorry if that usage of the word seemed confusing.


#167

Given how many groups I’ve worked with that just didn’t bother supporting their 3rd party code/systems, that feels like a full time job, haha.


#168

Remove a feature again… This is the problem i’m having with roblox lately. Instead of fixing things, they just remove them.

Eg.
Tix -> Bots for devex, claiming that they were “Too complicated for new users”
Lifetime obc -> Bots for devex (even though they claim you can’t devex from buildersclub earned robux)
Comments -> Spambots

and now they remove 3rd party modules.

You could just add an option like LoadStringEnabled, for ThirdPartyModulesAllowed you know… but no, go ahead, remove another feature.


#170

I can see a lot of Bots


#171

While it does seem to be a trend of removing features, it feels disingenuous to equate this to removing tix or lifetime builders club. Those were remove for very good and unrelated reasons.

Of the examples you gave, only the comments are a good comparison, and even then there was a good reason for doing so. That’s the case here as well:


#172

I am not sure where you are getting all of your information – it’s not all accurate.

  • You can read up on the rationale behind removing tickets on the blog.
  • I cannot find any public information on why Lifetime Builders Club was removed, but the reason is straightforward: having a Lifetime membership option does not create a sustainable long term income for Roblox. We need to make money in order to continue to grow and provide a platform for developers like you to make money.
  • With regard to comments, you are correct that they were removed due to botting concerns. I agree that we should not have removed them and should have instead focused on anti-botting efforts like we are now starting to do.

#173

In a rather late change of events, @SquirrelByte’s Terabyte Service has chosen to raise a petition to prevent this change. The disagreement has massively change from the private threads seen here on the DevFourms which has helped lead to this debated change

(All links below require full member to access)
https://devforum.roblox.com/t/front-page-of-models-filled-with-thanos-models-also-including-private-module-backdoor/205870/
https://devforum.roblox.com/t/plugins-being-botted-to-the-front-page-containing-potential-malicious-code/204991
https://devforum.roblox.com/t/4th-most-taken-free-model-is-with-a-high-probablity-a-backdoor-for-exploits/132950
https://devforum.roblox.com/t/possible-backdoor-or-place-stealing-exploit-in-copied-plugin-models/207126/


#175

My organisation provides application systems to groups and relies on private modules in order to power over 60,000 games on Roblox. These games have drawn in well over 2 million unique players.

Releasing the source code would expose months of work on our services, and our HTTP API would become more vulnerable from attacks, making maintaining our systems harder and more time consuming.

This abrupt removal of private modules with no alternative will effectively push Terabyte away from working on Roblox, ruining the application system used by thousands of groups.

We do acknowledge the security risks associated with private modules. However, during our operation we’ve found that the benefits have far outweighed the drawbacks. We have started a petition against the removal of private modules without any proper alternative being implemented. At the time of writing, there had already been 3,900 signatures from our platform.


#176

Could you explain what your system does and why your code needs to be private in more detail? Maybe they can fulfil the use case in some other way if you better describe what you need.