I’ve said this once, and I’ll say it again. This is a complete waste of moderation resources. You could be working on things that actually need to be worked on, like the faulty report system.
Edit: My trust level in ROBLOX has died. The fact that this has been going on for months and you just told us is ABSURD.
But why would code be flagged? Roblox has released no actual guidelines of what code gets flagged, and the guidelines about where code won’t get flagged are still very vague.
Also, you only have to go on Twitter to grow a huge distrust for any Roblox flagging and moderation team.
As @devSparkle said, I’m happy to trust this moderation team, but I want sufficient proof to verify this trust.
I still have a bit of doubt in the filtering system, but I guess that’s made up by the fact that manual review is going to be used after the filter is tripped.
Thank you for more details on how the system works though.
I’m assuming unless you know you’re intentionally trying to put bigoted / NSFW / certain political / unfiltered content into games, you’re probably going to be just fine and this system will never bother you at all.
Just do what you always do. It’s not meant to trip up normal development practice, it literally says this in the announcement.
We need clarification now about API keys. I do not want ANYONE looking at my secret keys. I wouldn’t trust CEO Baszucki with my API keys, let alone a “small special-trained team.” There needs to be a new system. I don’t care what it is.
If there is even a chance of anyone reading my API keys, I will switch to Godot in a second. You don’t seem aware that there are other platforms like ROBLOX. If you keep kicking the developers around, we will switch.
There are many other factors that need to be addressed and answered.
EDIT: Couldn’t there be a possibility of a rogue admin who would sell our keys for a lot of money? The chance of this happening is small, but still, if it did happen, what would happen to the developer, the admin, and ROBLOX itself?
They shouldn’t even be stored in developer code to begin with. Application code should not contain application secrets in a professional environment. This is bad practice.
You can store application secrets in datastore keys or you can make a feature request for a service for managing secrets (i.e. being able to set environment variables / application secrets on a per-place level), then you can entirely get rid of that bad practice from your code base.
You see, this doesn’t answer my question at all. It doesn’t matter if it is ‘bad practice,’ it’s still not okay. Beginner programmers don’t know about ‘bad practice.’ What happens if they put an API key in their code? An admin can still see it, regardless of ‘bad practice.’ I am disgusted at this update, especially since it’s been going on for months, and we were just told about this.
Also, I’d just love to know what kind of apparently massively valuable API keys y’all are apparently storing. Analytics keys? Are you really afraid of them getting leaked and people spamming it with false information?
@RealJayDev I don’t know, but if it were to happen, and a rogue admin saw it…
I don’t like the idea of admins reading my code at all. ROBLOX needs to focus on better moderation, like fixing the chat filter system so it doesn’t tag the word, “I” or “we” sometimes (seriously?). ROBLOX needs to focus on fixing the report system as well.
If the code shows something bad in-game, the game can be reported (that is, if the reporting system is fixed), and the game can and should be put under review.
There is always a way for a layman to mess things up spectacularly. That doesn’t mean the consequences for a layman are as dire compared to a top game’s API keys being seen. If you know better and the stakes are high, then you should follow best practice.
This topic isn’t about API key management though so I would reserve more in-depth discussion about who uses API keys in what way for the feature request topic.
Some developers host their own external programs on servers for various reasons. People getting hold of the keys and potentially abusing them or leaking them could lead to large incurred costs, player data leaks, deletion and other tampering, and so on. It’s totally justifiable to want to keep your keys secret.
Cross server communication is made possible thanks to these keys.
If someone were to gain access to said keys, they can change any of that data. If I’m lucky, they’ll just wipe all player data. If I’m unlucky, they’ll make people’s names super NSFW words and while asleep in my cozy bed, I’ll wake up in the morning to my account being terminated.
External databases are what allow developers to make real-time interactions across all servers within a game. Even the Messaging Service isn’t quite as fast.
Data insecurity is never okay.
The most you can do is try to have backups and then catch the person making these changes before further damage can be done.
I wouldn’t call it paranoia, developers are just protective of the intellectual property that they’ve spent thousands of hours working on.
The second announcement clarified that the system is less aggressive than some initially thought, but there still isn’t much we know about it. Of course we can’t know exactly how it works (otherwise it would be too easy to circumvent), but here are a few things that could still be clarified:
Is it possible for old places to be flagged?
Will we be notified if our code is reviewed?
Does the moderator team have access to the entire place file, or just the flagged script’s source?
Are the moderators restricted by non-compete agreement?
In cases like these where you’d use an external database, I can completely understand. But, in all honesty, likely the vast majority of the people complaining about this only have things like analytics keys, Discord webhooks (although I’m still massively unsure why people use Discord of all things to log stuff, both sides get pretty angry about it) and Trello to worry about getting “leaked”.
tl;dr: for the vast majority of developers, this seems like a huge overreaction. Perhaps I am wrong though, I’ve never personally needed to use external sources in any projects I’ve worked on.
So, like, does this mean private modules can come back?
If the goal is to get rid of harmful content, and ignore legitimate stuff that isn’t going to be seen by anyone (private modules) then I really see no reason to bring them back. These were the reasons they were removed in the first place. People even literally suggested Roblox review private modules instead of removing the feature altogether. No, they removed them. But, here we are now, Roblox reviewing our scripts…
Our code is not open sourced because it’s not meant to be opened. At this point, you’re just turning our closed sourced projects to an open sourced mess. And big or small teams makes no difference. I still don’t trust it. And what stops them from a false alarm? Thank you for answering our questions, but you did not answer our concerns.
Edit 1: So basically when you have a possible threat, you send a SPY TEAM to overlook our creations. Our code is ART, not a toy. We shouldn’t have to be forced to have a violation of our privacy, that in the end of all this will probably end up being another way to capitalize on.