I hope GOG will resolve this thing positively, rather than insisting that the current approach is needed.
Post edited December 30, 2014 by shmerl
Ganni1987: I'm really angry at GOG about this situation.


Dear GOG, If you're reading this please know that:

I've always had the assumption that I own the games I buy from you and I always believed them to be DRM-Free. Now my library has games encrypted with a password that you silently decided to add for a reason that doesn't make any sense.

Should you decide to remove this password I'll have to spend a lot of bandwidth and hours into downloading all the affected games and since most of my library is backed up on DVD's it also means I'll have to spend a lot more hours into re-burning discs again, needless to say that good money may go to waste cause of this.

As you can probably see, you've created quite a mess for me. As it currently stands I won't buy any Windows games from you, I can't trust you anymore.

In my 3 years since I joined, I've rarely been disappointed even with your mistakes that have left many people disappointed and angry. It really burns me up that such a great company promoting DRM-Free goes to put a password where not needed. You could have executed this idea in a better way.

I can't help but feel betrayed by the trust I've placed in you.


Regards
I suppose we should start preparing to engage in PR warfare.

Practice 1: For each sale, someone should go into the sale's forum thread and bring up this issue, eloquently and politely, as a reason they won't be buying anything. (ideally someone different each time)

Practice 2: We need to find someone who's participating in the Galaxy Client closed alpha who can help to share the FUD we're feeling in the sticky closed alpha thread.

Practice 3: Anyone who's got a blog or well-subscribed social media account, start telling the world how much this worries you and how you feel GOG's lost your trust.

(And, whenever possible, work in a link to the wishlist entry. We got GOG to backpedal on the regional pricing. Doing this using hash checks rather than encryption won't cost them nearly as much as their fair price policy.)

...and I'll continue to save a copy of this thread in case it gets deleted... which just goes to show how much trust in GOG I've lost.

To Everyone: Maybe we can start brainstorming the punchiest set of talking points now?

I'll start with:
1. GOG used to talk so loudly about their "principles". This shows they're just another corporation.
2. This will increase the attractiveness of the pirated option since it's not password-protected.
3. It's ineffective at preventing malware injection and there's another solution which is fully effective.
4. The other solution is acceptable to us.
5. This new installer crashes on Wine, even if the game itself runs perfectly well.
6. Many games GOG sells can be set up without needing any ability to run Windows code if the installer can be unpacked without being run.
7. DRM is an attitude, not merely a technology. Gowor has expressed the DRM attitude.
Post edited December 30, 2014 by ssokolow
Ganni1987: I've always had the assumption that I own the games I buy from you and I always believed them to be DRM-Free. Now my library has games encrypted with a password that you silently decided to add for a reason that doesn't make any sense.
And why would they have to "announce" when they update their installer? They never did it the previous time they did some updates. If they want to switch to something else than InnoSetup in the future they are supposed to ask for permission first?

Ganni1987: Should you decide to remove this password I'll have to spend a lot of bandwidth and hours into downloading all the affected games and since most of my library is backed up on DVD's it also means I'll have to spend a lot more hours into re-burning discs again, needless to say that good money may go to waste cause of this.
And, password and no password, how is it different from what will happen every time they update the installer? Something they already have done multiple times in the past. If you back up your collection on DVD you will have to re-burn it sooner or later because of that, not to mention the limited lifespan of DVD-R (unless you used M-Disk of course)

Also as the password doesn't change, you just need to put a txt file with the list of passwords somewhere and your DVDs will still serve their purpose without requiring you to re-burn them.

shmerl: It's not a free solution since it relies on Windows.
Well if you consider Free "as in free beer" then yes it is free for 30 days. If you consider the FSF definition of Free then... well... closed source games are not "free" either to begin with, so if it's not an issue to play non-"free" games then why would it be to use a non-"free" Windows to extract it.

shmerl: And installing Windows in VM just to unpack the package is just insane.
It takes 15 minutes (the first time) during which you can do something else and it works.
Post edited December 30, 2014 by Gersen
Correct me if I'm wrong but almost everyone is contrary to whatever you say, so I'll refrain from replying to your posts.
Ganni1987: I've always had the assumption that I own the games I buy from you and I always believed them to be DRM-Free. Now my library has games encrypted with a password that you silently decided to add for a reason that doesn't make any sense.
Gersen: And why would they have to "announce" when they update their installer? They never did it the previous time they did some updates. If they want to switch to something else than InnoSetup in the future they are supposed to ask for permission first?

Ganni1987: Should you decide to remove this password I'll have to spend a lot of bandwidth and hours into downloading all the affected games and since most of my library is backed up on DVD's it also means I'll have to spend a lot more hours into re-burning discs again, needless to say that good money may go to waste cause of this.
Gersen: And, password and no password, how is it different from what will happen every time they update the installer? Something they already have done multiple times in the past. If you back up your collection on DVD you will have to re-burn it sooner or later because of that, not to mention the limited lifespan of DVD-R (unless you used M-Disk of course)

Also as the password doesn't change, you just need to put a txt file with the list of passwords somewhere and your DVDs will still serve their purpose without requiring you to re-burn them.

shmerl: It's not a free solution since it relies on Windows.
Gersen: Well if you consider Free "as in free beer" then yes it is free for 30 days. If you consider the FSF definition of Free then... well... closed source games are not "free" either to begin with, so if it's not an issue to play non-"free" games then why would it be to use a non-"free" Windows to extract it.

shmerl: And installing Windows in VM just to unpack the package is just insane.
Gersen: It takes 15 minutes (the first time) during which you can do something else and it works.
1. One of the principles GOG was founded on and used to sell themselves to publishers was "easier than pirating". This eats away at that.
2. Supposedly, 50% of the purpose of this is to prevent malware injection. It fails at that and there's a proper way to do it which we'd have no problem with.
3. People here complain about CD keys, even if they don't restrict multiplayer play, because they're one more thing to misplace or mis-record.
4. The slippery slope argument. If we excuse this today, who knows what some new GOG employee might try tomorrow. You can't trust companies the way you can people.

I seriously doubt either of us will convince the other so can we please just agree to disagree and both go do something more productive?

If you want the last word, go ahead and have it. I'll be pretending that your posts are invisible from now on to save time.
ssokolow: We are also in 2014 where Windows checks digital signatures on EXE files. It's more robust to have the signed InnoSetup EXE do a hash check on the RAR and that requires no password.
They said that they chose the current solution because it allowed them to easily add stuff to the archive without having to rebuild the installer; if they have to rebuild the EXE anyway to update the hash of the RAR then it kind of kills the purpose.
Ganni1987: Should you decide to remove this password I'll have to spend a lot of bandwidth and hours into downloading all the affected games and since most of my library is backed up on DVD's
Sorry for off-topic. Just out of curiosity, why are you using DVDs vs let's say using a multiterabyte hard drive or even a RAID array of several hard drives? DVDs aren't resilient for long term storage (which some don't realize until it's too late). Plus using hard drives is way more flexible and can save you the effort of burning disks each time.
Post edited December 30, 2014 by shmerl
shmerl: It's not a free solution since it relies on Windows. And installing Windows in VM just to unpack the package is just insane.
And who knows how long Microsoft will allow that use of Windows?

Reusing the same password on all games is a good idea. Thank you for bringing it to our attention here.
Gersen: Well if you consider Free "as in free beer" then yes it is free for 30 days.
So your solution is only good for 30 days? Then it's not a solution really.
Gede: Reusing the same password on all games is a good idea. Thank you for bringing it to our attention here.
It's a better idea than using a game specific password but it's still not needed, same as the other one. There should be better ways to prevent cases when user's browser does something weird with the downloaded package.
Post edited December 30, 2014 by shmerl
ssokolow: We are also in 2014 where Windows checks digital signatures on EXE files. It's more robust to have the signed InnoSetup EXE do a hash check on the RAR and that requires no password.
Gersen: They said that they chose the current solution because it allowed them to easily add stuff to the archive without having to rebuild the installer; if they have to rebuild the EXE anyway to update the hash of the RAR then it kind of kills the purpose.
OK, this point is something that deserves clarification, so I will respond.

If you look at what I said more closely, I said that the release-build InnoSetup EXEs should check hashes. (While developing the installer, the hash check would be disabled for rapid iteration)

Of course, if they want to be able to update release RARs without updating release EXEs, they could also digitally sign the "known good" packing list and store it in the RAR rather than the EXE.

The key detail in making it work is ensuring that the RAR's contents are compared against something digitally signed. As long as the signature can't be forged, it's perfectly fine to store the checklist in the RAR too.
Post edited December 30, 2014 by ssokolow
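
Added example (not part of any post in this thread, and not GOG's code): a sketch of the scheme ssokolow describes above, where a packing list of file hashes is digitally signed and the archive contents are checked against it, so no password is involved. Assumptions: a dict of name -> bytes stands in for the RAR members, all function names are hypothetical, and the RSA key is a constructed demo key built from two well-known Mersenne primes purely so the example is reproducible.

```python
import hashlib
import json

# Constructed demo key (assumption): the primes are the Mersenne primes
# 2^521-1 and 2^607-1, used only for reproducibility. Never use such a key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the publisher only
K = (N.bit_length() + 7) // 8       # modulus length in bytes
# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> bytes:
    """Build the padded block 00 01 FF..FF 00 || DigestInfo for `message`."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(message: bytes) -> int:
    """Publisher side: RSA signature over the packing-list bytes."""
    return pow(int.from_bytes(_encode(message), "big"), D, N)

def signature_ok(message: bytes, sig: int) -> bool:
    """Installer side: re-encode and compare, using only the public (N, E)."""
    return 0 <= sig < N and pow(sig, E, N).to_bytes(K, "big") == _encode(message)

def make_manifest(files: dict) -> bytes:
    """Packing list: file name -> SHA-256, serialized deterministically."""
    listing = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return json.dumps(listing, sort_keys=True).encode()

def verify_archive(files: dict, manifest: bytes, sig: int) -> list:
    """Return a list of problems; an empty list means the contents are trusted."""
    if not signature_ok(manifest, sig):
        return ["manifest signature invalid"]   # do not trust any listed hash
    expected = json.loads(manifest)
    problems = [f"unexpected file: {n}" for n in files if n not in expected]
    for name, digest in expected.items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"hash mismatch: {name}")
    return sorted(problems)

# Constructed stand-in for the archive's members (name -> bytes).
ARCHIVE = {"game.exe": b"MZ demo", "data/level1.pak": b"level data"}
MANIFEST = make_manifest(ARCHIVE)
SIGNATURE = sign(MANIFEST)
```

Because the signature is checked before any hash in the list is used, the packing list can live inside the archive itself: rewriting it to match a modified file fails the signature check, which is the property the post relies on.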
Ganni1987: Should you decide to remove this password I'll have to spend a lot of bandwidth and hours into downloading all the affected games and since most of my library is backed up on DVD's
shmerl: Sorry for off-topic. Just out of curiosity, why are you using DVDs vs let's say using a multiterabyte hard drive or even a RAID array of several hard drives? DVDs aren't resilient for long term storage (which some don't realize until it's too late). Plus using hard drives is way more flexible and can save you the effort of burning disks each time.
Depends on how much we're talking long term storage, some of my old DVD's are well over 10 years and they work perfectly.

As for hard drives, I've had some bad luck with a few and I don't trust them in general, part of the reason is because they're mechanical. My everyday PC gets a hard drive change every 3 years.


EDIT:

On topic - if they want to keep the rar structure just because it's more convenient to them I'm ok with it, but that password must go. The process how to generate it has already been discovered and it's no different than say: What's the point of selling a game with DRM when the "DRM-Free" version is already on torrents.

And if they're worried about legitimate customers extracting the files directly, let me ask, how many people actually know/knew they're using rar compression? Not everyone's a heavy weight computer user, with that in mind few people will actually think about changing the file extension to .rar.

No excuse justifies why pirates have taken a higher priority over us. What I expect from GOG is the removal of the password and if possible a list of the games that have had the password added to them.
Post edited December 30, 2014 by Ganni1987
By the way, which archive formats support adding files with minimal recompression? 7z / xz probably require full decompression / recompression to add even one file. FreeArc maybe?
Post edited December 30, 2014 by shmerl
shmerl: Sorry for off-topic. Just out of curiosity, why are you using DVDs vs let's say using a multiterabyte hard drive or even a RAID array of several hard drives? DVDs aren't resilient for long term storage (which some don't realize until it's too late). Plus using hard drives is way more flexible and can save you the effort of burning disks each time.
There are several benefits on using optical media. Ideally he would use the DVDs in addition to the HD solution:
- They would survive an EMP blast, solar flares, minor floods and so on.
- He could carry them one game at a time to his off-site backup location, in a log cabin in the woods where he keeps a spare Pentium 3. If he gets mugged on the way, no big deal.
- He can print the cover and fill real shelves with the games (not the virtual ones). That carries a huge coolness factor! :-)
- He can also get a real sense of what it means to own 50 games he hasn't played yet.
Ganni1987: As for hard drives, I've had some bad luck with a few and I don't trust them in general part of the reason is because they're mechanical. My everyday PC gets a hard drive change every 3 years.
That's fixable with redundancy. I.e. RAID. Probability of all hard drives going bust at the same time is low (unless it's some flood or whatever). And if just one breaks down in the well built RAID you just replace it and the data is replicated back.
Post edited December 30, 2014 by shmerl
ssokolow: The key detail in making it work is ensuring that the RAR's contents are compared against something digitally signed. As long as the signature can't be forged, it's perfectly fine to store the checklist in the RAR too.
It's possible, but then it would mean they would have to implement some custom mechanism to check this signature instead of relying on the basic signing of the executable.

I know perfectly that multiple alternative technical solutions exist, even some that would be tamper proof while at the same time allowing the installer files to be extracted easily, but I think the key thing here is that (IMHO of course):

It's not some sort of evil betrayal like some make it sound, or some conspiracy about GoG trying to sneakily introduce more DRMs because they are an evil corporation.

IMHO it's just that GoG wanted something easier to be able to update their installer without having to rebuild them completely, something easy to implement, easy to maintain, transparent for users and that at the same time could prevent the average Joe from accidentally extracting the bin by double clicking on the files and then complaining to the support that the game wasn't working.

And the current solution is what they came up with, it might not be the most technically elegant one nor the most tamper-proof one, and I am pretty sure that they are perfectly aware of that, but they probably estimated that it was an ok compromise between efficiency and development time and that it was doing the job.