Then it means that, by your own definition, what GoG did it definitely not DRM because you will not see any pirate groups caring at all about circumventing GoG password as it doesn't impact them at all. The games are DRM-free, the pirate groups will simply do what they usually do with DRM-free games, package the installer as it in some RAR files and post them on torrent site, file sharing sites, etc...

Unfortunately those RAR files are more convenient compared to the GOG ones for me right now. Not saying I'm running off to TPB though, but still, this is just nonsense.

I've indicated this before, but I really don't think the term "DRM" needs to be a part of this discussion. In general, I've never held an ideological stance against artificial restrictions. It is within the rights of the provider to implement them, it is within my rights as a client to decline purchasing software that employs them. That's all that needs to be said as far as I am concerned.

My objection to this - and my recommended perspective for dealing with it - is that it is, simply put, an ugly hack. Restriction mechanisms lead to more fragile, technically inferior software. It is true that in this case, the implementation of encryption only deprives the software of an unsupported use case, but it does so for reasons that are seemingly irrational, and are better dealt with using other means (as some knowledgeable posters have clearly demonstrated here). So nobody really wins.

It is tempting to take a hardline stance and use words like "rights" and "ideals" to bolster one's position in this kind of debate. My own approach - which is just a negative appraisal of a software implementation - may seem rather limp wristed in comparison, seeing as it is unabashedly subjective. But the point to remember is that while I'm only offering my opinion now, which can be explained away or disregarded, the possibility of GOG not receiving any more of my money because their meddling with installers turns good software into shitwrapped garbage is very, very real.

GOG have a unique approach to game distribution, in that while they do not control their releases the way that Steam does, they do not relegate themselves to being mere middlemen either. With their installers and custom modifications, they claim a degree of stewardship over the software they distribute that is far greater than that of stores like Humble, which merely pass on the binary blobs that the devs submit.

But even with this basic level of control comes a degree of authorial responsibility. As I've said in a previous post, I've found GOG's packaging to be annoying, but this takes it over the top. I think we shouldn't need to teach GOG's engineers how not to fuck things up. I am not an expert in any of these matters by a long shot, but I can easily follow everything that has been discussed here, and I frankly think it's embarrassing that they need to take suggestions from forum posters for basic things like circumventing browsers' file type detection.

This, then, is a matter of demanding better engineering quality as a customer. While it is obvious that some users will never even notice this issue, it is potentially something that could tangibly influence a large portion of the userbase. What needs to be done, then, is to make sure that as many of these users as possible are informed, so that they may voice their displeasure over this, and if push comes to shove, vote with their wallets as appropriate.

How so ? as those RAR files will contains the exact same GoG installer that you could download here.

Pirate groups usually don't recreate installer unless they are forced to (e.g. the game is a Steam download and doesn't come with an installer to begin with), if the game comes with it's own installer usually they keep it and just provide the crack in a separate folder. (if a crack is needed)

I don't know; as a software developer myself for many decades now, it's not always that easy. Very often, the "best" solution is not the most elegant or the most "technically correct" but it's the "good enough" one.

The question most of the time is not "is it the best way to do it ?" but more "is it the most time efficient way to do it so that I can work on other things", if you have a solution that is good enough for 95% of the cases and takes one day to implement and on the other side another solution that 100% bullet proof, state of the art, but takes 5 days to implement, guess which one will be chosen most of the time ?

It has nothing to do with "incompetence" or or evil corporation tactics, it's just pragmatism, it's the kind of compromise most developers must do everyday. I could tell you many examples where I have personally to make such technically "bad/less optimal" decisions simply because it was the most "pragmatic" thing to do.

Maybe I am wrong here but I don't think Gowor made decision he made because he is not competent or because he didn't knew how to calculate a hash, or anything, (I suspect he probably already know most of the technical proposition made in this thread) but I think he did it because he considered it was an "acceptable" compromise, preventing "dumb" users from accidentally extracting a non working installation, making it slightly for peoples to add malware to the installer, while at the same time not impacting users. (i.e. users using the installers the way they were meant to be used). As he said he has a lot on his plate, so I guess making sure that Linux users were still able to use a third party tool to extract the installer's files was probably not very high in his list of priorities when he developed the new installers..

If you read some of my previous posts you'll see that I'm teetering between being understanding of the situation that Gowor is in and being kind of a jerk about it because I want my stuff to be good. You're right, of course. I've provided an example of making similar (though far less complex) compromises myself. Though I certainly didn't ascribe it to "evil corporation tactics", not sure where you got that from. I simply find that the disadvantages of GOG's approach sometimes do not suit me, and that influences my purchase decisions, which is a sentiment that's worth expressing, even if it is just one voice.

I don't know how pirate groups does their releases because I haven't pirated anything in a very long time.

IF the GOG installers are not included in the pirated versions, just normal RARs or whatever, then it is more convenient. Normal tools can be used to extract it.

I know there are scripts already for the GOGs (thanks ssokolow and shmerl and all the others digging into that) and I never doubted for a second that the community couldn't handle it.

Never said you were, it's just that it's something you often heard when talking about the compromised businesses have sometime to make.

Gotcha. The thing with "evil" is that when you break it down, it's just banal dynamics. You need to understand them to find a way to influence them positively. Which is why I regret my slightly venomous statements above. I may well end up deciding that I'm done with GOG, but lashing out will certainly not help anyone, and I'm glad you pointed out my folly.

Given the requirements posted, any architect or developer that did this would've been out the door so fast it would've been spinning. Not like it's hard to find a way to securely protect an archive without password protecting it (yes, I know that couldn't be used directly, but the method is perfectly valid). I'd give junior devs a pass for implementing what they were told, but if a senior dev didn't at least object they'd be out as much as the architect.

I was reluctantly going to give Galaxy a shot. Now? Not a chance. This is for a couple of reasons. Security generally is designed by the same group, or at least should be. I don't want to run secure networking code by the same people that thought this was in the slightest bit secure. The second is ideological. If you include something with even the whiff of DRM in your "100% DRM-FREE You buy it - it's yours", why should I trust your client? Only way I'll try Galaxy now is if at least the client is Open Source, and I'd be auditing it before building and installing it.

This is a great point. GOG's apparent lack of stringency makes me strongly disinclined to try anything more complex than what they're offering right now. I can be sympathetic towards a dev managing his time to the best of his ability, but that doesn't mean I have to accept compromises in the quality of the software I run on my machine. I mean, it's not like there's no precedent for doing things better. If GOG can't compete that shouldn't be my problem.

I'll have to agree on the Galaxy point. I was looking forward to use the Galaxy client as a downloader that does hash checking etc automatically because I've had downloads go corrupt. Now I'm really not that confident that I'll let that client replace my older working installers with new passworded ones.

I won't call any shots on Galaxy yet. I'm hoping it will work something similar to Steam minus the DRM, such as this: Steam works by downloading the game files and then installs the necessary registry entries via a "name.vdf" file/script and that works fine.

I think it would make it easier for us Linux people, at least for me it would, as I wouldn't have to spend time extracting the setup files.

If you wait ten years or so the supported OS for all the GOG Windows games you currently own will not be supported by Microsoft.

I want to be able to play my games on future computer systems that haven't been invented yet. What I am actually trying to buy from Good Old Games in most cases (certainly for all the old games) is not a pre-packaged installation experience, but legal rights to the game assets (the models, textures, sound effects etc.) for personal use. This 'feature', whether you agree it is DRM or not, makes GOG less useful than second hand CDs or pirate copies.

Fortunately the script kiddies can now use the script posted earlier on this topic...

I disagree, we need to have this discussion. One reason I buy anything from GOG in the first place is because I want to support their "no DRM" principles.