Unless I am missing something, wouldn't the galaxy.dll just be inert?

Galaxy typically runs with elevated permissions, and certainly has system services that are elevated as well. This opens room for a possible bug or exploit to be found that could be used by malicious attackers to infect systems. Games that use it could potentially similarly be exploited. Some of these could be remote exploits, too, since Galaxy is built with Internet connectivity in mind.

No I believe that the only definition that matter is the one that Gog uses because that's the one that uses to decide is the game is DRM-Free or not for them.
Yes but here we are not talking about Galaxy itself but about games that have the Galaxy.dll in their install folder that's two different things.

Is this the same for steam.dll?

GOG Games with Galaxy integration are hard-coded (inside the game's .exe) to make Galaxy API calls with the expectation it will be running. This is unfortunately true even of offline installers. Eg, say a game "pings" Galaxy to unlock an achievement via the Galaxy API. If Galaxy is running an achievement will unlock. If it isn't then the galaxy.dll in offline installers acts like a "fail safe" allowing the game to continue without crashing upon receiving no expected response (from a client that isn't running). They're definitely not inert and the error message I showed earlier is what happens to Divinity Original Sin (GOG version) when galaxy64.dll is renamed / prevented from running, the game instantly refuses to start long before any Galaxy features (achievements, etc) are used.

Yes, you'll see a similar error message if you blocked steam_api.dll from running for many Steamworks integrated games for the same reason. Amusingly Steam games have more of a backup plan in the form of Goldberg Emulator. It would certainly be amusing if in years to come someone had to write a Galaxy emulator crack to get the "DRM-Free" offline installer games here to continue to run...

I see. before galaxy weren't their steam.dll files on gog anyways though?

The DLL is communicating with Galaxy, not with the Internet, same thing with the Steam one. So the risk of either representing any serious security risks on their own is infinitesimal.

In a few games. Prior to Galaxy (the older installers) most GOG games were "clean" ie, didn't call any client at all. Same is true of other stores DRM-Free builds (eg, Humble).
You're missing the point (as explained in 2nd paragraph of post #60) but never mind, I'm really not going round in circles on this on a Friday evening.

I see, although considering how steam took off even if gog didn't introduce galaxy then the steam.dll would have been there at some point.

My point was for illustrative purposes. It's easy for many people to essentially write off these issues with the offline installers. I know you have repeatedly said it isn't acceptable and I thank you for that, but it still seems to me to ring a bit hollow because there is no urgency at all that we can see on GOG's end to fix the offline installers. We can say it's unacceptable all day but it doesn't seem to get through to GOG to fix the issues. That's what's bothersome, as if the situation was reversed, you know there is like no way they would stand for it.

But for offline installer-only users the problem is essentially the same (actually, I would say it's worse for several reasons, but I digress). Only difference is now the offline installers are out of date with both clients, lol.

When the Deus Ex Mankind Divided DLC released locked behind Galaxy requirement until it was fixed, a user suggested GOG test the offline installers then Galaxy after that.

I say GOG should focus on making sure the offline installers are up-to-date within a day or two, and more importantly, not having anything locked from these "bugs" where Galaxy is required.

I get that Galaxy was made to push updates faster but for what it has done to the treatment of offline installers it is not worth it imo. Galaxy needs to prove its case from scratch, if you ask me.

This is supposed to be a DRM free store, there is no room for compromise, compromise means removing the entire goddamn point of GOG's existence. This argument is the same as being ok with a vegan restaraunt serving 'a little meat on the side'.

So in theory, replacing the DLL with one that exports the correct functions but returns no data can be a solution?

They won't even acknowledge that there is a question as to whether or not Hitman is DRM-Free, so what makes you think DRM-Free has any relationship to a clearly defined definition that is unambiguous?

Maybe a little bit offtopic, but since you used the word crack yourself: do you consider an emulator (like Goldberg) a crack, if it just replicates API calls? The creator of Goldberg compares his project with WINE and console emulators and denies any breaking of DRM. I've searched a bit, but I'm still not sure about it's legal status. And if it's so legit, since APIs aren't copyrightable as of now, then why you can't find a single mention of Goldberg on PCGamingwiki (which has a lot info about DRM)?