It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
avatar
Gowor: The Installer is designed mostly for reliability and ease of use for any Windows user and it's intentionally designed as it is.
Ftfy

Example:
Heroes of Might & Magic 3 Complete runs wonderful in Wine, but at the moment you have to get the cd-version and install it or find a Windows system to open up the Gog installer and repackage the files.
Convenience successfully defeated.

Some time ago the installers at least worked with Wine and when this stopped working Innoextract at least got us the files out of the package, but for some reason Linux support on Gog has become worse over the years.
We can handle Wine, Dosbox, ScummVm, KeeperFx etc... ourselves, just don't throw additional stones in our way (it smells of Drm too).
Post edited December 30, 2014 by Klumpen0815
avatar
Ganni1987: I'm not sure which browser identifies the bin files as rar, can't say I've ever heard about this either.
avatar
shmerl: I highly doubt any browser performs binary header checks. Browser relies either on MIME type information coming from the HTTP server (something that GOG controls) or on the extension (something that GOG controls as well and can set to anything they like, for example to .gogpackage or whatever).
I was searching about it and everything refers to the MIME type. My suspicion fell on some browser plugin that could case this (similar to how Firefox opens PDF files inside the browser itself) but none point to a RAR version of this kind.

I can confirm that VLC does associate bin files and even changes the icon to the VLC Cone. I'm 99% sure some user actually had the .bin extension associated to WinRAR or some other archiving software and being a rar file it opened up.

In truth, if a system has the .bin extension associated with an archiving software (7-Zip, PeaZip, WinRAR, you name it). The file will still open whether you use RAR,7z, Zip compression cause they can read the header, which keeps making the entire password thing useless.

I think the best solution is (as you mentioned) for GOG to create a unique extension which no other software associates. Archiving tools will still be able to open the archives but without confusing the user and more importantly, without having to add a password. That way less headaches for their support and freedom to Linux users.


EDIT:

Might I add that since the .bin files created with Inno can be a container of multiple compression types it shouldn't be hard changing the extension to something else from the source code.
Post edited December 30, 2014 by Ganni1987
avatar
shmerl: I highly doubt any browser performs binary header checks.
https://en.wikipedia.org/wiki/Content_sniffing
Post edited December 30, 2014 by drennan
The files available at abandonware sites are easier to handle than those installers here.
So much for convenience.
avatar
ssokolow: The whole point is to make sure users don't try to unpack it as a RAR. If the browser says its an EXE but the OS refuses to execute it because it lacks the EXE extension, mission accomplished.
If the browser see it as an EXE then it will save it as an EXE.

You could cheat by having the EXE part at the beginning of the file while at the same time keeping the BIN extension. It might do the trick by preventing Browser or explorer from detecting it as a RAR file but IIRC (not 100% sure though) it only works for the first file in a multi-volume archive; if the other volumes have it too they won't be extracted.

avatar
ssokolow: As for the "altered format" part, I suggested that too as the next step along. It's trivially easy to add or remove the seven-byte identifying string from the beginning of a RAR file and, given that they apparently implemented the password calculation within their unrar.dll, it should also be easy for them to comment out the check for those seven bytes.
Well the problem with that is, as I said in my previous post, that it wouldn't be compatible with "official" RAR extractor/compressor; so it you want to extract those files on Linux (or on Windows for that matter) you would need to create/build a custom RAR extractor supporting GoG format (or patch the files).
high rated
avatar
Ganni1987: 2. GOG requires you to login once through the site to download the files and then you can forget about the Site entirely and you know your game works fine in Wine just as the Steam version does.

However you find out that you can't install the GOG version because there's a password in your way.
(The old) GOG on DRM and control:
DRM, also called copy protection, tries to control you and your games. We don't believe in that - all the games on GOG.com come without any DRM at all.
Image source: http://b-i.forbesimg.com/erikkain/files/2013/05/GOG2.png
From: http://www.forbes.com/sites/erikkain/2013/05/30/good-old-games-gog-com-and-the-drm-free-revolution/

Here's TET's personal definition of DRM in the infamous thread that marked GOG's abandonment of one of its three core values:
DRM is explicitly a class of technologies that attempt to control the utility of a digital work after sale. Regional pricing, by the definition of it, is something that clearly works before (or possibly, you could argue, during) sale. Further, once you have purchased the game with regional pricing, you are free to do as many things with it as anyone else in the world is, so we're not attempting to limit your post-sale utility of your files. That's why I say it's not DRM.
Source: http://www.gog.com/forum/general/announcement_big_preorders_launch_day_releases_coming/post4015

No matter how well-intentioned the use of passwords may be it nevertheless constitutes some measure of control - for the sake of (assumed) convenience - and as such ought to be treated as an absolute no go for a company with GOG's particular set of values and principles.
Post edited December 30, 2014 by Lemon_Curry
avatar
shmerl: I highly doubt any browser performs binary header checks.
avatar
drennan: https://en.wikipedia.org/wiki/Content_sniffing
Hah, IE who else. As the article notes it's a flawed practice because it opens the browser for security risks. Dumb if you ask me, but that's MS for you. Then indeed, it can get associated with RAR or any other type IE can detect. In such case GOG can use a known algorithm for compression (LZMA2 or whatever), write their own block compressing tool and package games using that. And as I said, provide code to the community to be able to unpack that thing. Alternatively GOG can supply some mime type to IE from the server which would block content sniffing. There might be a way to do it.

UPDATE:

Here is what I found:
Mimesniffing doesn't mean that there is no way for a server to control how a file is handled. <Content-disposition: attachment; filename="filename.ext"> header enables a server to do precisely that. With this however, IE makes sure that the user gets prompted with the file type information (based on the extension specified by the server here) before the file is opened/saved.
http://blogs.msdn.com/b/ie/archive/2005/02/01/364581.aspx
19.5.1 Content-Disposition

The Content-Disposition response-header field has been proposed as a means for the origin server to suggest a default filename if the user requests that the content is saved to a file. This usage is derived from the definition of Content-Disposition in RFC 1806 [35].

content-disposition = "Content-Disposition" ":"
disposition-type *( ";" disposition-parm )
disposition-type = "attachment" | disp-extension-token
disposition-parm = filename-parm | disp-extension-parm
filename-parm = "filename" "=" quoted-string
disp-extension-token = token
disp-extension-parm = token "=" ( token | quoted-string )

An example is

Content-Disposition: attachment; filename="fname.ext"

The receiving user agent SHOULD NOT respect any directory path information present in the filename-parm parameter, which is the only parameter believed to apply to HTTP implementations at this time. The filename SHOULD be treated as a terminal component only.

If this header is used in a response with the application/octet- stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog.

See section 15.5 for Content-Disposition security issues.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html
Post edited December 30, 2014 by shmerl
avatar
ssokolow: The whole point is to make sure users don't try to unpack it as a RAR. If the browser says its an EXE but the OS refuses to execute it because it lacks the EXE extension, mission accomplished.
avatar
Gersen: If the browser see it as an EXE then it will save it as an EXE.

You could cheat by having the EXE part at the beginning of the file while at the same time keeping the BIN extension. It might do the trick by preventing Browser or explorer from detecting it as a RAR file but IIRC (not 100% sure though) it only works for the first file in a multi-volume archive; if the other volumes have it too they won't be extracted.
Ahh. I hadn't realized that. Modified file header it is then.

avatar
ssokolow: As for the "altered format" part, I suggested that too as the next step along. It's trivially easy to add or remove the seven-byte identifying string from the beginning of a RAR file and, given that they apparently implemented the password calculation within their unrar.dll, it should also be easy for them to comment out the check for those seven bytes.
avatar
Gersen: Well the problem with that is, as I said in my previous post, that it wouldn't be compatible with "official" RAR extractor/compressor; so it you want to extract those files on Linux (or on Windows for that matter) you would need to create/build a custom RAR extractor supporting GoG format (or patch the files).
Patching the files on Linux is trivial and we were OK with InnoExtract.

The important thing is that we feel safe in our ability to extract them, which means that it should be simple to rediscover the mechanism without running Windows code or keeping notes.

A trivially modified unrar.dll that's visible when pointing innoextract at the EXE would satisfy perfectly well as sufficient clue if they just customized the 7-byte identifying header without changing its length.

I could patch it back in one line of Python if I didn't feel like compiling a trivially-patched /usr/bin/unrar. (Two or three lines if you want to loop through a list of them)

$ echo "This is a test" > test.bin
$ cat test.bin
This is a test
$ python -c 'with open("test.bin", "r+b") as fobj: fobj.write(b"That")'
$ cat test.bin
That is a test

Just replace b"That" with b"\x52\x61\x72\x21\x1a\x07\x00" (the 7-byte RAR identifying string).

Hell, there's probably even a way to do it in shell script.
Post edited December 30, 2014 by ssokolow
avatar
shmerl: Alternatively GOG can supply some mime type to IE from the server which would block content sniffing. There might be a way to do it.
There is a way to do it for every browser I know of, as I mentioned on the previous page. Off the top of my head the following would probably be sufficient.

Content-Type: application/x-gog-binary
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename=whatever.bin
avatar
shmerl: Hah, IE who else. As the article notes it's a flawed practice because it opens the browser for security risks. Dumb if you ask me, but that's MS for you. Then indeed, it can get associated with RAR or any other type IE can detect. In such case GOG can use a known algorithm for compression (LZMA2 or whatever), write their own block compressing tool and package games using that. And as I said, provide code to the community to be able to unpack that thing. Alternatively GOG can supply some mime type to IE from the server which would block content sniffing. There might be a way to do it.

UPDATE:

Here is what I found:
Mimesniffing doesn't mean that there is no way for a server to control how a file is handled. <Content-disposition: attachment; filename="filename.ext"> header enables a server to do precisely that. With this however, IE makes sure that the user gets prompted with the file type information (based on the extension specified by the server here) before the file is opened/saved.
avatar
shmerl: http://blogs.msdn.com/b/ie/archive/2005/02/01/364581.aspx
So if I got that right, GOG could:

a) Block or change the sniffing to something that doesn't read "RAR"
and
b) Change the file extension to something unique so "Insert software name" doesn't try to open it.

Not sure why they opted for a quick password lock instead of this. :/
Post edited December 30, 2014 by Ganni1987
avatar
shmerl: Alternatively GOG can supply some mime type to IE from the server which would block content sniffing. There might be a way to do it.
avatar
drennan: There is a way to do it for every browser I know of, as I mentioned on the previous page. Off the top of my head the following would probably be sufficient.

Content-Type: application/x-gog-binary
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename=whatever.bin
Good, so GOG can prevent this browser mix up from the server side. So this reason is out.

avatar
Ganni1987: So if I got that right, GOG could:

a) Block or change the sniffing to something that doesn't read "RAR"
and
b) Change the file extension to something unique so "Insert software name" doesn't try to open it.

Not sure why they opted for a quick password lock instead of this. :/
That's what it looks like, yes. Not sure why they opted for the password either, and for RAR format to begin with. Except that Gowor brought several reasons and browser confusion was only one of them. The second one was the DRM-ish torrents / malware concern. I think both of those were refuted in this thread already.
Post edited December 30, 2014 by shmerl
avatar
Ganni1987: Not sure why they opted for a quick password lock instead of this. :/
Because they thought a diary lock (symmetric crypto with the shared secret included) was a suitable substitute for tri-point screws (custom RAR header or custom archive format) and a tamper-evident "warranty void if opened" seal with a holographic certificate of authenticity on it (verifying the BIN files against a digitally-signed manifest).

(To continue the analogy, we're complaining because they can easily change the lock's innards with every release and we don't like that because not everyone has the time and tools to figure out how the bobby pin needs to be re-bent.)

In fact, one darkly funny parallel is that DRM is the example of how sending the decryption key along with your encrypted data renders it worthless.

In crypto terms, crypto is worthless when you can't ensure that your intended recipient and your attacker will be separate people.

Digital signing works because it's using asymmetric crypto. You sign with the private key and give everyone the public key so they can verify it.

(Did you know that public and private keys can both encrypt? The only rule embodied in the math is that the one which encrypted it cannot decrypt it. Normal encryption encrypts the content with the public key, so only the private key can decrypt it. Digital signing is basically encrypting a hash of the content with the private key. If you can decrypt the hash using that specific public key and it matches the content, then you know it came from someone with the matching private key.)
Post edited December 30, 2014 by ssokolow
To be fair, I honestly would like the GOG installer to properly verify the authenticity of its content.

It'd mean that, if I miss the opportunity to buy something I want like XIII, I'd have the option of thumbing my nose at the meany-pants rightsholders by torrenting a discontinued GOG installer I could trust.

(Not that I would. I like taking the moral high ground, I own just under 1500 digital download games, and I've only beaten a tiny fraction of them... not counting the free stuff not tracked by IsThereAnyDeal.com or the stuff I haven't imported because I only own it on CD-ROM, floppy, or cartridge and it'd be too much hassle to do manually.)
Post edited December 30, 2014 by ssokolow
avatar
Gede: Personally I will allow GOG a few days to review their standing on this issue, and will then act accordingly. I don't expect them to come out crying "Sorry guys! Our bad! We're dumping the work we did last month and starting anew, using only DEBs and APT." But I believe we should manifest ourselves and show how disapointed we feel right now.
avatar
Gersen: Well Gowor said that he was open for suggestion so suggesting things is good, but personally, given the period of the year we are in, I wouldn't really expect anything before next week or the week after.
To be honest, I think running out of inertia on our part is a bigger danger.

Better for GOG to wind up with egg on their face and learn from it (and possibly formulate new company policy) than for us to risk giving them room to "let it blow over".

If Gowor can't fix things in time, then GOG can buy him time by promising on the record that he will.

UPDATE: I've done what I can on Twitter. Can someone with more time to compose a good message step up to start a discussion going on the gog.com subreddit?
Post edited December 30, 2014 by ssokolow
high rated
The reason I own 231 games from GOG is because I can get them to run in Wine on a Mac. It often takes me anywhere from five minutes to a week to get them running satisfactorily, but I do it because I quite literally cannot purchase Mac versions for the vast majority of the games I wish to enjoy. GOG installers have always been just that, installers. Installers that work really, really well in Wine. I have an 85% success rate so far and each time I get a little better at it. I have never asked for help from Support in my own personal game endeavors, I understand that I am tinkering with games that I have purchased and that I have no guarantee I will be able to play them. However, I also understood that I was purchasing installers that I could actually tinker with. To hear that you are actively seeking to impede users like myself is a severe slap in the face and I urge you to choose a better course of action.