blkbrdsr71: I don't see a problem here. It's nice to have all my games under one roof, instead of launching one game manager after another. I have 4 game managers: Steam, GOG, Uplay, and Origin. Having the ability to play my games through one client is the best thing GOG has done.
Again, no one is saying there shouldn't be a unified launcher. It's like saying, "I like living in my house, I don't see why we need locks on the doors". Putting locks on the doors doesn't mean you can't live in a house.
To extend this analogy to an almost absurd degree, the situation is more like: you have a house and there ARE locks on the doors, but there's a guy blocking the door who presents you with a keyhole (the integration plugin). And when you put your key in you can't be sure if the keyhole goes directly to your door or to a fake doorknob that makes a copy of your key in the process (the login form is just some HTML that could be coming from a MITM attack). All I'm asking is that we add the ability to be sure it's actually your doorknob you're putting your key in (display that the TLS signature has been verified).
Your user experience wouldn't change at all except that there would be a little icon indicating that your GOG client has verified that the federated login form is actually coming from the site you think it is.
Edit: I've done enough experimenting locally that I'm convinced a MITM would be trivial and undetectable by the user. I hosted a copy of the Steam login page on my own machine without any SSL/TLS cert, then changed 1 line in my Steam plugin to direct there instead of the Steam login page. I opened GOG 2.0 and started the Steam integration process, and it hosted my fake page, no questions asked. There is no indication that I'm on a fake login screen except for the fact that I edited the sign-in button. At this point all my fake server would have to do is pass the login info on to Steam using exactly the same code the plugin does and pretend nothing weird is happening.
So unless there's some rigorous security process that commits go through before being whitelisted for use by the GOG client, any one of the dozens of GitHub integration maintainers could wake up one day and push a commit that starts logging people's info. Sure, they'd probably get caught, but only after how many victims have their accounts pwned? And it could all be avoided entirely if the GOG client validated certs.
I know the client is new, I know there are people working their asses off getting it working and stable, and I appreciate every second of their hard work. I just don't want to see one bad actor somewhere put GOG in headlines for bad security. That could ruin people's trust in the platform, and I desperately want to see it succeed.
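An added example of the kind of check the poster is asking for, written as hypothetical client-side code and not anything from GOG Galaxy or its plugins; the plugin names, allowlisted hosts and function names are assumptions. The client refuses to render a plugin-supplied login page unless it comes over HTTPS from a host allowlisted for that plugin, and fetches it with certificate and hostname verification turned on, so the "verified" indicator the reply describes has something real to display.

```python
import ssl
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical per-plugin allowlist of hosts a login page may be loaded from.
# The plugin names and hosts are constructed placeholders for this example.
PLUGIN_LOGIN_HOSTS = {
    "steam": {"store.steampowered.com", "steamcommunity.com"},
    "origin": {"signin.ea.com"},
}

def host_allowed(host, allowed):
    """Exact match or a genuine subdomain of an allowed host.
    The label boundary check rejects look-alikes such as
    'steamcommunity.com.attacker.test'."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def check_login_origin(plugin, url):
    """Decide whether the client may render the login URL a plugin handed it.
    Returns (ok, reason); the reason is what the UI would show the user."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "login page must be served over HTTPS"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ip_address(host)            # a bare IP is never a real identity provider
        return False, "IP literal instead of a hostname"
    except ValueError:
        pass
    if host == "localhost":
        return False, "localhost is not an identity provider"
    allowed = PLUGIN_LOGIN_HOSTS.get(plugin)
    if not allowed:
        return False, f"no login allowlist for plugin {plugin!r}"
    if not host_allowed(host, allowed):
        return False, f"{host} is not an allowed login host for {plugin}"
    return True, "origin allowed; certificate is verified on connect"

def login_tls_context():
    """Context for fetching the page: chain validation and hostname check on.
    A plugin pointing at a self-signed or plain-HTTP host fails here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```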