I was about to post this too.

That's not an accurate description of events at all. That quoted statement makes it sound like the devs are big winners here who have come out ahead. But no they aren't, and no they didn't.

Their game has been successfully banished off of all platforms that 99%+ of gamers would ever buy PC Games from, those being Steam first and foremost, and then EGS far behind Steam and perhaps tied with the other publisher-exclusive DRM stores, and at a huge distant last place, GOG (but even with that being so... GOG still has vastly more customers than the Red Candle games store ever will).

Yes the Devotion debacle did give huge publicity to the game, but from that, it does not follow (yet your statement heavily implies that it does) that that means all the people who ever heard about the story are all going to flock to the tiny, obscure, totally unknown new Red Candle store and buy the game by the millions.

In reality, that is not going to happen. The reality is that Devotion's sales will forever be severely hamstrung, and consequently very low, by way of it having been relegated exclusively to an obscure unknown platform that almost nobody knows or cares about, other than perhaps a couple dozens or a few hundred die-hard fans...which certainly aren't enough to make a game or a store be financially viable.

The good reason to keep this thread going is not "for the sake of it," but rather, because the devs are still getting shafted by way of GOG having banned the game. The devs having released it via their own website doesn't change that fact one iota.

Since you claim to aim for accuracy surely you won't mind this obvious correction attempt.
What you said here is heavily inaccurate.
There is a VERY sharp difference between platform making a promise, signing a contract and then the platform backing off (this would be GOG),
versus
developer successfully signing a contract with a platform (Steam), the platform fulfilling it and actually hosting the game, and then the developer deciding to pull out from the store for their own reasons, btw stated publicly, with official statement:
https://steamcommunity.com/app/1006510/discussions/0/1796278072845376475/

Ergo:
You shouldn't actually mix Steam with mud since Steam actually released the game in original state, and it was NOT STEAM who pulled it out.
We also don't know if the game wouldn't perhaps reappear on Steam in the future since Valve didn't actually cut business relations with Red Candle Games and their other game, Detention, is still sold there.

This can be proven as evidence is public and also archived (both tweets, and briefly live GOG product card are archived at the very least on webarchive [archive org]).

While this is just pure speculation unless you have actual official public info to back this statement.

That is 100% irrelevant to potential sales of the game considering the game is not available on GOG atm (no "2 different stores having 2 different userbases while selling THE SAME GAME therefore getting different sales" argument, the game is on only 1 store atm, so this argument is not applicable AT ALL).

I don't know if I should call what you just said hypocrisy or just plain misunderstanding.
The RC store isn't meant for the sake of distributing broader selection of games.
Don't misunderstand.
It's sole purpose is to sell RC creations.
And that's it. It's yet another developer-owned site dedicated to self-publishing. Nothing more, nothing less.
Your words really make it sound like this concept is new to you :S

"nobody knows or cares"?
Actually, RC creations' fans will find the place eventually. Those who care about specificly RC creations were and are seeking ways of buying it so sooner or later they will arrive at the RC store.
Anybody else who doesn't know about the game while being potential customer may still find it through various influencers (I'm pretty sure now that the game is actually available those influencers who cover the case would now start saying "you can get it there") when browsing for similar content (say, horror games).
The only group of customers that really gets cut off as potential profit is those who would otherwise find this game "by accident" on Steam (or other platform) through for example discovery queue or random store widgets.

I think you have misconstrued what I said. In that statement I was talking about publicity - I didn't say anything at all about sales. And in your post, you effectively agreed with me:

Yes, it's seems clear that Red Candle have gained a huge amount of publicity from the censorship debacle, which they wouldn't have had otherwise and it is ironic (imo). Publicity is very important for a game. I wonder how many millions CDPR spent on marketing for Cyberpunk? There is a reason those millions get spent.

As far as sales, I don't think either of us know enough to say whether their sales of the game will end up being higher, compared to if they had released the game on Steam and the 'many gamers' had just ignored it. Being on Steam isn't the be-all-and-end-all. Many games released on Steam go almost totally unnoticed, because they get lost amidst the vast ocean of garbage they have on there. Also, there are examples of games that have become popular that are not on Steam (or at least weren't for many years): Dwarf Fortress, Cataclysm: Dark Days Ahead, Nethack. Games such as Minecraft and many games by Blizzard and EA (e.g. Mass Effect) grew popular despite not being on Steam (at least initially).

But I agree with your points: just because Red Candle are now selling their games directly doesn't necessarily mean they are going to be ok financially. Which is why we need to keep pushing for GOG to host their games and not let them off the hook.

Good point, the checksums could be on different servers/platforms. Kinda convoluted for the end user, but plausible.

Most importantly, a verification key need not be distributed from the same location as the thing being distributed, although it becomes really important that, if using something like md5, that you keep your versions straight. Version 1.01b and 1.01c are going to have 2 different md5s.

You should never use md5 for anything important.
It's utterly worthless. Proven broken. Doesn't actually protect from collisions.
There's a reason it calculates so fast (takes shorter than it would take for your storage device to actually read entire file range, this is direct evidence it doesn't actually calculate hash from ENTIRE file just select few parts of it).
It's a worthless alg for ANY backups.
It's in the process of being replaced in any place that has sane procedures and actual standards.
Unfortunatelly it's still being perceived as "valid" by many in IT world as well as whole ocean of uninformed private people.
You should use something like sha256. Or sha512.
Or use both - this way you actually are reducing risk of collision or rouge change to an absolute minimum - at the moment it would be near impossible to make 2 different (high complexity and not proven broken) algs collide sums at once.
And if you cannot be bothered with time then use at the VERY LEAST sha1.

I'm a bit more aware than you realize. However, good luck getting better than md5 from anyone. I used sha1 for a little thing that pulls naughty images out of spam emails i get (for an experiment), to reduce the frequency of duplicate images. It wasn't perfect: duplicates managed to get though on rare occasions.

For cryptography and collision protection... You should beware taking any particular hash seriously. The very nature of hashing increases chances of collision (as opposed to multiple redundant stores), by virtue of being irreversible. This is fundamental to understanding hashes, and failure to understand it will only lead to disappointment. For storage and integrity, we need triple redundancy at the bare minium.

We are talking about 2 entirely different issues - you are talking about data retention - meanwhile I am talking about verifying usefulness of the retained data, which is entirely different problem.
You use Z copies for data retention, better redundancy means higher chances your data is going to be retained in the longterm.
Meanwhile you use checksums to verify if your retained copy Z_number is usable AT ALL (ergo if it was not modified through ANY means, such as corruption, or perhaps malicious actor involvement).
The two aren't competetive means to achieve the same. The two are 2 different matters entirely.
They should be used in conjunction with each other and NOT exclusively.

And IMO I wouldn't call making a backup of exact copies on 3 drives of the same model manufactured in the same batch a "proper" backup by any means.
It's more of a "happy go lucky, wishful thinking based HOPING that they will not start to crap out all at the same time".

Ideally we would have a storage solution that would be impossible to be affected by environmental factors.
A master copy from a material that is virtually indestructible, not affected by ANY magnetic fields (including visual radiation, such as sunlight), nor temperature (something that could easily withstand 3 k degree C for "reasons" [mostly deliberate attempts at sabotaging it by rouge personel but not actually limited to that, say fires, or maybe you dropped your backup into a volcano to give a more abstract example) and sturdy enough to not get altered with even formidable force.
Something like a block made of material-better-than-titanium in which data would be physically engraved *.
With compression obviously, as raw binary representation would not be very density effective.
So a coded representation naturally, with dictionary added somewhere on the device itself (for avoiding "we have the backup but the dictionary was forever lost somewhere in the archives so we cannot read this thing" situations).
A "data block" if you will.
Unfortunatelly we do not have such a storage facilitator right now, but few people worldwide are trying to cook up something like that.

* this is actually just like optical media (pressed anyway) on a concept level. Just far more sturdy and environmental factors resilient.
The closest to that we got so far is M-disc which is based on basically stone layer (versus more or less organic and / or "chemically reactive" data layers used in "conventional" pressed optical media) which makes it far less suspectible to all sorts of factors, including higher resistance to temperature.
And in-before someone goes all "but it wasn't proven".
To those people:
shut up and at least make an ATTEMPT at understanding.
Synthetic tests.
Nobody makes realtime tests anymore. Technology used would be obsolete by the time the test would end.
Synthetic tests are designed to simulate realtime workload while performing drastically time-reduced test.
They are based on complex scientific calculations.
Almost everything is tested like that nowadays, including things like longetivity of car suspension in a 4x4 car.
Maybe it (M-disc) will not last advertised ~1000 years. But if the test methodology was proper and the tests were done ok (I am suspecting they were at least proper-ish [if not better] considering military testing was involved) it should definitely last for at least few DECADES. Which is considerably longer than for example what VerbatimE or Taiyo Yuden (the original, not the "chinese ripoff after assets purge", also I'm talking about RECORDABLE ones and NOT pressed ones) is rated at (which are ALREADY "higher end than what most people would use").

Ultra-long-term data retention is a fascinating case. One I am particularly personally interested in (I am also interested in non-storage hardware that could work for more than a decade without failing in any way - something humanity doesn't consistently have atm - and it's somewhat infuriating for me personally how humanity still goes for profit over quality to this day, prioritizing designing stuff with repeated purchase [ergo income] in mind versus superior quality that would last for at least decades - this is something that has to change FAST - otherwise we could start drowning in ELECTRONIC trash in few decades, not to mention most of the infrastructure working state is based almost entirely on luck and hoping nothing BS will happen).
I could go on about this case for ages. But unless you want me to start writing a book here I will just not drag this off-topic too far.
So if you excuse me, we can continue this conversation (should you be interested) in private message at some point (keep in mind I'm highly busy within next 1,5 month and may respond with huge delays).

I have to admit, yesterday's little episode with the Cyberpunk news post gave me little hope for gog. These people don't even have the guts to shill for their own game (ill-advised as it may be at this point), it would be foolish to think they'd stand up for anybody else's game. They just cave in at the first sign of resistance. Sad.

They're actually a bit more similar than you realize (replace "hard drives" with "download sources," for example). I'm talking about absolutes here (for the purpose of making a point). On that same token, the best encryption algorithm is an xor key of data size equal to the file being sent that is generated entirely by picking numbered beans out of a jar (and used only that one time). At the end of the day, the question is just how far is too far, and how little is too little, and that varies from person to person. To see any algorithm as absolutely reliable for any particular purpose is insanity. This is why games are downloaded over SSL from sites like GOG. SSL is the industry standard, right now, no matter what we like. I don't know with 100% certainty since i didn't get too deep into the algorithms, but I do believe SSL has a built in data integrity check, which might be why GOG isn't even reliably providing MD5s anymore.

Hashing algorithms in particular are important, but there's a tradeoff. If the algorithm handles birthdays too well, it becomes conceiveable to reverse the password from the hash. This is a dichotomous tradeoff that must always be balanced.

(And, no, I get what all of what you're saying, but i'm keeping my reply simple so I can keep to the big point, because this is something i think you're really missing, which is typical of people in the industry when they become too abstracted from the bare field, which almost always happens to everyone in it, for the "testing" reasons you mention, which is why each hashing algorithm "getting cracked" comes as such a hard shock, because we want to believe so badly that we fail to understand these fundamentals: there is no subsitute for a large base set of true random [not extrapolated from random] values.)

EDIT: The thing is, the guy who made a big stink to make sure this was abundantly clear to me about encryption fell victim to this very thing himself not long before when discussing a presumed perfect encryption algorithm, and quantum computing, and a few other things. I wonder now how he feels knowing that, while he was right about some things and i was therefore wrong, I was still right about his over-investment (he became an investor) in things like quantum computer, which was ultimately the big picture of why he was talking to me (he wanted my help, in addition to passing his knowledge on).

If by any chance you are talking to me specificly then I feel entitled to craft a response but as I said earlier I have no desire to drag this off topic into great lengths until there is nothing more to say. I would prefer to refrain from being dragged into doing so.

You are mixing up apples and oranges SO HARD that I am not sure if it is even worth it to attempt to correct you.
SSL "used" on GOG is tied to HTTPS and has NOTHING to do with data integrity.

You also don't use exact same algorithms for data encryption (for example password hashing in database, or connection encryption in HTTPS) and data checksumming (data integrity checking).
You use different for each as the premises of usage and general goals are completely different.
Due to what I have just said the info you outlined in the post I am responding to is mostly nonsense.
Please learn the difference, research a bit maybe, or if you happen to know the difference then don't treat random people on the internet as "definitely newcomers" and actually be precise as what you wrote is so far off the mark it's laughably inaccurate.
No offense. And nothing personal. But you are mixing stuff up so much I don't know if I should cringe, laugh or just ignore it and not bother myself with attempts at correcting this obvious bamboozlement.

"SSL is industry standard"
It's not. It WAS. But no more.
It's deprecated by RFC for years now.

Also I don't know what realm you live in but at least for me connection with GOG is encrypted with TLS (on the browser I used a moment ago it was 1.2).
But C- for an attempt.
It was worth a laugh.

edit:
corrected some punctuation

Hey remember when GOG removed a Taiwanese game from the store because China pressured them into doing it?

Only six months left. I´m so excited!

yep + 2 days
cant wait to get this game here, beacon of freedom