It's possible, but if that's so, it's going to be horrendously abused.

That one seems to have been fixed.

Support messages don't stop bothering me. It always says that I have a new message, even though I already read them all.

wasn't that always the case? I kinda like that feature. you posted with your old ava and that ava should always be associated with your post.

Secure login is now no longer an option on the frontpage. I used to login secure by using the link.

Typing in https:// directly seems to work as expected, though.

Nope, that "feature" went away a long time ago. The only remaining traces of it were in old quoted messages, where the mini avatar would remain the old one, even though the original post would be updated with the new avatar.
Actually, secure login is no longer optional. If you check the site code, the login dialog is always calling https://www.gog.com/en/login.

It appears to have been fixed now.

However, I just discovered another "bug" involving the posting of links. Actually, it's most likely a feature, but I really liked it better before.

Now, when you mark some text in the post editor and click the link button, it not only puts URL tags around it, it also fille out the URL in the opening tag with the text that was marked. Which is fine, if the text you marked was actually a URL. Mostly when I post URLs however, I'm making the relevant bits of a sentence into a link, and so I have to mark those words again in order to paste the actual URL into the tag. I find this rather annoying.

I can't click the messages popup to read a reply from support, and even when I go into my account, open the email, pretend I'm going to reply, close it... the next time I click the suggestions category the message appears as new again so I can't get rid of the ribbon either.

Not bugs, but typos:
-The forum name, forum URL and game page URL for Total Annihilation is Total Anihilation (missing an N).
-The game page for M&M 6-Pack lists Might and Magic 4&5: World of Xee (missing an N).
-The M&M 6-Pack bonus adventure is written as Sword of Xeen, but it should be Swords of Xeen (plural).

Uh, BASS is already free to everyone...

I think they added the gifting ability to it as a means to get current user to invite their friends to join GOG.

I admit that I don't really know how to examine site code in the manner you're talking about. If the site is logging in securely behind the scenes, that's great; But for idiots like me, the page ought to be displayed as secure so we know what's going on.
For example, look at this screenshot of what I see when I try to log in to GOG. No https:// in the address bar, no lock displayed to indicate a secure connection. Lesson number one of safe browsing is to NEVER put your password into a page like this. Even if it's actually secure despite appearances, idiots like me won't trust it.

I know it is. It was a subtle way to indicate that gifting free games is possible now but wasn't before, as well as getting some fool happy that he managed to snag a code for a free game before anyone else (not realising it was free to begin with).

It seems broken though, as I only got a white page where I should have had the option to enter an e-mail address and other stuff.

That's because you are not putting your login into the main browser page, you are putting it into the login popup, which is like a separate browser window and does actually connect to the https URL. I agree, there should be some indicator within the popup, but the main browser window will never change. Rest assured, despite the lack of an indicator, you are getting a secure connection when you log in.

Anyone having random *EMPTY* pages on game cards?
And the occasional 500 when checking out through paypal, and then coming back?
A 500 response with exact 20 bytes just containing a html opening and then the closing of the head, body and html without opening. Seems the page already bugged out before rendering.
Or more clear:
A post to paypal results into a redirect to https: ...GOG en/paypal/<orderandid stuff>,
that one results into the *same* redirect without https, and then it redirects to en/checkout/<orderidandstuff>, and that one redirects to the *same* en/checkout WITH https, which serves a 500.
If you ask me: way too many redirects to the same parts to proces an order...


(Edited, because I just found it it is bouncing between ssl and non ssl for no *good* reason. Of course there are reasons, but they are NOT good :-) )