spotify missing libssl1.0.0

[Jjueh3]

Hi
I have a debian stretch system and I wanted to install spotify but it wants the ibssl1.0.0 package which isn't available in stretch.
I can download libssl1.0.0 package for jessie from https://packages.debian.org/jessie/libssl1.0.0 and install it with dpkg but is it safe or secure to do so?
I read that I should not mix packages from different debian relases.
If I install this package in this way it won't update automatically after an update is available to the jessie's libssl1.0.0 package, right?
How do I verify the downloaded .deb file? is comparing the checksum from the download site good enough? Will I have to manually check from time to time if there is a new version of this library for jessie?

[kopper]

A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get security patch since it's not maintained by upstream or Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).

Mixing repos and distros is generally bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's only odd dependency for Spotify client. I've had it installed since Jessie alongside with libssl1.1 and libssl1.0.2, and it hasn't caused me problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I have originally installed it via apt-get so your situation is a bit different.

To verify checksums, you could install debsums and use:

Code: Select all

debsums libssl1.0.0

If all this seems a hassle, Spotify has rather good web player you can use with your browser.

[Lysander]

One of the first things I did after installing Stretch was to put Spotify on. I downloaded the libssl1.0.0 package and installed with no issues, and it has been working fine.

Since the Debian wiki actually recommends installing the Jessie libssl1.0.0 package on Stretch to get it to work, I would go for it.

https://wiki.debian.org/spotify

NB you may also need

Code: Select all

sudo apt install dirmngr

to get it running.

[Jjueh3]

A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get security patch since it's not maintained by upstream or Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).

Mixing repos and distros is generally bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's only odd dependency for Spotify client. I've had it installed since Jessie alongside with libssl1.1 and libssl1.0.2, and it hasn't caused me problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I have originally installed it via apt-get so your situation is a bit different.

To verify checksums, you could install debsums and use:

Code: Select all

debsums libssl1.0.0

If all this seems a hassle, Spotify has rather good web player you can use with your browser.

I thought that since it is in jessie and jessie is still suporrted as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
Also did you manage to get the web player working on firefox? or just on chrome?

[kopper]

I thought that since it is in jessie and jessie is still suporrted as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
Also did you manage to get the web player working on firefox? or just on chrome?

No, I'm sorry that I was talking out of my backside. You are right, 1.1 and 1.0.2 versions seem to be for Stretch only. My bad for not checking that out in a hurry. And oldstable is supported by Debian security team, at least for time being. So what I said in my first post doesn't apply, at least not yet. Source: https://wiki.debian.org/DebianOldStable

Q) How long will security updates be provided?
The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough.

I've previously used web player in Chrome a while back. Worked just fine, started to use client since I moved to use Firefox.

[pylkko]

thre is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.

[Lysander]

thre is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.

Very useful information going forward, thanks for that.

If all this seems a hassle, Spotify has rather good web player you can use with your browser.

Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.

Long list of woes on the Spotify forum.

Shame, because it has such potential, but it has always been glitchy at best.

[kopper]

Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.
Shame, because it has such potential, but it has always been glitchy at best.

I don't mind being contradicted when it's due, and you too have a fair point. My suggestion about web player was, well, a "bit" optimistic. Truth to be told was pretty disappointed to not get it working with Firefox. About using the client and regarding OPs original question, I haven't had any issues with having libssl1.0.0 in Stretch, other than aptitude reporting it as obsolete. Maybe I should have led with that.