Hi
I have a debian stretch system and I wanted to install spotify but it wants the libssl1.0.0 package which isn't available in stretch.
I can download libssl1.0.0 package for jessie from https://packages.debian.org/jessie/libssl1.0.0 and install it with dpkg but is it safe or secure to do so?
I read that I should not mix packages from different debian releases.
If I install this package in this way it won't update automatically after an update is available to the jessie's libssl1.0.0 package, right?
How do I verify the downloaded .deb file? Is comparing the checksum from the download site good enough? Will I have to manually check from time to time if there is a new version of this library for jessie?
spotify missing libssl1.0.0
Re: spotify missing libssl1.0.0
A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get a security patch since it's not maintained by upstream or the Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).
Mixing repos and distros is generally a bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's the only odd dependency for the Spotify client. I've had it installed since Jessie alongside libssl1.1 and libssl1.0.2, and it hasn't caused me a problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I originally installed it via apt-get so your situation is a bit different.
To verify checksums, you could install debsums and use:
    debsums libssl1.0.0
If all this seems a hassle, Spotify has a rather good web player you can use with your browser.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
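The checksum question from the first post, as an added example that is not part of any post in this thread: debsums compares already-installed files with the md5sums list shipped inside the package, while this script checks a downloaded .deb against the SHA256 recorded in an APT Packages index before it is installed. The file names, the sample index and the helper names (index_sha256, verify_deb, make_sample) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.
# Trust chain: Release is signed by the archive key, Release lists the hash of
# Packages, and Packages lists the SHA256 of every .deb. Check Release first:
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release

# Print the SHA256 recorded for the stanza whose Filename ends in basename $2.
index_sha256() {  # $1 = Packages index, $2 = .deb basename
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) file = substr($i, 11)
                if ($i ~ /^SHA256: /)   sum  = substr($i, 9)
            }
            n = split(file, parts, "/")
            if (parts[n] == want) { print sum; exit }
        }' "$1"
}

# Return 0 on match, 1 on hash mismatch, 2 if the index has no such package.
verify_deb() {  # $1 = Packages index, $2 = path to the downloaded .deb
    expected=$(index_sha256 "$1" "$(basename "$2")")
    [ -n "$expected" ] || { echo "no index entry for $2" >&2; return 2; }
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "MISMATCH: $2" >&2; return 1; }
    echo "OK: $2"
}

# Build a constructed index and a stand-in file (not a real package) in dir $1.
make_sample() {
    deb="libssl1.0.0_0.0-constructed_amd64.deb"
    printf 'stand-in for a real package\n' > "$1/$deb"
    sum=$(sha256sum "$1/$deb" | cut -d' ' -f1)
    {
        printf 'Package: other\nFilename: pool/main/o/other/other_1_amd64.deb\n'
        printf 'SHA256: %064d\n\n' 0
        printf 'Package: libssl1.0.0\nFilename: pool/main/o/openssl/%s\n' "$deb"
        printf 'SHA256: %s\n' "$sum"
    } > "$1/Packages"
}

dir=$(mktemp -d)
make_sample "$dir"
verify_deb "$dir/Packages" "$dir/$deb"                       # untouched file
echo "extra bytes" >> "$dir/$deb"                            # simulate tampering
verify_deb "$dir/Packages" "$dir/$deb" || echo "rejected"    # now fails
rm -rf "$dir"
```

The comparison only means something if the Packages file itself came from a signature-checked Release; a hash copied from the same web page as the download shares that page's trust.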
Re: spotify missing libssl1.0.0
One of the first things I did after installing Stretch was to put Spotify on. I downloaded the libssl1.0.0 package and installed with no issues, and it has been working fine.
Since the Debian wiki actually recommends installing the Jessie libssl1.0.0 package on Stretch to get it to work, I would go for it.
https://wiki.debian.org/spotify
NB you may also need
    sudo apt install dirmngr
to get it running.
Re: spotify missing libssl1.0.0
kopper wrote:
> A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get a security patch since it's not maintained by upstream or the Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).
> Mixing repos and distros is generally a bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's the only odd dependency for the Spotify client. I've had it installed since Jessie alongside libssl1.1 and libssl1.0.2, and it hasn't caused me a problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I originally installed it via apt-get so your situation is a bit different.
> To verify checksums, you could install debsums and use:
>     debsums libssl1.0.0
> If all this seems a hassle, Spotify has a rather good web player you can use with your browser.

I thought that since it is in jessie and jessie is still supported as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
Also did you manage to get the web player working on firefox? or just on chrome?
Re: spotify missing libssl1.0.0
Jjueh3 wrote:
> I thought that since it is in jessie and jessie is still supported as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
> Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
> Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
> Also did you manage to get the web player working on firefox? or just on chrome?

No, I'm sorry that I was talking out of my backside. You are right, 1.1 and 1.0.2 versions seem to be for Stretch only. My bad for not checking that out in a hurry. And oldstable is supported by Debian security team, at least for time being. So what I said in my first post doesn't apply, at least not yet. Source: https://wiki.debian.org/DebianOldStable
Q) How long will security updates be provided?
The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough.
I've previously used web player in Chrome a while back. Worked just fine, started to use client since I moved to use Firefox.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
Re: spotify missing libssl1.0.0
There is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.
Re: spotify missing libssl1.0.0
pylkko wrote:
> There is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.

Very useful information going forward, thanks for that.

kopper wrote:
> If all this seems a hassle, Spotify has a rather good web player you can use with your browser.

Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.
Long list of woes on the Spotify forum.
Shame, because it has such potential, but it has always been glitchy at best.
Re: spotify missing libssl1.0.0
Lysander wrote:
> Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.
> Shame, because it has such potential, but it has always been glitchy at best.

I don't mind being contradicted when it's due, and you too have a fair point. My suggestion about web player was, well, a "bit" optimistic. Truth be told, I was pretty disappointed to not get it working with Firefox. About using the client and regarding OP's original question, I haven't had any issues with having libssl1.0.0 in Stretch, other than aptitude reporting it as obsolete. Maybe I should have led with that.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian