spotify missing libssl1.0.0

Everything about X, Gnome, KDE, ... and everything running on it

spotify missing libssl1.0.0

Postby Jjueh3 » 2017-07-06 08:35

Hi
I have a debian stretch system and I wanted to install spotify but it wants the ibssl1.0.0 package which isn't available in stretch.
I can download libssl1.0.0 package for jessie from https://packages.debian.org/jessie/libssl1.0.0 and install it with dpkg but is it safe or secure to do so?
I read that I should not mix packages from different debian relases.
If I install this package in this way it won't update automatically after an update is available to the jessie's libssl1.0.0 package, right?
How do I verify the downloaded .deb file? is comparing the checksum from the download site good enough? Will I have to manually check from time to time if there is a new version of this library for jessie?
Jjueh3
 
Posts: 6
Joined: 2017-06-23 13:08

Re: spotify missing libssl1.0.0

Postby kopper » 2017-07-06 09:09

A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get security patch since it's not maintained by upstream or Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).

Mixing repos and distros is generally bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's only odd dependency for Spotify client. I've had it installed since Jessie alongside with libssl1.1 and libssl1.0.2, and it hasn't caused me problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I have originally installed it via apt-get so your situation is a bit different.

To verify checksums, you could install debsums and use:
Code: Select all
debsums libssl1.0.0


If all this seems a hassle, Spotify has rather good web player you can use with your browser.
Debian 9.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 70
Joined: 2016-09-30 14:30

Re: spotify missing libssl1.0.0

Postby Lysander » 2017-07-06 12:53

One of the first things I did after installing Stretch was to put Spotify on. I downloaded the libssl1.0.0 package and installed with no issues, and it has been working fine.

Since the Debian wiki actually recommends installing the Jessie libssl1.0.0 package on Stretch to get it to work, I would go for it.

https://wiki.debian.org/spotify

NB you may also need

Code: Select all
sudo apt install dirmngr


to get it running.
User avatar
Lysander
 
Posts: 348
Joined: 2017-02-23 10:07
Location: London

Re: spotify missing libssl1.0.0

Postby Jjueh3 » 2017-07-06 14:21

kopper wrote:A thing to consider about software relying on older package versions is that those packages won't be likely to get any updates. I.e. if there is a vulnerability found in the package, it's not likely to get security patch since it's not maintained by upstream or Debian security team. Someone could fix it of course, but that patch would also be unofficial and unsupported (and unlikely).

Mixing repos and distros is generally bad idea as you mentioned, although I don't think this qualifies as one (someone might slap me for this). libssl1.0.0 doesn't have any other dependencies and as far as I know, it's only odd dependency for Spotify client. I've had it installed since Jessie alongside with libssl1.1 and libssl1.0.2, and it hasn't caused me problem. If you decide to install it, do it with dpkg so you can remove it easily when needed. I have originally installed it via apt-get so your situation is a bit different.

To verify checksums, you could install debsums and use:
Code: Select all
debsums libssl1.0.0


If all this seems a hassle, Spotify has rather good web player you can use with your browser.


I thought that since it is in jessie and jessie is still suporrted as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
Also did you manage to get the web player working on firefox? or just on chrome?
Jjueh3
 
Posts: 6
Joined: 2017-06-23 13:08

Re: spotify missing libssl1.0.0

Postby kopper » 2017-07-06 15:29

Jjueh3 wrote:I thought that since it is in jessie and jessie is still suporrted as an oldstable it would get security updates. Especially that I don't see any 1.1 version for jessie but only for stretch.
Jessie backports has a slightly newer version libssl1.0.0 (1.0.2l-1~bpo8+1) vs jessie's libssl1.0.0 (1.0.1t-1+deb8u6)
Are you saying that people on jessie who won't just take the stretch libssl1.1 package are screwed when it comes to security updates?
Also did you manage to get the web player working on firefox? or just on chrome?


No, I'm sorry that I was talking out of my backside. You are right, 1.1 and 1.0.2 versions seem to be for Stretch only. My bad for not checking that out in a hurry. And oldstable is supported by Debian security team, at least for time being. So what I said in my first post doesn't apply, at least not yet. Source: https://wiki.debian.org/DebianOldStable

Q) How long will security updates be provided?
The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough.


I've previously used web player in Chrome a while back. Worked just fine, started to use client since I moved to use Firefox.
Debian 9.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 70
Joined: 2016-09-30 14:30

Re: spotify missing libssl1.0.0

Postby pylkko » 2017-07-06 16:46

thre is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.
User avatar
pylkko
 
Posts: 1177
Joined: 2014-11-06 19:02

Re: spotify missing libssl1.0.0

Postby Lysander » 2017-07-06 17:02

pylkko wrote:thre is also a package in the Debian repo called mopidy that can play spotify and can be controlled by any mpd client or a web browser.


Very useful information going forward, thanks for that.

kopper wrote:If all this seems a hassle, Spotify has rather good web player you can use with your browser.


Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.

Long list of woes on the Spotify forum.

Shame, because it has such potential, but it has always been glitchy at best.
User avatar
Lysander
 
Posts: 348
Joined: 2017-02-23 10:07
Location: London

Re: spotify missing libssl1.0.0

Postby kopper » 2017-07-07 08:11

Lysander wrote:Sorry for you to be contradicted twice in the same thread kopper, but I would disagree that the web player is 'rather good'. It doesn't work properly for many users and seems to switch between Flash and HTML5.
Shame, because it has such potential, but it has always been glitchy at best.


I don't mind being contradicted when it's due, and you too have a fair point. My suggestion about web player was, well, a "bit" optimistic. Truth to be told was pretty disappointed to not get it working with Firefox. About using the client and regarding OPs original question, I haven't had any issues with having libssl1.0.0 in Stretch, other than aptitude reporting it as obsolete. Maybe I should have led with that. :roll:
Debian 9.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
kopper
 
Posts: 70
Joined: 2016-09-30 14:30


Return to Desktop & Multimedia

Who is online

Users browsing this forum: No registered users and 10 guests

fashionable