https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4421338#M15947 <P>We are aware of the problems of only GPG signing the repository metadata over plain http. We haven't spent enough time on fixing the cert problem on our current APT CDN mirror. We did spend some time to try to fix it and setup a new one a while ago:</P> <P>&nbsp;</P> <P><A href="https://repository.scdn.co" target="_blank">https://repository.scdn.co</A></P> <P>&nbsp;</P> <P>Domains that end with&nbsp;scdn.co are Spotify domains on one of our cdns, but you have to take my word for it here in the forum.</P> <P>&nbsp;</P> <P>We realized we had some cache issues with that that we haven't fixed yet, so we couldn't migrate away from our old CDN setup which doesn't handle https certs.</P> <P>&nbsp;</P> <P>Both repository.spotify.com and repository.scdn.co CDN caches use our web server cluster:</P> <P>&nbsp;</P> <P><A href="https://repository-origin.spotify.com/" target="_blank">https://repository-origin.spotify.com/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>That one sits directly in one of our data centers (probably in London) and can handle pretty big load, but no way near what big CDN players can do.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Almost all of our new Linux users follow the download instructions on <A href="https://www.spotify.com/download/linux/" target="_blank">https://www.spotify.com/download/linux/</A> and install the snap package securily from Ubuntu Software. Most users who started using the Linux client before December 2017 however still use the debian package and since there is no obvious smooth migration plan, we will probably keep it around for a while.</P> <P>&nbsp;</P> <P>Since version 1.0.69, which was released in December 2017, Spotify depends on either&nbsp;libssl1.1, libssl1.0.2, libssl1.0.1 or libssl1.0.0 since 1.0.69 and dynamically links to the highest version it finds.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Because of how snap bundles dependencies, Spotify snap users don't have the libssl dependency problems (or the upcoming libcurl problem: see <A href="https://community.spotify.com/t5/Desktop-Linux/libcurl4/td-p/4411011" target="_blank">https://community.spotify.com/t5/Desktop-Linux/libcurl4/td-p/4411011</A> ). The trade-off is of course that they will need to wait for Spotify to send out an updated snap bundle in case of a security issue.</P> <P>&nbsp;</P> Thu, 15 Mar 2018 22:32:52 GMT jooon 2018-03-15T22:32:52Z https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4420789#M15945 <P><A href="https://repository.spotify.com/" target="_blank">https://repository.spotify.com/</A> is served with an invalid SSL certificate, preventing its use with APT.&nbsp; Serving APT repositories without TLS/SSL is a known security risk:</P><P><A href="https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/" target="_blank">https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/</A></P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>--</P><P>&nbsp;</P><P>On an unrelated note: when will the Spotify client be built against a newer version of libssl?&nbsp; Debian no longer ships with libssl1.0.0.</P> Thu, 15 Mar 2018 15:46:11 GMT https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4420789#M15945 reklipz 2018-03-15T15:46:11Z https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4421338#M15947 <P>We are aware of the problems of only GPG signing the repository metadata over plain http. We haven't spent enough time on fixing the cert problem on our current APT CDN mirror. We did spend some time to try to fix it and setup a new one a while ago:</P> <P>&nbsp;</P> <P><A href="https://repository.scdn.co" target="_blank">https://repository.scdn.co</A></P> <P>&nbsp;</P> <P>Domains that end with&nbsp;scdn.co are Spotify domains on one of our cdns, but you have to take my word for it here in the forum.</P> <P>&nbsp;</P> <P>We realized we had some cache issues with that that we haven't fixed yet, so we couldn't migrate away from our old CDN setup which doesn't handle https certs.</P> <P>&nbsp;</P> <P>Both repository.spotify.com and repository.scdn.co CDN caches use our web server cluster:</P> <P>&nbsp;</P> <P><A href="https://repository-origin.spotify.com/" target="_blank">https://repository-origin.spotify.com/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>That one sits directly in one of our data centers (probably in London) and can handle pretty big load, but no way near what big CDN players can do.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Almost all of our new Linux users follow the download instructions on <A href="https://www.spotify.com/download/linux/" target="_blank">https://www.spotify.com/download/linux/</A> and install the snap package securily from Ubuntu Software. Most users who started using the Linux client before December 2017 however still use the debian package and since there is no obvious smooth migration plan, we will probably keep it around for a while.</P> <P>&nbsp;</P> <P>Since version 1.0.69, which was released in December 2017, Spotify depends on either&nbsp;libssl1.1, libssl1.0.2, libssl1.0.1 or libssl1.0.0 since 1.0.69 and dynamically links to the highest version it finds.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Because of how snap bundles dependencies, Spotify snap users don't have the libssl dependency problems (or the upcoming libcurl problem: see <A href="https://community.spotify.com/t5/Desktop-Linux/libcurl4/td-p/4411011" target="_blank">https://community.spotify.com/t5/Desktop-Linux/libcurl4/td-p/4411011</A> ). The trade-off is of course that they will need to wait for Spotify to send out an updated snap bundle in case of a security issue.</P> <P>&nbsp;</P> Thu, 15 Mar 2018 22:32:52 GMT https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4421338#M15947 jooon 2018-03-15T22:32:52Z https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4421357#M15948 <P>Now that I read my own message, I wonder why we never just setup a temporary redirect from:</P> <P>&nbsp;</P> <P><A href="https://repository.spotify.com" target="_blank">https://repository.spotify.com</A></P> <P>&nbsp;</P> <P>to:</P> <P>&nbsp;</P> <P><A href="https://d2czmavkeme1ql.cloudfront.net/" target="_blank">https://d2czmavkeme1ql.cloudfront.net/</A></P> <P>&nbsp;</P> <P>I will investigate it again to see if we can fix it quickly before properly migrating to a better CDN setup.</P> Thu, 15 Mar 2018 22:45:42 GMT https://community.spotify.com/t5/Desktop-Linux/APT-repository-fix-SSL-certificate/m-p/4421357#M15948 jooon 2018-03-15T22:45:42Z