We are aware of the problems of only GPG signing the repository metadata over plain http. We haven't spent enough time on fixing the cert problem on our current APT CDN mirror. We did spend some time to try to fix it and setup a new one a while ago:

https://repository.scdn.co

Domains that end with scdn.co are Spotify domains on one of our cdns, but you have to take my word for it here in the forum.

We realized we had some cache issues with that that we haven't fixed yet, so we couldn't migrate away from our old CDN setup which doesn't handle https certs.

Both repository.spotify.com and repository.scdn.co CDN caches use our web server cluster:

https://repository-origin.spotify.com/

That one sits directly in one of our data centers (probably in London) and can handle pretty big load, but no way near what big CDN players can do.

Almost all of our new Linux users follow the download instructions on https://www.spotify.com/download/linux/ and install the snap package securily from Ubuntu Software. Most users who started using the Linux client before December 2017 however still use the debian package and since there is no obvious smooth migration plan, we will probably keep it around for a while.

Since version 1.0.69, which was released in December 2017, Spotify depends on either libssl1.1, libssl1.0.2, libssl1.0.1 or libssl1.0.0 since 1.0.69 and dynamically links to the highest version it finds.

Because of how snap bundles dependencies, Spotify snap users don't have the libssl dependency problems (or the upcoming libcurl problem: see https://community.spotify.com/t5/Desktop-Linux/libcurl4/td-p/4411011 ). The trade-off is of course that they will need to wait for Spotify to send out an updated snap bundle in case of a security issue.