`postinst` adds duplicate Spotify APT source when ...

ak1ra-komj · 2026-02-07

# Summary

When installing `spotify-client` using APT after configuring the Spotify repository according to the official instructions (deb822 `.sources` format), the package `postinst` script may still add `/etc/apt/sources.list.d/spotify.list`. This happens because the repository detection logic does not account for deb822 `.sources` files, resulting in duplicate repository definitions and APT warnings.

---

# Installation Method (Important)

This issue does **not** occur when installing the standalone `.deb` directly.

Steps used:

1. Followed the official Spotify Linux instructions to configure the APT repository using deb822 format.
2. Installed the package via APT:

```
apt install spotify-client
```

Relevant configuration already present *before* installing the package:

`/etc/apt/sources.list.d/spotify.sources`

```
Types: deb
URIs: https://repository.spotify.com
Suites: stable
Components: non-free
Architectures: amd64
Signed-By: /etc/apt/keyrings/spotify.asc
Enabled: yes
```

Spotify signing key (as documented):

```
/etc/apt/keyrings/spotify.asc
Fingerprint: E109 6BCB FF6D 4187 96DE 7851 5384 CE82 BA52 C83A
```

Optional but relevant policy configuration:

```
/etc/apt/preferences.d/90spotify
/etc/apt/apt.conf.d/90unattended-upgrades-spotify
```

---

# Problem Description

Despite the repository being correctly configured and active, the `postinst` script still attempts to add a legacy `.list` file:

```
/etc/apt/sources.list.d/spotify.list
```

This happens because the detection logic only scans:

* `/etc/apt/sources.list`
* `/etc/apt/sources.list.d/*.list`

```sh
find_sources() {
grep -v -E '^\s*#' /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null
}
```

As a result:

* Existing deb822 (`.sources`) configurations are ignored
* `spotify.list` is created
* APT reports duplicate repository definitions for `https://repository.spotify.com`

This occurs even though the repository was configured explicitly, correctly, and in advance by the user using the official documentation.

---

# Why This Matters

* deb822 `.sources` is the modern, recommended APT source format
* Users following current best practices are penalized with warnings
* Duplicate sources can interfere with tooling, CI, unattended upgrades, and policy-based systems
* The behavior is surprising when installing a package *from* that same repository

---

# Policy and Design Considerations

From a Debian packaging perspective:

* Maintainer scripts should not modify global APT repository configuration, especially when the package is installed via APT itself
* The current behavior makes sense for standalone `.deb` installs, but is inappropriate when the package is already being managed by a configured repository
* Repository configuration should remain an explicit user decision

---

# Suggested Fixes

## Option 1 (Recommended, policy-aligned)

Do not add or modify APT repository configuration in `postinst` at all.

If the repository is missing, print an informational message pointing users to the official setup instructions.

## Option 2 (Minimal change)

If repository auto-detection remains:

* Update detection logic to handle deb822 `.sources` files
*or*
* Use APT-native mechanisms (e.g. `apt-cache policy`) instead of parsing source files

This would prevent duplicate entries regardless of source format.

---

# Conclusion

This is a real-world bug affecting users who follow the official Spotify Linux instructions and use modern APT features. It also exposes a broader design issue around repository manipulation in `postinst`.

Addressing this would improve correctness, reduce warnings, and better align the package with Debian and APT best practices.

Thank you for your consideration.

Help categories

Account & Payment

Using Spotify

Listen Everywhere