Repository configuration management: installed unconditionally in postinst, not removed in prerm

Hi,

The Linux Spotify .deb packages install an APT key in their postinst script (using a simple 'cp'.)  This is slightly problematic for a couple of reasons:

1. The APT key isn't removed again in the prerm script, so will be left behind indefinitely after package removal.  This doesn't seem like best practice, and may constitute a minor security bug.

2. I'd like to install Spotify system-wide on the managed Linux workstations I maintain, but can't (as a matter of policy) unless I can programmatically prevent this repository key from being registered as trusted (and similarly avoid registering your repository in /etc/apt/sources.list.d/.)

This is because we use a private package repository, signed using our own keys, to distribute packages—so the addition of other repository signing keys on client machines isn't useful or permitted.


If you were to modify your packages so that they instead install your current repository key and sources list snippet as part of the package's main file manifest (ideally using predictable filenames!), then I could use dpkg-divert to ensure that our local configuration takes precedence. (This would also fix problem #1 above!)

Would something like this be possible?

Kind regards,
—dwm
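
The gap described in point 1 can be checked mechanically. The following is an added example, not part of the original post and not Spotify's packaging: it lists APT key and sources files that a postinst references but that no removal script deletes. The sample maintainer scripts, the `example` file names and the `/etc/apt/trusted.gpg.d` location are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list APT trust/source files that a postinst references but
# that no removal script (prerm/postrm) deletes. Sample scripts are constructed.

# Print each path under the APT key or sources directories named in script $1.
# /etc/apt/trusted.gpg.d is assumed here; the post only names sources.list.d.
apt_paths() {
    grep -Eo '/etc/apt/(trusted\.gpg\.d|sources\.list\.d)/[A-Za-z0-9._-]+' "$1" | sort -u
}

# $1 = postinst, remaining args = removal scripts (may be none).
# Prints the paths from postinst that never appear on an `rm` line.
leftover_apt_paths() {
    postinst=$1; shift
    [ $# -gt 0 ] || set -- /dev/null   # package ships no prerm/postrm at all
    for p in $(apt_paths "$postinst"); do
        if ! grep -hE '(^|[[:space:];&|])rm([[:space:]]|$)' "$@" | grep -qF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Build constructed maintainer scripts in a temp dir and audit them.
demo() {
    d=$(mktemp -d)
    cat > "$d/postinst" <<'EOF'
#!/bin/sh
# constructed sample, not the vendor's actual script
cp /usr/share/example-client/example.gpg /etc/apt/trusted.gpg.d/example.gpg
cp /usr/share/example-client/example.list /etc/apt/sources.list.d/example.list
EOF
    cat > "$d/prerm" <<'EOF'
#!/bin/sh
rm -f /etc/apt/sources.list.d/example.list
EOF
    leftover_apt_paths "$d/postinst" "$d/prerm"
    rm -rf "$d"
}

demo
```

For a real package, `dpkg-deb -e package.deb dir` extracts the maintainer scripts, which can then be passed as `dir/postinst dir/prerm dir/postrm`.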
