Chocolatey-coreteampackages: [Discussion] (spotify) Should we remove the checksums from the package?

Created on 4 May 2019 · 39 Comments · Source: chocolatey-community/chocolatey-coreteampackages

I am opening this as a discussion.
For quite a long time now the spotify package has been failing with a checksum error, even right after a new version has been pushed.

This happens because the installer grabbed from the website is quite often not the same version as we got during update. (It randomly changes on almost each request).

While the optimal solution would be to be granted the ability to embed the package, I don't see this happening anytime soon.

Personally I am split on this decision; I see the need to keep the checksums, but also see the need to have a working package.

Please use reactions to vote whether we should remove the checksum or not.
:+1: = Remove the checksum.
:-1: = Keep the checksum.

I will let the discussion/voting go for a few weeks, before I talk with the rest of the maintainers to find out the best way forward (taking the voting into account, of course).

Pending closure


All 39 comments

@AdmiringWorm I'm not sure which reaction to do, as they are both :+1:

As a moderator I believe I should push back if no checksum is used in a package, even if the source is an https url. I think removing the checksums is not an option.

/cc: @gep13 @pauby

@Technetium1 sorry, I was a little tired when I wrote this, I have updated with the correct reaction

Has there been any communication with the Spotify developers about this?

@zero77 @AdmiringWorm

@SpotifyPlatform @SpotifyEng @SpotifyCares @Spotify The way your Windows installer is distributed now, you don't consistently download the exact same installer. Where can we get a copy that will have a consistent checksum?

https://twitter.com/Compdude1/status/1124686623717851138

The problem is with how the package gets the file.
I modified my version of the Spotify package to use URL https://download.scdn.co/SpotifyFullSetup.exe
FYI: Domain scdn.co
The latest version of Spotify was released on 04/29/2019 with a checksum of
C4D64E5720CF895CA5A6DAADDCA8FE5E05CE9B86A24DF8F788F20FD7E38E6171E55D22344678847B003840192D7ED6C99C3661B30785BC140FF7D24899FBF0FF
I just double checked by downloading a fresh copy of the Spotify application, and the checksum matched.
My suggestion is to fix the update.ps1 file and the readme file to inform chocolatey users that they should be aware of the possibility of this package not installing. These conditions can be:

  1. Spotify being installed via the Windows app store
  2. Spotify being installed by Microsoft even on a fresh Windows 10 install
  3. Spotify being installed/updated via means other than chocolatey

While the optimal solution would be to be granted the ability to embed the package, I don't see this happen anytime soon.

Why not? No distribution rights?

IMO we should remove the package from this repository, find another maintainer on RFP and let him deal with it.

I think there are too many packages here to spend time on something this unusual (changing checksum on each request? wtf...)

Or use RedBaron's idea, seems legit on the first look.

@RedBaron2 where did you find that URL? Is it linked from the main Spotify website? i.e. how do we know it is legitimate?

@mkevenaar said...
As a moderator I believe I should push back if no checksum is used in a package, even if the source is an https url. I think removing the checksums is not an option.

As of right now, a checksum is only a requirement on a http URL. However, at some point, it is likely that checksums will be a requirement for all URLs.

@gep13
It is on the main download page. If you look at the file that is downloaded it comes from that domain.

I can confirm that this is indeed the case, I'll try changing the url in the update script (without any other changes), and we will see if it will continue to provide the same executable all the time (I may have to force a new update, we'll see).

@mkevenaar said...
As a moderator I believe I should push back if no checksum is used in a package, even if the source is an https url. I think removing the checksums is not an option.

As long as it hasn't been made a requirement for https urls, it is a viable solution (although only temporarily, until checksums are a requirement).

I would like to keep the checksums, but only if it is still possible to reliably provide the package with them.

@RedBaron2 seems like appveyor was able to get the same checksum as you (with the same version as the one pushed to chocolatey the last time).

If everything works as expected on the automated tests run on chocolatey.org, I believe we can safely say that everything is fixed, and we can close this issue then.

Everything seems to be working correctly with that new url.
Thank you @RedBaron2

Let us leave this issue open for a little while though (over the weekend at least), in case the checksum issue resurfaces.

Just installed Chocolatey and tried installing Spotify now. Failed with a checksum mismatch.

C:\Windows\system32>choco install spotify --yes
Chocolatey v0.10.13
Installing the following packages:
spotify
By installing you accept licenses for the packages.
Progress: Downloading spotify 1.1.5.153... 100%

spotify v1.1.5.153 [Approved]
spotify package files install completed. Performing other installation steps.
Downloading spotify
from 'https://download.scdn.co/SpotifyFullSetup.exe'
Progress: 100% - Completed download of C:\Users\birge\AppData\Local\Temp\chocolatey\spotify\1.1.5.153\SpotifyFullSetup.exe (65.93 MB).
Download of SpotifyFullSetup.exe (65.93 MB) completed.
Error - hashes do not match. Actual value was 'FC8C0043245EE8401A89FFFDCB138C7B761048076FF3A112A73A5D41FB8135BDC88F4C2A14D9ABFE4DAAE1E12667E5219CAC50860741C8681D5BF4556CBECFB7'.
ERROR: Checksum for 'C:\Users\birge\AppData\Local\Temp\chocolatey\spotify\1.1.5.153\SpotifyFullSetup.exe' did not meet 'C4D64E5720CF895CA5A6DAADDCA8FE5E05CE9B86A24DF8F788F20FD7E38E6171E55D22344678847B003840192D7ED6C99C3661B30785BC140FF7D24899FBF0FF' for checksum type 'sha512'. Consider passing the actual checksums through with --checksum --checksum64 once you validate the checksums are appropriate. A less secure option is to pass --ignore-checksums if necessary.
The install of spotify was NOT successful.
Error while running 'C:\ProgramData\chocolatey\lib\spotify\tools\ChocolateyInstall.ps1'.
See log for details.

Chocolatey installed 0/1 packages. 1 packages failed.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures

  • spotify (exited -1) - Error while running 'C:\ProgramData\chocolatey\lib\spotify\tools\ChocolateyInstall.ps1'.
    See log for details.

@birgersp spotify has released a new version, that is why the checksum mismatches.
I'm triggering a new update now (seems the automatic schedule has stopped working).

@gep13 any chance you could look into the scheduling no longer working (even for the old vm)?

@AdmiringWorm said...
@gep13 any chance you could look into the scheduling no longer working (even for the old vm)?

Just seeing this now...

Are you saying that the AppVeyor cron task isn't working for this repository? When you say old vm what are you referring to?

@gep13 when I say the old vm, I am referring to the appveyor builds that were set up when this repository was still under the chocolatey user. Since AFAIK, this is the one that has cron jobs enabled, but the new one does not have it.

@AdmiringWorm this is very strange, as I did have the scheduled jobs enabled in AppVeyor, I raised a support ticket about it, and to the best of my knowledge, it was actioned. Let me follow up with that.

@AdmiringWorm the build schedule is set up:

[image: AppVeyor build schedule settings]

@gep13 hmm, it is odd that the schedule doesn't run then.
I've been triggering it manually for the past few days because it didn't run.

@AdmiringWorm I have asked the question to the AppVeyor guys, and hopefully they can help.

@AdmiringWorm I heard back from the AppVeyor guys, and they stated that things should be running again now. Can you confirm?

@gep13 I triggered it manually an hour ago; before then it had been 2 days since it last ran (and not automatically). So unfortunately, I can not confirm that.

Hence the 17 updated packages in the single run...

Please continue discussion about scheduler at #1284.

Regarding this issue, let's wait a few days for confirmation about the checksum (I can't confirm since spotify doesn't work in my country).

The checksum is currently failing again. Has anything new been discovered about getting Spotify to work in a more stable manner?

@ZiluckMichael I just tested the package, and got no checksum error.
Can you try again and see if you get one or not.

If you get a checksum error, can you navigate to `%temp%\chocolatey\spotify\1.1.7.13766` and right click the `SpotifyFullSetup.exe` file, select properties, then details. Make a note of the product version displayed there.
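The two checks requested in this thread (does the downloaded installer hash to the checksum the package declares, and which product version does the file's version resource report) can be done in one step. The PowerShell function below is an added example, not part of the package's update.ps1 or any code posted here; it assumes the installer has already been downloaded to the path passed in (for example the %temp%\chocolatey\spotify\<version>\SpotifyFullSetup.exe file mentioned above) and that the expected SHA512 is the one the package declares. The sample file at the end is constructed only so the function can be exercised offline.

```powershell
# Added diagnostic (example code, not from the package or the thread).
# Assumptions: $Path points at an already-downloaded installer and
# $ExpectedSha512 is the checksum declared by the package.
function Test-InstallerChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha512
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    # Same algorithm Chocolatey names in its error output ('sha512').
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA512).Hash
    # PE files carry a product version in their version resource;
    # non-PE files simply return an empty value here.
    $productVersion = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    [pscustomobject]@{
        Path           = $Path
        ProductVersion = $productVersion
        ExpectedSha512 = $ExpectedSha512.ToUpperInvariant()
        ActualSha512   = $actual
        Match          = ($actual -eq $ExpectedSha512.ToUpperInvariant())
    }
}

# Offline self-check on a constructed file: one call with the file's real hash,
# one with a deliberately wrong value, so both branches of Match are shown.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-demo.bin'
[System.IO.File]::WriteAllText($sample, 'constructed sample content')
$good = (Get-FileHash -LiteralPath $sample -Algorithm SHA512).Hash
Test-InstallerChecksum -Path $sample -ExpectedSha512 $good
Test-InstallerChecksum -Path $sample -ExpectedSha512 ('0' * 128)
Remove-Item -LiteralPath $sample
```

To reproduce a report like the one in this thread, call the function with the path Chocolatey printed in its error and the checksum the package declares; a ProductVersion older than the version the package was built against, together with Match = False, points at a stale CDN copy rather than a tampered file, which is exactly the distinction the comments below are trying to make.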

Has anything new been discovered about getting Spotify to work in a more stable manner?

Nothing new AFAIK.

@AdmiringWorm I have a checksum error as well. The file details show version 1.1.6.113.gb388fe17
I deleted the file and ran the update again. It downloaded again, but was version 1.1.6 again.

@joachimcarrein I assumed that you are located in Belgium (mentioned on your github profile), and connected to a Belgian VPN.

This got me the same version as you got, so I assume that they are lagging behind on the CDN used for Belgian users.

Can you do me a favor, if you download the spotify installer from: https://www.spotify.com/no/download/windows/
What version do you get then?
I got the latest version then, but just want to make sure that I didn't get a cached version (since I had already downloaded it without the VPN).

@AdmiringWorm
Just checked the link you showed, it says 1.1.7.13766.gf9dc36904.
To be sure, I let choco download again, that one still says 1.1.6

The url used in the package is for the full (offline?) installer, while the one I provided you the link for is not.

I am guessing that the full installer is not a priority to keep up to date (since I can't really find the download link for it anymore).

I will look into changing to the online installer of spotify, as this is more likely to be kept up to date everywhere (hopefully).

Can it be embedded and be done with it?

@majkinetor it can not, no license that would allow it, and no explicit permission from the developers.

Then perhaps somebody can ask, given the number of downloads on gallery...

If I remember correctly, this was attempted in the past (can not remember when), but there was no response at all from the owners of spotify.

Also, considering that their Terms of Service explicitly forbid redistribution (at least it did the last time I checked), and that Linux distros trying to get permission to distribute the program through their official distro channels have been pretty much ignored for the past 2 years, it seems highly unlikely that anyone would get permission to redistribute spotify even if someone were to try contacting them again. (Even getting an answer seems unlikely.)

@AdmiringWorm
I will look into changing to the online installer of spotify, as this is more likely to be kept up to date everywhere (hopefully).

I guess this is the resolution of this discussion, so I am closing this.

So, it looks like there are still issues with the checksum of this package and keeping it up-to-date. Maybe it's worth re-opening this to track progress? @AdmiringWorm @majkinetor

Yes, #1357
