submitted 1 week ago* (last edited 1 week ago) by Sunny@slrpnk.net to c/selfhosted@lemmy.world

In today's episode of "Plex enshittifies": Plex employee breaks ToS.

Source: https://forums.plex.tv/t/fake-reviews-on-play-store-by-plex-staff/917736

[-] Sunny@slrpnk.net 302 points 1 week ago

Leaving this completely unrelated link to a better alternative here: https://jellyfin.org/

[-] Saik0Shinigami@lemmy.saik0.com 125 points 1 week ago* (last edited 1 week ago)

Leaving this for people to realize that there's a literal chapter's worth of a book of security issues that haven't been fixed and seem to keep getting the can kicked down the road... for over 4 years now.

https://github.com/jellyfin/jellyfin/issues/5415

I love Jellyfin... people need to implement it sensibly knowing the potential risks.

Edit: Ah yes! I MUST be a shill for saying "Implement it sensibly".

Here, let me "de-shill" myself.

You have several options to make Jellyfin serviceable to users outside of your literal LAN network.

  1. Set up a VPN. Pray you don't have a user on a device that doesn't have a VPN app that you can work with.
  2. Set up whitelisting on your server. Pray that IP addresses don't change.
  3. Set up fail2ban or crowdsec. Pray that your users don't piss off either by doing user things and getting locked out.

If anything above fails... you're likely on the hook for support. Hope you plan for that!

  1. Obfuscate your paths (change /movies/title (year)/title.ext to something like /9ZHBrvNH4dKQDYFa2parH32qqSFpjsWTataVkjy4NqPxpVktT55PkEee5YSVRvUQ/movies/title (year)/title.ext). MD5 is now much harder to generate/guess... pray that there isn't some other vulnerability. Gotta go back and reconfigure and organize your shit. Oh and make sure that your docker mounts aren't crushing the path!

Am I still a Plex shill? BTW I run Jellyfin AND Plex. Literally side by side. Different uses for different cases because Jellyfin just can't compete with Plex for sharing with dumb-ass relatives.
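Option 3 above in working form, as an added example that is not from this thread or from the Jellyfin project: a fail2ban-style detector run over constructed access-log lines that flags an address probing many distinct item IDs and mostly getting 404s, while a real client browsing items that exist stays unbanned. The `/Items/` and `/Videos/` path shapes, the thresholds and the log lines are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Nginx "combined" access-log line as written by a reverse proxy in front of the media server.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ITEM_RE = re.compile(r'^/(?:Items|Videos|Audio)/([0-9a-fA-F]{32})(?:[/?]|$)')  # assumed item paths
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, time, item_id, status) for a request to an item endpoint, else None."""
    m = LINE_RE.match(line)
    item = ITEM_RE.match(m.group("path")) if m else None
    if not item:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            item.group(1).lower(), int(m.group("status")))

def find_enumerators(lines, window=timedelta(minutes=5), min_ids=50, min_miss_ratio=0.8):
    """Flag IPs that hit >= min_ids distinct item IDs inside `window`, mostly getting 404s.
    A real client scrolling a library also touches many IDs, but those exist (200); the
    miss-ratio condition is what keeps a fail2ban-style rule from locking such users out."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort()  # sliding window over (time, item_id, status), oldest first
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            in_window = recs[start:end + 1]
            ids = {r[1] for r in in_window}
            miss_ratio = sum(r[2] == 404 for r in in_window) / len(in_window)
            if len(ids) >= min_ids and miss_ratio >= min_miss_ratio:
                flagged[ip] = (len(ids), miss_ratio)  # this is where a ban action would fire
                break
    return flagged

def sample_log():
    """Constructed traffic: one client browsing 20 real items, one scanner guessing 80 IDs."""
    base = datetime(2025, 5, 14, 12, 0, 0, tzinfo=timezone.utc)
    ts = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [f'203.0.113.10 - - [{ts(12 * i)}] "GET /Items/{i:032x} HTTP/1.1" 200 512 "-" "MediaClient/1.0"'
             for i in range(20)]
    lines += [f'198.51.100.7 - - [{ts(2 * i)}] "GET /Videos/{0xabc0 + i:032x}/stream HTTP/1.1" '
              f'{200 if i % 20 == 0 else 404} 0 "-" "curl/8.0"' for i in range(80)]
    return lines
```

With the defaults only the scanner is flagged; lowering `min_ids` to 20 and `min_miss_ratio` to 0 shows how a naive request-count rule would also ban the legitimate client.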

[-] oshu@lemmy.world 122 points 1 week ago

If your use case is to have a nice media server at home and while traveling (via tailscale or similar) without exposing your private data, Jellyfin is great.

If your use case is running a pirate tv service for other people, then you probably want something else.

[-] Saik0Shinigami@lemmy.saik0.com 37 points 1 week ago

If you're supporting ANYONE other than yourself who isn't technical, it's a hurdle. And likely a significant one.

I would not be able to educate my wife properly on the times when she would need to enable wireguard on her phone to use it properly (and when to disable it for other scenarios).

This has nothing to do with running a pirate service.

[-] LandedGentry@lemmy.zip 31 points 1 week ago

Seriously it baffles me how so many advocates of Jellyfin don’t recognize the huge gulf of technical knowledge needed to set up plex vs Jellyfin. It doesn’t even compare.

[-] AmbiguousProps@lemmy.today 28 points 1 week ago* (last edited 1 week ago)

Seriously. Someone tried convincing me that it would be an easy lift to send my MIL across the country a preconfigured Pi so that she could have web browser access to Jellyfin. She only has a computer for doing taxes, and watches everything on her TV.

Not only would she get confused every step of the way, even if it was just plug & play, she would also blame me if ANYTHING happened on her network and want me to fly out to fix it.

I'm not about to take that responsibility just so she can watch the latest episode of 90 day fiance. I have enough pain when she needs to sign into Plex.

[-] LandedGentry@lemmy.zip 5 points 1 week ago

Yeah I did jellyfin for a while but last time the lifetime pass went on sale for Plex I just said "fuck it," bought it, bought a cheap beelink, booted elementary OS on it, and set several friends/family up on it. I check the beelink maybe once a month for updates/adding stuff. Easy peasy.

[-] asbestos@lemmy.world 14 points 1 week ago

Set up a WireGuard client so it's always connected but is used only for a certain IP (the address of your server). If you're interested, I can help you with that.
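The split-tunnel setup described in this comment, as an added example that is not the commenter's own config: a client-side WireGuard profile whose `AllowedIPs` carries only the server's address, so the tunnel can stay "always on" without routing the rest of the phone's traffic. Keys, addresses and the endpoint are placeholders.

```ini
# Constructed client profile; every value here is a placeholder to replace.
[Interface]
PrivateKey = <client-private-key>
# The phone's address inside the tunnel.
Address = 10.8.0.2/32
# No DNS line on purpose: the phone keeps its normal resolver for everything else.

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# A full tunnel would be AllowedIPs = 0.0.0.0/0, which breaks local services while connected.
# Route only the tunnel gateway and the media server's LAN address through WireGuard.
AllowedIPs = 10.8.0.1/32, 192.168.1.20/32
# Keeps the NAT mapping alive so the always-on tunnel stays reachable from the home side.
PersistentKeepalive = 25
```

The server side must list the client's tunnel address (10.8.0.2/32 here) in its own peer `AllowedIPs`, or return traffic is dropped.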

[-] Saik0Shinigami@lemmy.saik0.com 19 points 1 week ago

It's not me that's the problem. I have a permanent tunnel back to my house/infrastructure (straight wireguard). It's communicating how to use it to my users that's the problem... I already do enough support that I'm just not opening that can of worms to non-tech people.

[-] ThorrJo@lemmy.sdf.org 15 points 1 week ago

everybody downvoting your comment has zero experience being the go-to family tech guy for relatives in their 80s and 90s who can't reliably distinguish between windows, dialog boxes, menus, and buttons

[-] AtariDump@lemmy.world 7 points 1 week ago

Great!

How do I set up WireGuard specifically on my AppleTV? How about my Roku? My friend's LG TV? My other friend's Samsung TV?

[-] Getting6409@lemm.ee 7 points 1 week ago

I think they're meaning exposing it to the public for the pirate tv use case. In my personal experience (1 non savvy user using the roku app, no vpn), it's not much support. I had to talk them through initial sign on, and through re-sign-on after that latest update that forced it. Of course ymmv, but two 5 minute tech sessions with grandma over 2 years of consistent usage ain't that bad.

[-] 1hitsong@lemmy.ml 4 points 1 week ago

through re-sign-on after that latest update that forced it

I've racked my brain to determine WHY that happened, but the only thing I can guess is Roku saw the channel differently because I packaged it instead of the previous person, so the config didn't port over /shrug

Never had that happen before.

[-] oshu@lemmy.world 6 points 1 week ago

My wife has no problem starting the tailscale app and then starting the Jellyfin app. It's really that simple.

She also uses the tailscale exit node I run whenever she is on a public wifi. It's really a well designed, simple to use app.

[-] AmbiguousProps@lemmy.today 7 points 1 week ago

Would you like to explain to my MIL about how to set up tailscale for her entire network so she can stream to her TV?

[-] Saik0Shinigami@lemmy.saik0.com 4 points 1 week ago* (last edited 1 week ago)

Awesome... cool for you. The average person doesn't even understand or even know what a VPN is.

I taught undergrad and grad college level IT courses. Many students there didn't even understand what a VPN actually is.

Edit: It works for you... great... it could even work for many... Awesome. There are legit use cases for the majority that VPN just doesn't work.

[-] oshu@lemmy.world 5 points 1 week ago

Jellyfin is a home media server. It is great for that use case. It is easy to set up and use. Most importantly it's not sending data about everything we watch to some company.

Stick to plex if you want to run a free internet tv service for your cousin and their kids and whoever else and you aren't concerned with their or your privacy.

I'm into self-hosting because data privacy is my primary concern.

[-] stupidcasey@lemmy.world 37 points 1 week ago

Me wondering how many security issues the completely proprietary Plex has that they won't tell us about.

[-] possiblylinux127@lemmy.zip 17 points 1 week ago

Honestly this is something that needs to be talked about more. I frequently see people roasting on foss but in reality the proprietary vendors have all sorts of dumb security issues.

[-] Saik0Shinigami@lemmy.saik0.com 8 points 1 week ago

Fair concern... But I can tell you unauthenticated endpoints aren't one. I haven't tested any others personally.

[-] LainTrain@lemmy.dbzer0.com 12 points 1 week ago

Unauthenticated endpoints aren't one as far as you can tell.

[-] Darkassassin07@lemmy.ca 24 points 1 week ago* (last edited 1 week ago)

Without authentication; it's possible to randomly generate UUIDs and use them to retrieve media from a jellyfin server. That's about the only actually concerning issue on that list, and it's incredibly minor IMO.

With authentication, users (ie, the people you have trusted to access your server) can potentially attack each other, by changing each other's settings and viewing each other's watch history/favorites/etc.

That's it. These issues aren't even worth talking about for 99.9% of jellyfin users.

Should they be fixed? Sure, eventually. But these issues aren't cause to yell about how insecure jellyfin is in every single conversation, and to go trying to scare everyone off of hosting it publicly. Stop spreading FUD.

[-] Saik0Shinigami@lemmy.saik0.com 5 points 1 week ago* (last edited 1 week ago)

It's not FUD if it's real. I could say the same shit for people screaming Jellyfin at literally every chance they get when the topic is Plex. Instead I further the discussion rather than telling other people they're spreading FUD.

it’s possible to randomly generate UUIDs

It's an MD5 hash of the file path. Not randomly generated, and not a proper UUID.

Edit: for others that might not understand... Docker files will standardize the path side... *arr suites and general human nature will standardize the file name.

So a generally guessable file path exists for a LOT of users out there... It's absolutely possible to guess that many people running jellyfin would store their version of bigbuckbunny as /movies/bigbuckbunny (2008)/bigbuckbunny.mkv or similar conventions, and I've probably already nailed the path to generate the MD5 for a lot of people running Jellyfin just now.

[-] DigDoug@lemmy.world 20 points 1 week ago

Imagine downvoting "Be careful what you expose to the internet". I thought I'd got away from Reddit.

[-] Appoxo@lemmy.dbzer0.com 9 points 1 week ago

The core message is (to me) fine.
What I kind of dislike is the delivery.

Btw: Can someone tell me why the path-guessing is so dangerous?
I don't care if someone can guess the path for the.rise.of.the.linux.ISO.720p.DD.H264.mp4 and wants to download it.
Not like any damage or (interactive) intrusion was made into my network.

[-] Saik0Shinigami@lemmy.saik0.com 6 points 1 week ago* (last edited 1 week ago)

Btw: Can someone tell me why the path-guessing is so dangerous?

Cause organizations like Sony have already done things like installing rootkits on people's computers. Now imagine they realize this is a flaw in some media setups and their legal departments start actioning on it. (generate a rainbow table of common names for files, and common paths used in linux/docker containers... running 10000 http requests on a server over a few minutes is child's play)

All it takes is one thing to parse on a list that never had a physical release and now your whole server will be subject to discovery at the court case.

If you have literally no illegal content on your server, no problem... other than that you'll be on the hook to provide proof of rights to have the content... and possibly at worst rights to distribute (they accessed it without authentication, so literally anyone else could have too).

Edit: Oh but hold on! I hear you say that it would be illegal for them to scan your computer like that...

Except it isn't. There's no law that says you can't try to navigate to a URL. There are laws that say that you can't bypass attempts to authenticate/protect content... but remember the endpoint isn't behind authentication.

[-] FreedomAdvocate@lemmy.net.au 5 points 1 week ago

This is why when people say that FOSS is more secure than closed source I always laugh. Those people seem to think that because it's open source that not only has it been reviewed in depth by security experts who know every single possible vulnerability, but that they found every vulnerability, fixed them, put in PRs that were then approved by the creator, who then made a new release with those fixes... every time a new potential vulnerability is discovered in the libraries etc that it's using.

Often it just leads to situations like this - known big vulnerabilities that are just never fixed.

[-] Saik0Shinigami@lemmy.saik0.com 10 points 1 week ago* (last edited 1 week ago)

It cuts both ways... Closed source things can be hiding shit... or simply never testing/caring about it... Oftentimes a truly interested person can externally test it and find the flaw anyway... but not always.

Where open source can have a lot of people who care about it... but never have the manpower to fix it.

The best open source projects are the ones that have closed source backing, it seems. I've had my company throw resources into open source projects before because we used them.

But jellyfin and the likes would be hard to get backing for.

[-] ccunning@lemmy.world 7 points 1 week ago

Am I correct that there is no first party Jellyfin app for AppleTV?

[-] mosiacmango@lemm.ee 17 points 1 week ago* (last edited 1 week ago)

There is not, but Infuse is what the Jellyfin project officially recommends.

[-] stephaaaaan@feddit.org 11 points 1 week ago

There is Jellyfin, Swiftfin, and Infuse - the latter being 3rd party, but it's my favourite so far in terms of stability :)

[-] Cocodapuf@lemmy.world 5 points 1 week ago* (last edited 1 week ago)

It's plain deceitful to say jellyfin is simply better. It's simply less capable and less supported. I don't know if you're trying to deceive others or just yourself.

Here's the difference: With Plex it's trivial to invite other people to watch content from your server, they can view it on just about any device they have and it doesn't take any complicated networking setup to achieve. Likewise, just as you share your server, you can view content from other people's servers through the same interface. This is not a small feature; it's the primary feature of Plex, it's what sets it apart from xbmc or any media center software.

I am totally on board with FOSS and I would absolutely use jellyfin in a second if it could do the things that Plex does. But it can't.

As a side note, this new interface for Plex on mobile is absolute shit, a big step backwards. If I had my way I'd still be using the Plex app from 2016.

The real problem with Plex is that it's a whole package, server and client. If it were instead a server and an open protocol, that anyone could make a client for, that would be vastly superior. I desperately want to use a more customizable 3rd party client with my Plex server.

[-] MangoPenguin@lemmy.blahaj.zone 5 points 1 week ago

Jellyfin really needs to work on security and server discovery.

As it is right now you have to manually input the server URL unless it's on the same physical network, discovery won't even work with broadcasts across VLANs, or over the internet.

this post was submitted on 14 May 2025
955 points (94.5% liked)