• 0 Posts
  • 386 Comments
Joined 3 years ago
cake
Cake day: June 9th, 2023

help-circle
  • Just because you do know any or that there are no know to the public does not mean it is secure. Do we know if the plex communication with your server is secure? No one cares, because no one is looking into it.

    The main issue, is that ita not that simple to get new versions on the closed eco systems on many smart TV, especially when you are just a single dev and no company who can throw money on the problem.

    As I said, the issue is not that big, and mainly an excuse for most ppl. The API break will come, hopefully sooner than later, but it needs to be carefully designed, to prevent issues in the future.

    But again, the current issue is not that much of a problem. I do not see the benefit of anyone to probe my server if i have certain media files on there. And i do not use the default paths.


  • I am saying that the mentioned security vulnerbility is not as big as ppm make it to be. The bad thing right now is that IF you know the exact path of a media item you can probe if its there. As soon as you varg your path by just single character from the default/guides that are out there, this is basically no longer practical.

    Is this ok? No. But to fix this, every Client would be broken.

    The current API dies not follow modern security practices since some are not or partially autheticated. Thats basically inherited by Emby.

    That is the current main issue and needs to be dealt with.

    I assume that after the last EFcore (database handling) this gets addressed since now the API can be designed around the standerized databade calls.

    Also overseer is also not saying “pls host on the public internet”. If you do so, you are on your own. Why jellyfin gets treaded different? I do not know.

    EDIT: I guess at least some ppl, use this as a comfortable excuse to stay on Plex. “But it is insecure… so i can not set it up”






  • And the memory leaks get closed one after another? Dont they? Just because there are still issues does not mean it gets improved upon.

    Media matching is no issue if you follow the naming sheme.

    I am not upset at all, not sure why you think that.

    Jellyfin will and connot be the replacement you wish it to be. Exposing something to the Internet is not a solution for the normal person. Heartbeat, Log4shell etc. etc. all of those are the reason why, not necessarily the service you are hosting by itself.

    Especially in an age where tailscale is available to install on every major smart TV or other devices i do not get why you even want to recommend ppl to expose it.



  • Once? No jellyfin has had about 4 major RCE issues since the fork. At least 4 that I’m aware of. Blaming it on the previous code only makes sense if the split is recent. They have had time to completely rewrite if they really want.

    It absolutely makes sense, otherwise they would have had to throw everything away.

    The EFcore refacotring was like 6 years in the making.

    And all that from just a few single ppl. Look at the ckntributer list, and how many contribution. Not many active devs are working on jellyfin on their free time. The problems that jellyfin has, is not from a lack of trying but a from a lack of finger and arms.

    And you need to take it like it is.




  • And Plex doesn’t require any. It’s okay to accept that one product can be more polished than the other, and Plex has a lot of stuff that “just works”

    And it is ok to accept that Plex is getting worse and worse. Only reason why ppl use it these days is because they still have an old lifetime pass. As soon as they take it away or introduce a new tier of features or even removing features of it, they will swarming away from Plex.

    And they will!

    OC never said anything to do with your comment, you seem to be really offended by recommending an alternative to a tool that you use.


  • As I said, when you know the exact path of a media item on the server then you can check if the item exists.

    If you choose a none standard filepath its not an issue.

    Should that be fixed yes.

    Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.

    Mitigation? Just add another random letter in the docker-compose mount path.





  • I didn’t mean to put words in your mouth, but your replies are exhausting. Lighten up.

    I think you got my point. Not sure why you feel the need to try to discuss another discuasion topic with me.

    Apt could use some usability improvements, specifically around doing full upgrades. This isn’t a controversial take.

    No its not. And again, I never said apt is good or perfect or bad.

    Googling apt full upgrade CLI leads to various articles, all of which have a series of commands that are named orthogonally to this fairly common use case, and must be run in order, and sometimes repeated.

    I am fully aware, it is not like i ever had to dig down and resolve dependency hell.

    There’s good reasons it is the way it is, and it can certainly be improved.

    But it is something different if you say that tools could be made better, than writing a whole article with a click bait title on “How i ignored the output of my package manager”.




  • When a kernel update requires a change in dependencies, something Proxmox kernels do frequently, apt just quietly “keeps back” the package. It doesn’t fail, it doesn’t break the system, and it doesn’t trigger a rollback. It just waits for me to notice.

    This should save a click for hopefully everyone.

    Yes obviously, if you do not update the packages then they do not get updated.

    If you do not read the output of a command then you will not notuce that.