after almost 15yrs my plex server is no more. jellyfin behind nginx with authentik is running very nicely.

  • macstainless@discuss.tchncs.de · ↑28 ↓5 · 4 months ago

    I’ve heard jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.

    • rumba@lemmy.zip · ↑16 · 4 months ago

      I’ve heard jellyfin has a lot of security issues

      The biggest known stuff I saw on their GitHub is that a number of the exposed service URLs under the hood don’t require auth. So, it’s open-source with known requirements, you can tell easily from the outside that it’s running, and you can cause it to activate a LOT of packages without logging in. That’s a zero-day in any package that can be passed a payload away from disaster.

      As far as tvOS, I’m kinda surprised Swiftfin doesn’t serve you.

      • Lem453@lemmy.ca · ↑7 · 4 months ago

        Assuming this is all true, sure, it’s not great, but how much does it matter?

        Most have Jellyfin in a Docker container. My Jellyfin only has read-only access to the media folder. Only the config folder has write access. Assuming the worst-case scenario here, how much damage can that do?

        • rumba@lemmy.zip · ↑7 · 4 months ago

          A lot of neophyte self-hosters will try running the binary on Windows instead. Experienced self-hosters will indeed use Docker.

          Then, out of the ones that are using Docker, some of them will set it up as privileged.

          And then how many of those people actually make it read-only versus how many just add the path and don’t think about it?

          Don’t confuse your good practices with what the average person will do.
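The two ways of mounting the library that the exchange above contrasts, side by side as a Compose file. This is an added illustration, not configuration from the thread or from the Jellyfin project; the image tag, host paths, port and UID are placeholders I chose, and the first service exists only for contrast (do not run both).

```yaml
# Added example: a careless mount versus a contained one for the same container.
services:

  # What "just add the path and don't think about it" tends to produce.
  jellyfin-careless:
    image: jellyfin/jellyfin:latest   # floating tag: you get whatever was pushed last
    privileged: true                  # every capability and every host device; Jellyfin needs none of this
    network_mode: host                # port 8096 reachable by anything that can reach the host
    volumes:
      - ./config:/config
      - /srv/media:/media             # read-write: a compromised process can rewrite or delete the library

  # The contained version the commenter describes, plus the usual container hardening.
  jellyfin:
    image: jellyfin/jellyfin:10.10.7  # assumption: pin the exact version you have actually tested
    user: "1000:1000"                 # assumption: an unprivileged UID/GID that owns ./config and ./cache
    cap_drop:
      - ALL                           # no capabilities at all; serving media needs none
    security_opt:
      - no-new-privileges:true        # setuid binaries inside the image cannot regain privileges
    ports:
      - "127.0.0.1:8096:8096"         # only a reverse proxy on this host can reach Jellyfin directly
    volumes:
      - ./config:/config              # the only state Jellyfin must be able to write
      - ./cache:/cache                # transcodes and image cache; also needs write
      - /srv/media:/media:ro          # the library is read-only from inside the container
    restart: unless-stopped
```

To confirm the running container matches the intent rather than the file you think you deployed, `docker inspect --format '{{.HostConfig.Privileged}} {{range .Mounts}}{{.Destination}}:{{.RW}} {{end}}' jellyfin` should print `false` followed by `/media:false` among the mounts; a `true` anywhere in that line is the case rumba is describing.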

      • Pup Biru@aussie.zone · ↑2 · 4 months ago

        Swiftfin is mostly there but doesn’t support media segments, which is a deal-breaker for me.

        Really unfortunate, since Jellyfin media segments are a much better implementation of the concept than Plex’s.

        I’m watching the Swiftfin issue for when it gets added and I’ll be all over compiling and testing it.

      • macstainless@discuss.tchncs.de · ↑3 ↓3 · 4 months ago

        Yeah… that’s a non-starter for me. Not gonna risk my entire home lab when Plex doesn’t have any of that risk.

        Also, running in Docker is fantastic but I’ve found Docker to be unstable at times depending on the version.

        • rumba@lemmy.zip · ↑2 ↓2 · 4 months ago

          Oh, Plex has the risk. A vulnerability in Plex is how LastPass lost all their source code. A vulnerability in Tautulli, which he had ported outside, surfaced his auth token; then he was able to use the auth token to get into Plex, and they were able to hit an RCE vulnerability and pull the entire git repo the guy had locally.

          The key difference is Plex at least has a security team and their name on the line with their investors.

          • FreedomAdvocate@lemmy.net.au · ↑2 ↓1 · 4 months ago

            That’s completely different. Every internet connected service has risks, but having known vulnerabilities that you just refuse to fix is different to someone figuring out a complex exploit.

    • Encrypt-Keeper@lemmy.world · ↑10 · 4 months ago

      I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.

      • meh@piefed.blahaj.zone (OP) · ↑6 · 4 months ago

        If you use the OIDC connection and apps that support Quick Connect, you can do it. You basically end up doing things like the Plex link process that got implemented when they forced everyone into their authentication service. I almost went that route but opted to leave the password auth from LDAP in. It’s the kind of login process most people are used to, and I’ve got a few elderly users. I disabled password reset in Authentik though, and everyone gets a 3-word, 24-character-minimum password.

    • cantankerous_cashew@lemmy.world · ↑9 · 4 months ago

      To be fair, there is a tvOS app in development, but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help, and the maintainers post updates here.

    • Jakeroxs@sh.itjust.works · ↑5 · 4 months ago

      OP already said they were behind Authentik.

      There also absolutely are apps for TV OSes like Android; I use one daily.

      • Russ@bitforged.space · ↑5 ↓1 · edited · 4 months ago

        I think they meant Apple’s “tvOS” - which powers the Apple TV set top box.

        There’s no client for it, if I had to take a guess it’s likely due to the costs of doing so.

        Edit: Whoops, it appears I’m a bit out of date on this.

          • Russ@bitforged.space · ↑3 · 4 months ago

            Oh interesting, it’s been a while since I have tried to use Apple TV (roughly 7 years or so - I don’t use any Apple devices anymore), this wasn’t available at the time so I’m glad to see there’s finally some native support.

            • meh@piefed.blahaj.zone (OP) · ↑3 · 4 months ago

              There’s been a LOT of progress on Jellyfin, especially the past year or so. I’ve been using Plex since it forked from XBMC; it ran on the bottom half of a laptop connected to a mostly working projector, both rescued from a dumpster. It’s been a fantastic platform for a long time. But I’ve also wanted off Plex since they rolled out the Plex account requirement. Jellyfin is finally there, for me at least.

    • fmstrat@lemmy.nowsci.com · ↑3 · edited · 4 months ago

      I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The curl script is in the ticket.

      This was the one where a standard user could get plugin credentials, such as the LDAP bind user, and change the LDAP endpoint. I.e., bad.

      I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.

      So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues all require a logged in user (hit admin endpoint with user token).

      Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.

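The two checks that fmstrat's comment (and rumba's earlier point about endpoints answering without a token) describe, as a small probe you can point at your own instance. This is an added example, not the curl script from the ticket and not Jellyfin project code. It assumes Jellyfin's `MediaBrowser` authorization scheme and the `/Users/AuthenticateByName` login endpoint; the lists of paths probed are my selection (the first two are public by design, the admin-only set is what Jellyfin gates behind elevation), and the client/device identifiers are arbitrary. The HTTP transport is swappable so the logic can be exercised offline against a fake server.

```python
"""Probe a Jellyfin server for (1) endpoints that answer with no token at all and
(2) admin-only endpoints that a plain user's token can read.
Added example to accompany the thread; not Jellyfin project code."""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional

# transport(method, url, headers, body) -> (status, body). Injected so tests run offline.
Transport = Callable[[str, str, dict, Optional[bytes]], tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple[int, bytes]:
    """Real transport: plain urllib, returning non-2xx responses instead of raising."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Jellyfin's header scheme. Client/Device/DeviceId/Version are arbitrary labels (my choice).
MB_CLIENT = 'MediaBrowser Client="jf-probe", Device="probe", DeviceId="jf-probe-1", Version="0.1"'

# Probed with NO credentials. The first two are public by design (server name/version, liveness);
# everything else here should refuse. Selection is mine, not an exhaustive map of the API.
UNAUTH_PATHS = ["/System/Info/Public", "/System/Ping", "/System/Info",
                "/Users/Me", "/Plugins", "/System/Configuration"]
EXPECTED_PUBLIC = {"/System/Info/Public", "/System/Ping"}

# Endpoints Jellyfin restricts to administrators. /Plugins is the first hop of the LDAP-plugin
# issue fmstrat describes: the plugin id from here leads to /Plugins/{id}/Configuration.
ADMIN_ONLY_PATHS = ["/Plugins", "/System/Configuration", "/System/Logs", "/ScheduledTasks"]


def unauthenticated_exposure(base: str, transport: Transport = urllib_transport) -> list[str]:
    """Paths that return 200 with no Authorization header and are not expected to be public."""
    exposed = []
    for path in UNAUTH_PATHS:
        status, _ = transport("GET", base + path, {"Accept": "application/json"}, None)
        if status == 200 and path not in EXPECTED_PUBLIC:
            exposed.append(path)
    return exposed


def login(base: str, username: str, password: str, transport: Transport = urllib_transport) -> str:
    """Authenticate a (non-admin) user and return the access token Jellyfin issues."""
    body = json.dumps({"Username": username, "Pw": password}).encode()
    headers = {"Authorization": MB_CLIENT, "Content-Type": "application/json",
               "Accept": "application/json"}
    status, data = transport("POST", base + "/Users/AuthenticateByName", headers, body)
    if status != 200:
        raise RuntimeError(f"login failed: HTTP {status}")
    return json.loads(data)["AccessToken"]


def admin_paths_reachable_with_user_token(base: str, token: str,
                                          transport: Transport = urllib_transport) -> list[tuple[str, int]]:
    """Admin-only paths that answer anything other than 401/403 to a plain user's token.
    An empty list means the 'user token against admin endpoint' class is closed on this build."""
    headers = {"Authorization": f'{MB_CLIENT}, Token="{token}"', "Accept": "application/json"}
    leaked = []
    for path in ADMIN_ONLY_PATHS:
        status, _ = transport("GET", base + path, headers, None)
        if status not in (401, 403):
            leaked.append((path, status))
    return leaked


def main(argv: list[str]) -> int:
    if len(argv) not in (2, 4):
        print(f"usage: {argv[0]} http://host:8096 [standard-user password]")
        return 2
    base = argv[1].rstrip("/")
    exposed = unauthenticated_exposure(base)
    print("unauthenticated 200s (should be none):", exposed or "none")
    leaked: list[tuple[str, int]] = []
    if len(argv) == 4:
        leaked = admin_paths_reachable_with_user_token(base, login(base, argv[2], argv[3]))
        print("admin-only paths readable with a user token (should be none):", leaked or "none")
    return 1 if exposed or leaked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it first with just the base URL, then with the credentials of a deliberately created standard (non-admin) user; a non-zero exit means one of the two classes of exposure is present on that build. Note what this does not cover: anything a logged-in user can legitimately read is data in Jellyfin, which is exactly the distinction fmstrat draws.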

    • mic_check_one_two@lemmy.dbzer0.com · ↑3 · 4 months ago

      Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.

    • meh@piefed.blahaj.zone (OP) · ↑3 · 4 months ago

      https://github.com/jellyfin/Swiftfin is available for tvOS. Works great for me, with one bug. Since I have HomePods connected to one of my Apple TVs as its speakers, I had to change the setting to use the native video player instead of VLC to avoid an audio delay bug. That cost me the auto-play-next-episode function. I thought not auto-playing the next episode would annoy me, but it’s turned out not to be an issue at all. But Infuse doesn’t include that bug if you want both HomePod TV speakers and auto-play next episode with Jellyfin. As for security, since Jellyfin is more modifiable it has a lot more room for misconfiguration, for sure. Plex had plenty of its own security issues; we just only heard about them when some security blogger discovered it.

      • Pup Biru@aussie.zone · ↑2 · 4 months ago

        Misconfiguration here, I think, is a dangerous way to phrase it. It implies that there is a secure way to run Jellyfin on its own. Jellyfin, by itself, should never be exposed to the WWW. It is, no matter the configuration, insecure. To run Jellyfin on the WWW you must put a VPN or other reverse proxy with auth over the top of it.
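What "a reverse proxy with auth over the top of it" looks like for the setup the OP describes (nginx in front of Jellyfin, Authentik doing the authentication). This is an added example, not configuration from the thread; it follows Authentik's documented nginx forward-auth (`auth_request`) pattern as I know it, so check it against the current Authentik docs before relying on it. Hostnames, ports, certificate paths and the upstream names `jellyfin` and `authentik-outpost` are assumptions.

```nginx
# Added example: every request to Jellyfin must first pass Authentik's forward-auth check.
server {
    listen 443 ssl http2;
    server_name jellyfin.example.net;                       # assumption
    ssl_certificate     /etc/nginx/certs/jellyfin.crt;      # assumption
    ssl_certificate_key /etc/nginx/certs/jellyfin.key;      # assumption

    # Jellyfin itself: never reachable except through this block.
    location / {
        auth_request     /outpost.goauthentik.io/auth/nginx;  # subrequest to the outpost; 2xx = allowed
        error_page       401 = @authentik_signin;             # not signed in -> start the SSO flow
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        proxy_pass         http://jellyfin:8096;              # assumption: container name on a private network
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Jellyfin's web client uses a websocket on /socket; these headers let it through the proxy.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }

    # The outpost's own endpoints must be reachable WITHOUT auth, otherwise nobody can sign in.
    location /outpost.goauthentik.io {
        proxy_pass              http://authentik-outpost:9000/outpost.goauthentik.io;  # assumption
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    # Where an unauthenticated browser is sent: Authentik's login, then back to the original URL.
    location @authentik_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

The caveat the rest of the thread already raises applies here: the 302 to a login page is something only a browser can follow, so native apps that speak the Jellyfin API directly (Swiftfin, Infuse, the Android TV client) will fail at this gate unless the proxy exempts them, which is the trade-off behind the OP's decision to keep LDAP password auth inside Jellyfin and behind Encrypt-Keeper's complaint that the clients don't do OIDC. Whatever you exempt is then protected only by Jellyfin's own authentication, so keep the exemption list as short as you can and verify with `curl -sI https://jellyfin.example.net/System/Info` that an unauthenticated request gets the 302 rather than a 200.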