cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this someone in my household who watches our server. That's it folks. I've been a hold out for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I'll say it. As of today, I say Plex is dead. Luckily I've been setting up Jellyfin, I guess it's time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I'm unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don't understand what plex pass is, and they shouldn't have to, that's why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality. I don't care that "People should pay their fair share". If Plex wants to put every new feature behind a paywall, that's completely okay. They are removing functionality.
- "But they have cloud costs". Remote streaming is negligible to them. It's a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That's it.
- "Good luck finding another remote streaming" - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that's a separate conversation). All "remote streaming" is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported "free" content that they're probably losing money on.
In short, I don't care how you justify it. Plex is doing something shitty. They're removing functionality that has been free for years. I'm not responding to any more of your comments repeating the same arguments over and over.
Isn't there an assumption it would be behind a reverse proxy... At least I hope that's the assumption.
Doesn't do shit when large parts of the Backend are not authenticated
What kids of things?
I've never worried that much because it's not critical data and it's containerised in Docker, but I am curious about specifics because large numbers of people expose it to the internet (through reverse proxies).
https://github.com/jellyfin/jellyfin/issues/5415
Cheers for that. Many of these issues allow an authenticated user to do admin actions if they do the right things, so it seems you should never allow a user that you don't fully trust to have an account.
But outside of this, there isn't anything in there that on its own worries me given the nature of the platform (that is, that if it all burnt down I could retrieve all data from other sources). I'm no expert but a cursory look shows a bunch of potential issues that may be layered with other issues but no clear attack path except with prior knowledge.
These should obviously be fixed but there's nothing that makes me want to rip my server off the open internet in a hurry.
Seems trivial to me for someone to guess file paths and use those to confirm if specific content is on a jellyfin server. With how prevalent things like docker and sonarr are, filepaths are pretty standardized these days. I wouldn't trust JF without a VPN
I guess my position is that I am not worried about someone confirming content exists on my server. But I don't live in the US, if I did I might be more worried. I also geofence to my country to limit exposure.