cross-posted from: https://poptalk.scrubbles.tech/post/2333639

I was just forwarded this by someone in my household who watches our server. That’s it folks. I’ve been a holdout for a long time, but this is honestly it.

They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.

I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.

Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.

And for the thousandth person who wants to say the same things to me:

  • YES I know I’m unaffected as a Plex Pass owner.
  • My users were immediately angry at it, which made me angry. Our users don’t understand what Plex Pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy.
  • Plex is still removing functionality. I don’t care that “People should pay their fair share”. If Plex wants to put every new feature behind a paywall, that’s completely okay. They are removing functionality.
    • “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
    • “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that’s a separate conversation). All “remote streaming” is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.

In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.

  • legion02@lemmy.world
    ↑45 ↓11 · 6 months ago

    Doesn’t jellyfin just not do this at all? Like if you want to stream remotely you need to figure out a vpn solution to do it?

    • Semperverus@lemmy.world
      ↑25 ↓1 · 6 months ago

      You can stream remotely via jellyfin if you expose your server to the internet. VPN is safer but not the only option.

      • MaggiWuerze@feddit.org
        ↑7 ↓6 · 6 months ago

        Yeah, no way. Jellyfin’s backend is like an open barn door. And with the kind of content most of us here offer through either Jellyfin or Plex, I wouldn’t want to open up like that.

        • NotSteve_@lemmy.ca
          ↑7 · 6 months ago

          Anecdotal but I’ve run Jellyfin publicly without any issues for around 5 years. It even has its own domain name.

        • Dave@lemmy.nz
          ↑2 · 6 months ago

          Isn’t there an assumption it would be behind a reverse proxy… At least I hope that’s the assumption.

            • Dave@lemmy.nz
              ↑3 · 6 months ago

              What kinds of things?

              I’ve never worried that much because it’s not critical data and it’s containerised in Docker, but I am curious about specifics because large numbers of people expose it to the internet (through reverse proxies).

                • Dave@lemmy.nz
                  ↑1 · edited · 6 months ago

                  Cheers for that. Many of these issues allow an authenticated user to do admin actions if they do the right things, so it seems you should never allow a user that you don’t fully trust to have an account.

                  But outside of this, there isn’t anything in there that on its own worries me given the nature of the platform (that is, that if it all burnt down I could retrieve all data from other sources). I’m no expert but a cursory look shows a bunch of potential issues that may be layered with other issues but no clear attack path except with prior knowledge.

                  These should obviously be fixed but there’s nothing that makes me want to rip my server off the open internet in a hurry.

                  • Zeoic@lemmy.world
                    ↑2 · 6 months ago

                    Seems trivial to me for someone to guess file paths and use those to confirm if specific content is on a jellyfin server. With how prevalent things like docker and sonarr are, filepaths are pretty standardized these days. I wouldn’t trust JF without a VPN

      • CmdrShepard42@lemm.ee
        ↑12 · 6 months ago

        “Very easy” assuming you aren’t trying to share with non-technical people or your elderly parents.

      • akilou@sh.itjust.works
        ↑8 · 6 months ago

        Dude how the hell am I supposed to walk my mom through setting up tailscale on her Roku?

        And what if you have multiple friends all sharing each others libraries?

        This is not a feasible solution let alone a “very easy” one.

        • fossilesque@mander.xyz
          ↑2 ↓4 · edited · 6 months ago

          I was thinking a computer! Multiple people can connect to your tailscale and jellyfin at once. That’s not so much an issue. Other than that, there’s not so much more than installing the app and signing in with email or Google then sending them a link. I use a shared email and pass to speed up the process.

          • Nibodhika@lemmy.world
            ↑2 ↓1 · 6 months ago

            You completely ignored his question, Tailscale is not a valid solution for your mom’s Roku

      • legion02@lemmy.world
        ↑7 ↓5 · 6 months ago

        Completely unreasonable to need to walk people through this. It’s OK to say jellyfin can’t do remote access.

        • fossilesque@mander.xyz
          ↑1 · 6 months ago

          Well, I never said it did out of the box. I was giving people the example of how I did it, in case they wanted an easy option for PCs. No offence meant, my friend.

          • Nibodhika@lemmy.world
            ↑2 ↓1 · 6 months ago

            You’re replying to a message that literally says that, so it makes you sound like you think Tailscale is somewhat integrated into Jellyfin, because the message originally said exactly that you needed a third party app to solve this issue in Jellyfin

            • fossilesque@mander.xyz
              ↑1 · edited · 6 months ago

              Mate chill, I already implied I misunderstood and apologised. I’m human and allowed to make mistakes.

    • charles@lemmy.ca
      ↑21 ↓12 · 6 months ago

      You’re 100% correct. I always find it funny how hardcore some people are with Jellyfin vs Plex. I’ll probably end up getting downvotes on this but imo Plex is way simpler to set up and keep running, and as a lifetime pass owner, I’ve very rarely felt like my experience has been deteriorated by any of the changes that the Jellyfin crowd freaks out about. Plus Plexamp is honestly such a great music player. I’ll happily keep running Plex for the foreseeable future.

      • TeamAssimilation@infosec.pub
        ↑4 · 6 months ago

        Plex is more polished, but I love Jellyfin’s subtitle search; it blows Plex’s socks away.

        Also, Jellyfin doesn’t nag me every effing time to enable DRM in Firefox for some unfathomable reason.

        But Plex definitely wins on performance, IMO.

        • charles@lemmy.ca
          ↑4 · 6 months ago

          If you have music on your server, I’d strongly recommend checking it out. I believe it was started as a side project by the Plex devs and it’s a way better music player than the one built into the Plex apps.

          • TrickDacy@lemmy.world
            ↑2 · 6 months ago

            I appreciate this recommendation. I’ve been trying it out for like 5 minutes and I’m very impressed! This could be life-changing and lead to me axing Spotify. Thank you kind stranger!

      • themachine@lemmy.world
        ↑18 ↓5 · 6 months ago

        That is not correct. A VPN would be one method but you can also just expose the service to the internet in a number of ways and accomplish the same thing Plex provides.

        • mobotsar@sh.itjust.works
          ↑22 · 6 months ago

          You probably shouldn’t just expose jellyfin to the internet quite yet though. There are some ongoing efforts to fix unauthenticated endpoint problems.

            • mobotsar@sh.itjust.works
              ↑2 · 6 months ago

              To be fair, there has been very slow progress toward securing some endpoints. But yeah, I was probably being too charitable; the project places way too much emphasis on “backward compatibility” and not enough on security.

        • sudneo@lemm.ee
          ↑4 ↓1 · 6 months ago

          Not to be “achtuallying” but VPN is not a way to remote stream, it’s a way to bring remote clients in the local network.

          Likewise exposing services on the internet… not really going to happen, especially for people - like me - that run Plex/Jellyfin on their NAS.

          I don’t have a horse in this race, I don’t use remote streaming, I only ever streamed from my NAS to my 2 TVs, and I am experimenting with Jellyfin. But for those who do need remote streaming, Jellyfin is going to be problematic.

    • CmdrShepard42@lemm.ee
      ↑7 · 6 months ago

      Not necessarily a VPN but you’re 100% on your own for security. When I used to run Emby, I had a whitelist of IPs but this doesn’t work great since most ISPs rotate IPs over time and if you’re on wireless it could change all the time.

      • FreedomAdvocate@lemmy.net.au
        ↑2 ↓1 · 6 months ago

        Yeah a VPN isn’t “necessary”, but it’s the most straightforward way. Unfortunately it’s not really at all feasible for many people who currently play from other people’s Plex libraries.

    • merthyr1831@lemmy.ml
      ↑4 · 6 months ago

      I use a non-rooted docker, reverse proxy, and Cloudflare domain. I know Jellyfin has some API security issues but I’m still unconvinced that any of them can be used to escalate to any level that would threaten my server (or even my instance of Jellyfin).

      • MaggiWuerze@feddit.org
        ↑3 ↓1 · 6 months ago

        They are not about escalating permissions but about unauthorized access to your library. As someone living in a country with professional piracy lawyers, that go out and try to catch people in the act, I won’t open my server to that kind of risk.

        I like Jellyfin being open source and all, but the maintainers made it clear that they prefer backwards compatibility with clients over fixing these issues.

        • merthyr1831@lemmy.ml
          ↑2 · 6 months ago

          Oh yeah I don’t buy the backwards compat stuff because you can version an API to preserve backwards compatibility to sensible ends.

          I’d be very interested to see cases of streaming or copyright lawyers essentially hacking users to litigate them. The only stuff I’ve ever seen on snooping by corps on pirates, it’s usually collecting PII from public sources like torrent clients without VPN coverage.

          • MaggiWuerze@feddit.org
            ↑1 · edited · 6 months ago

            The alternative is that they just don’t care or are not capable of fixing it, despite numerous suggestions in the GitHub thread. Both don’t bode well for the project, especially seeing as that ticket has been open and discussed for almost 5 years.

    • themachine@lemmy.world
      ↑4 ↓2 · 6 months ago

      No. You have to expose your server to the internet in some way but you don’t have to set up some sort of VPN. There are plenty of people who will tell you how awful of an idea it is but if you make smart choices it’s not a big deal.

      • sudneo@lemm.ee
        ↑1 ↓1 · 6 months ago

        Well, as an application it has a huge attack surface, it’s also able to download stuff from internet (e.g., subs) and many people run it on NAS. I run jellyfin in docker, I didn’t do a security assessment yet, but for sure it needs volume mounts, not sure about what capabilities it runs with (surely NET_BIND, and I think DAC_READ_SEARCH to avoid file ownership issues with downloaders?). Either way, I would never expose a service like that on the internet.

          • sudneo@lemm.ee
            ↑1 ↓1 · 6 months ago

            No that’s the thing. Plex can also use their infra as a tunneling system. You can have remote streaming without exposing Plex publicly and without VPN. It is slow though.

            • Nibodhika@lemmy.world
              ↑1 · 6 months ago

              Plex doesn’t even work properly unless you set it up with network mode host, otherwise it always considers your service to be remote because they’re not on the same network as anything you try to watch it from. Jellyfin requires lots less access, and if you’re so worried about it you can add a Tailscale mod to the container and isolate it completely so it’s only accessible via Tailscale similarly to what you think Plex is doing (which doesn’t harden security as much as you think).

              • sudneo@lemm.ee
                ↑1 · 6 months ago

                I presume you mean running Plex in host namespace. I don’t do that as I run the synology package, but I can totally see the issue you mean.

                Running in host namespace is bad, not terrible, especially because my NAS is on a separate VLAN, so besides being able to reach other NAS local services, cannot do much. Much much much less risk than exposing the service on the internet (which I also don’t).

                Also, this all is not a problem for me, I don’t use remote streaming at all, hence why I am also experimenting with jellyfin. If I were though, I would have only 2 options: expose jellyfin on the internet, maybe with some hacky IP whitelist, or expect my mom to understand VPNs for her TV.

                > (which doesn’t harden security as much as you think)

                Would be nice to elaborate this. I think it reduces a lot of risk, compared to exposing the service publicly. Any vulnerability of the software can’t be directly exploited because the Plex server is not reachable, you need an intermediate point of compromise. Maybe Plex infra can be exploited, but that’s a massively different type of attack compared to the opportunities and no-cost “run Shodan to check exposed Plex instances” attack.
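
Several comments in this thread raise the container settings that decide how far a media-server compromise can reach: added capabilities, volume mounts, host network mode, and running as a non-root user. The following is an added example, not code from any participant or from the Jellyfin or Plex projects, that audits those settings from `docker inspect` JSON. The container name, paths and the `WRITABLE_OK` policy are constructed assumptions; in practice the input would be the output of `docker inspect <container>`.

```python
import json

# Constructed `docker inspect` output for a hypothetical media-server container,
# trimmed to the fields the audit reads. Not taken from a real deployment.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/mediaserver",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false,
    "NetworkMode": "host",
    "CapAdd": ["DAC_READ_SEARCH"],
    "CapDrop": null
  },
  "Mounts": [
    {"Source": "/volume1/media", "Destination": "/media", "RW": true},
    {"Source": "/volume1/config", "Destination": "/config", "RW": true}
  ]
}]
""")

# Assumed policy: only the application's config directory needs to be writable;
# the media library can be mounted read-only.
WRITABLE_OK = {"/config"}


def audit_container(info):
    """Return a list of (check, detail) findings for one `docker inspect` entry."""
    findings = []
    host = info.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append(("privileged", "container runs with --privileged"))
    if host.get("NetworkMode") == "host":
        findings.append(("host-network", "shares the host network namespace"))
    for cap in host.get("CapAdd") or []:
        findings.append(("cap-add", cap))
    if "ALL" not in [c.upper() for c in (host.get("CapDrop") or [])]:
        findings.append(("cap-drop", "default capability set not dropped"))
    user = (info.get("Config") or {}).get("User", "")
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append(("root-user", "process runs as root inside the container"))
    for m in info.get("Mounts") or []:
        if m.get("RW") and m.get("Destination") not in WRITABLE_OK:
            findings.append(("rw-mount", f'{m["Source"]} -> {m["Destination"]}'))
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(entry["Name"])
        for check, detail in audit_container(entry):
            print(f"  [{check}] {detail}")
```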