Brother we have the opposite problem. You are not putting yourself in my shoes, or other people like me.

Bold claim. But no i am putting myself in your shoes and yes there was also a time were i tried to work around to host mail myself. But its easy and no headache to set up.

None of those things are necessary. Like I don’t even have email configured on my server because I don’t need it at all except when the developer unnecessarily integrates it to the extent that it breaks it.

Depending on the view, a functioning service something like password reset is necessary. To design the software that it can ship without functioning password can or cannot make sense, depening on the design choices. Depending on what else got send via e-mail designing the software around that can be challenging and burdening for the future of developing.

If the setup required you to setup e-mail, the software and then also the developer can always assume there is a communication path to the individual user.

As i said, it can and cannot make sense, but saying

That makes no sense.

and not even trying to put yourself into other shoes just does not make sense.

Why wouldn’t you give users the option to not use it?

Since then you would need to have another way to achive the goals e-mail does. Like password resets, user invitations etc. Thats all software burden for that one user that does not want it.

Setting up email is a pain in the ass, costs money, is dependent on 3rd parties, violates privacy, and is just completely unnecessary.

None of these i would actually say. To work around it you can just simply set up local reachable postfix. Done. You can setup a complete local mail server, with a few clicks.

Choose the software you want to use wisely and dont jump to the first solution you find when you are that licky about your requirements. If you are ao reluctant about e-mail and the service requires it, then maybe the design goals of the software do not fit your goals.

They went with OpenDesk, which uses Nextcloud as Cloud System.

Where have you read that they are going to switch to OpenCloud?

Yes. There are enough signed and exploitable Windows Boot loader which you can use to boot anything you want.

And for containers auto updates once every day.

Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.

Luckily thanks to their licensing model they basically cannot. Immich has according to github as of now 1606 contributors. Changing the license so that there could even be a proprietary fork would require basically the ok by every contributor (that made a relevant code contribution)

Be aware,

Jellyfin uses semantic versioning. All releases will have versions in the X.Y.Z format, starting from 10.0.0. Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility, at some point, with previous Emby-compatible interfaces, and may also break compatibility with previous 10.Y releases if required for later cleanup work

Yep, there even was a standard that would have been sufficient, Do Not Track. https://en.m.wikipedia.org/wiki/Do_Not_Track

I host my mail with mailcow and it is almost set and forget. I only had a couple issues with some mail providers, but a small email exchange with the admins cleared that up.

Have a handful of users, that have not complained about anything not working or spam or whatever 🤷‍♂️

Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.

In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.

It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.

Another place? What else? You mean setting up you own server? That is in fact your responsibility.

Lets not forget the BS when Shows are only partially available, like only Season 1-5,8-12 and so on. Not only is it expensive but also a shitty service with shitty quality and experience.

End-to-end encryption means the service provider can’t see your data even if they wanted to

Not necessarily. All it means is that intermediaries can’t see the data in transit. You need to trust that the data is handled properly at either end, and most service providers also make the apps that you run at either end.

This is incorrect. End-to-End is defined as from “User to User” and not “User to Service provider”. That would be just transport encryption.

https://en.m.wikipedia.org/wiki/End-to-end_encryption

I switched to adguard, yes. But you can just give pi-hole a dnsmasq config file. The underlying dns server Pi-Hole uses does support those.

Just mount the file via a docker volume. I will have to look up the exact paths. Config would look like

address=/domain.tld/192.168.0.1

I saw that they are working on big refactoring to use EFCore instead of doing direct SQL queries. I actually was surprised when they were saying that the migration will take days for some, and you shouldn’t interrupt it.

That you should not interrupt a database migration is really standard procedure. If it takes days is unfortunate, but what should the devs do? Create a migration process with weeks and months of testing that can recover after a interruption, for those 3 ppl that run on slow hardware?

Pls do not get me wrong, that the database and everything related to it is slow and basically legacy code is not good, but exactly that is beeing worked on right now, instead of continuously pumping out new features. Complaining about the exact thing that is currently in the works feels very disingenuous.

Based on you screenshot from the NPM Dashboard there seems to be something wrong. In the setup window you show that you forward the traffic with http and port 80, in the dashboard screenshot you forward the traffic with https and port 80.

Just skip http and self signed certificates all together. Modern Browsers make it a pain to use non https sites. A simple domain setup with dns acme challenge is a little bit of a hassle but worth the hour(s) of invested time. Especially with npm were it is a set and forget option.

Does pihole support wildcard dns entries yet? To my knowledge the gui only supports single entries so that you have to enter every subdomain manually in pihole that you want to have forwarded. Workaround would be to use a dnsmasq config file or use something else like addguard.

I know that the project is done by volunteers but I was just wondering whatever I should invest more time on trying to resolve the issues. Maybe my server specs are just not ideal for Jellyfin.

Why do you think they do not?

If you would look up what they are actually doing, you woulf realize that a lot of work is done to improve the underlying quality of code to make it easier to do major changes to core functionality. Quick and dirty fixes by the previously project, emby, has led to a very shitty code base that makes changes hard.

It usually is the directory where you execute the docker compose command.

And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.

If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That’s more or less it.

Good? No. But far from making it a poor choice exposing it.