- cross-posted to:
- technology@lemmy.world
- plex@lemmy.ca
- cross-posted to:
- technology@lemmy.world
- plex@lemmy.ca
You must log in or register to comment.
Glad I started out with Jellyfin
Went there to update my password but got reminded what a horrible experience Plex is these days, so deleted my account instead.
I’ll probably get the lifetime pass after seeing how cumbersome setting up jellyfin is.
It takes fairly little effort to set up Jellyfin. I think there’s scripts these days that set up the entire arr stack for you in a matter of minutes.
:D
Should have been put in the OP because people are going to jump the gun:
While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.
Still, always good practice to change your password after this sort of leak. However unlikely it is that someone could access your account, it’s never a bad idea.
If you use a unique password and have 2FA on there’s no real need, but yeah it can’t hurt.
Meanwhile I made a post asking if plex is bad now and most people on it said “no it’s great I paid for my lifetime pass years ago and its been the best!” Yeah, we know the truth now.
Jellyfin all the way.
Plex followed best practices and made sure that in the event of a data breach your accounts were safe, and alerted us promptly to the breach and reassured us that nothing private/of value was compromised.
JellyFin knowingly leaves multiple API endpoints with zero authentication.
I know which one I prefer, and it’s not the one with gaping security holes marked as “won’t fix”.
Seems unlikely that this happened. Most people on Lemmy despise Plex and forgive all the shortcomings of Jellyfin
Thats what I thought too. But I posted on ask lemmy, not here.
I’d love to switch. I would do it right now, but the problem is that Jellyfin’s security isn’t better if you open it up to the internet. For example, I’d have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I’d have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I’ll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they’d want it to work with their smart TVs.
Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I’m also happy with the way Plex is reporting this, it’s above the standard “your data is lost” notifications.
Edit: here’s a link to the related GitHub issue I’ve been following: https://github.com/jellyfin/jellyfin/issues/5415
And @Saik0Shinigami@lemmy.saik0.com has a great thread explaining more: https://lemmy.today/comment/18923504
Jellyfin is great… As long as you’re the only one who needs to access the server. I’ve switched to using Jellyfin myself, but I still run Plex for others to access.
I’ve found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.
My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.
It’s still better for my needs, but I remain angry.
This is the same reason I haven’t switched. My parents use it to watch the local OTA channels and I have zero intention of supporting a site to site VPN on their home network and multiple mobile devices.
Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
Again, its not random. It’s not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you’re done
If you hand wave those away then you can’t possibly have any issue with Plex.
I don’t have an issue with Plex. I don’t use it
I mean, that’s fine, but it’s still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn’t seem like security is Jellyfin’s priority at the moment, not that it’s Plex’s either, but it’s not to a place where it’s worth it to switch from a security standpoint, personally.
Plex has a whole team dedicated to security. It’s obviously not perfect and it is a larger attack surface than Jellyfin, but I’ll take that any day over devs who treat security as an afterthought
Thank you for that issues link. I keep trying jellyfin every now and then and I run into issues with general bugginess so I haven’t been able to switch. Seeing that it’s kinda full of security holes makes me even more reticent.
Plex can’t catch breaks recently.
Self hosting does come with risks though. People should be on notice.
In general, for self-hosting, we hardly rely on remote service/server. The whole idea of self-hosting is to shun dependency on external service/server, and run everything on your own hardware and network. So that every aspect of the service is in your control. I don’t think self-hosting comes with much risk, unless you make your service available on Internet.
Well plex can’t be run without it pinging the mother ship…
But I get your point. I don’t open shit up for remote use.
Which is exactly why I never installed Plex and went straight to Jellyfin
Plex has more apps support. But yeah I can’t wait for the day where I can move over.
Was on the fence for a long time, and I made the move just recently (after the pricing changes. Didn’t effect me since I was grandfathered in, but I saw it as a harbinger for worse things to come) With the creation of Wizarr, it solved my biggest problems with Jellyfin. I can just send an invite link, and it creates accounts for people on Jellyfin, Audiobookshelf, and Kavita, and lets me set up introductory guides for everything. Despite the menu UI/UX being significantly worse than Plex, playback is smoother, load times are shorter, and it can actually handle streaming to really slow internet speeds, something that Plex had a lot of trouble with.
The only app I noticed missing was the Tizen app, but they are working on getting it approved. I only had one family member using a Tizen TV, so I just gave them an old chromecast to run off of instead.
I am curious as to why people thing Plex is self hosting if Plex can change how your server functions? I have never personally considered it self hosting but do others still think it is?
Yes. It’s running on my server. That I host.
And you fully control the service?
Depends on how you use it. Doubtful anyone here has the Plex devs on payroll… Not any other self-hostable softwares devs … updates will come.
Because you are hosting the server software on your own hardware. That’s literally self-hosting. Plex provides a way to remotely access your server through their own network as well, which is optional.
The problem with Plex is it isn’t fully hosted. Plex controls user passwords. You can’t use it without logging into their servers.
You can access it through your local network without authentication. Add a vpn and you got the same setup Jellyfin fans will praise
On a side note: you can remotely access any service running on home network via Tailscale[1] / Cloudflare Tunnel. Your services are never exposed on Internet. Moreover, you don’t need to rely on Plex for that.
[1] https://tailscale.com/ [2] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/
Tailscale is going public, so I don’t really trust them anymore. I used Cloudflare tunnels for a while, but I strongly dislike being dependent on them for accessing my own network, and I don’t like how they recently clamped down on “anti-piracy”. There are some legitimate sites I still can’t access (dirtbike parts and whatnot) because Cloudflare straight up blocks access to them.
Tailscale is going public, so I don’t really trust them anymore
Even if the source code is open?
Android is open source and look what Google is trying to do with that.
By your logic the *arr suite isn’t self hosted either since they rely on metadata cache servers.
In fact Jellyfin relies on external services for their metadata too!
Plex is self hosting, the auth is not.
So is the auth needed to set up your plex in the first place? It has been forever sence I used it.
no, the auth to use it at all … internet goes down and you can’t watch your own movies on your own network. peak self hosting.
That’s simply not true. You can just set your local ip range as unauthenticated and use it to your hearts content without an internet connection.
You can add IPs that are allowed to use it without auth. The software itself is running on your own server.
Ok that is good to hear!
Actual answer.
Even though there are some cloud services like remote server management, proxies, and 3rd party integration, I do actually have to run the software myself on my hardware. Hence, self hosted.
why stop there! let’s do the same for all the “self-host” projects that use CDNs or remotely hosted resources.
it’s not self-hosted unless it’s 100% hosted locally.
Right, he who does not rely on someone elses DNS-server shall throw the first stone!
You are a bot? That’s what I’m seeing in Boost anyhow
Just asking a question looking for answers, not a not. Cheers mate.
How is that any different than any other software package? Unless you’re coding it yourself, things can be changed without your permission.
Jellyfin I don’t have to update if I don’t want to. Jellyfin can’t force me to update by taking a function I currently have away or force my to pay to keep using it the way I currently am. With open code I can fork it and keep it at the version I want if I choose.
At least for now. Jellyfin was spawned from Emby who also decided to go closed source at one point. You’re still at the whim of strangers and what they want to do with the product they developed.
Regardless, the debate isn’t about “Plex vs Emby,” it’s whether “Plex is self-hosting” or not.
And even if you do code it yourself, you may have dependencies that do undesirable things outside your control.
