
Leaving this completely unrelated link to a better alternative here: https://jellyfin.org/

Leaving this for people to realize that there's a literal chapter's worth of book of security issues that haven't been fixed and seems to keep getting the can kicked down the road... for over 4 years now.

https://github.com/jellyfin/jellyfin/issues/5415

I love Jellyfin... people need to implement it sensibly knowing the potential risks.

Edit: Ah yes! I MUST be a shill for saying "Implement it sensibly".

Here, let me "de-shill" myself.

You have several options to make Jellyfin serviceable to users outside of your literal LAN network.

  1. setup a VPN. Pray you don't have a user on a device that doesn't have a VPN app that you can work with.
  2. setup whitelisting on your server. Pray that IP addresses don't change.
  3. setup fail2ban or crowdsec. Pray that your users don't piss off either by doing user things and getting locked out.

If anything above fails... you're likely on the hook for support. Hope you plan for that!

  1. Obfuscate your paths (change /movies/title (year)/title.ext to something like /9ZHBrvNH4dKQDYFa2parH32qqSFpjsWTataVkjy4NqPxpVktT55PkEee5YSVRvUQ/movies/title (year)/title.ext). MD5 is now much harder to generate/guess... pray that there isn't some other vulnerability. Gotta go back and reconfigure and organize your shit. Oh and make sure that your docker mounts aren't crushing the path!

Am I still a Plex shill? BTW I run Jellyfin AND Plex. Literally side by side. Different uses for different cases because Jellyfin just can't compete with Plex for sharing with dumb-ass relatives.

If your use case is to have a nice media server at home and while traveling (via tailscale or similar) without exposing your private data, Jellyfin is great.

If your use case is running a pirate tv service for other people, then you probably want something else.

If you're supporting ANYONE other than yourself who isn't technical, it's a hurdle. And likely a significant one.

I would not be able to educate my wife properly on the times when she would need to enable wireguard on her phone to use it properly (and when to disable it for other scenarios).

This has nothing to do with running a pirate service.

Seriously. Someone tried convincing me that it would be an easy lift to send my MIL across the country a preconfigured Pi so that she could have web browser access to Jellyfin. She only has a computer for doing taxes, and watches everything on her TV.

Not only would she get confused every step of the way, even if it was just plug & play, she would also blame me if ANYTHING happened on her network and want me to fly out to fix it.

I'm not about to take that responsibility just so she can watch the latest episode of 90 day fiance. I have enough pain when she needs to sign into Plex.

I actually kinda did that. Sent a preconfigured thinkcentre to my mum that boots into the jellyfin media player, connects to my server via tailscale. Just had to plug it into power, lan, hdmi. Immutable, atomic system that looks for updates on boot, applies them on next reboot, and does a rollback and ping me if the update fails.

I have ssh access, and my brother lives nearby in case everything fails, that makes things easier.

I'm convinced 90% of them have never run either and just like to complain about stuff.

Setup a wireguard client so it’s always connected but is used only for a certain IP (the address of your server). If you’re interested, I can help you with that.

It's not me that's the problem. I have a permanent tunnel back to my house/infrastructure (straight wireguard). It's communicating how to use it to my users that's the problem... I already do enough support that I'm just not opening that can of worms to non-tech people.

everybody downvoting your comment has zero experience being the go-to family tech guy for relatives in their 80s and 90s who can't reliably distinguish between windows, dialog boxes, menus, and buttons

Great!

How do I set up WireGuard specifically on my AppleTV? How about my Roku? My friend’s LG TV? My other friends Samsung TV?

I feel like you’re not asking for help, but rather trying to prove a point. I get it, but for Apple TV you can use https://passepartoutvpn.app/, for others, I don’t know, I have no experience.

I think they're meaning exposing it to the public for the pirate tv use case. In my personal experience (1 non savvy user using the roku app, no vpn), it's not much support. I had to talk them through initial sign on, and through re-sign-on after that latest update that forced it. Of course ymmv, but two 5 minute tech sessions with grandma over 2 years of consistent usage ain't that bad.

through re-sign-on after that latest update that forced it

I've racked my brain to determine WHY that happened, but the only thing I can guess is Roku saw the channel differently because I packaged it instead of the previous person, so the config didn't port over /shrug

Never had that happen before.

I figured it was the enforcing of the trusted proxy mechanism mentioned in the release notes (only noticed because of an earlier thread here, thanks!). Once I updated my server and set the proxy settings all my clients needed to be signed again.

And I'm talking about the reverse problem. That you would need to expose it in order for it to work with other users... OTHERWISE be on the hook to support users via VPN + Jellyfin, or in the case of TV apps, Router+VPN+Jellyfin. That doesn't scale up well the moment you have someone not in your house that uses your stuff. It doesn't have to be pirate TV. Could just be a kid at college.

Yeah I don't think anyone sane would disagree. That's what forced the decision for me, to expose or not. I was not going to try talking anyone through VPN setup, so exposure + whatever hardening practice could be applied. I wouldn't really advocate for this route, but I like hearing from others doing it because sometimes a useful bit of info or shared experience pops up. The folder path explanation is news to me; time to obfuscate the hell out of that.

Yeah I don’t think anyone sane would disagree.

Exactly... But I get chastised for pointing the problem out. Called a shill because I care about security.

I RUN JELLYFIN. I HAVE IT RUNNING. Others you recommend it to should be made aware of the risks that's all I'm trying to point out.

The folder path explanation is news to me; time to obfuscate the hell out of that.

You can get around the MD5 issue (a bit) by obfuscating your path. Instead of /movies/title (year)/title.ext... make it /mnt/MHhzTiM57Fv4wWQmkmb4DLDwVKoB628KBQzhBHQjGQVtsjhwRrFNU2NtRGJ4dUpg/movies/title (year)/title.ext and you'll probably be pretty damn immune to the problem as it stands now... But just blatantly telling people to use Jellyfin isn't a good answer here without that background.
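The path-obfuscation mitigation described in the comment above, as an added example that is not part of the thread or Jellyfin's own code: a Python audit that flags library paths lacking a long random segment and generates a replacement prefix. The 128-bit target, the 3.5 bits/char cut-off and the function names are assumptions, and the randomness check is a heuristic.

```python
import math
import secrets
import string
from collections import Counter
from pathlib import PurePosixPath

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
MIN_BITS = 128          # assumed target: far beyond request-based guessing
MIN_CHAR_ENTROPY = 3.5  # assumed cut-off (bits/char) between random text and words


def shannon_per_char(s):
    """Shannon entropy of the character distribution in s, in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_bits(segment):
    """Heuristic: if a path segment looks randomly generated, credit it with
    len * log2(62) bits (an upper bound that holds only for uniformly random
    strings); otherwise credit nothing."""
    if len(segment) < 22 or any(ch not in ALPHABET for ch in segment):
        return 0.0
    mixed = (any(c.islower() for c in segment)
             and any(c.isupper() for c in segment)
             and any(c.isdigit() for c in segment))
    if not mixed or shannon_per_char(segment) < MIN_CHAR_ENTROPY:
        return 0.0
    return len(segment) * math.log2(len(ALPHABET))


def audit(path):
    """Report whether any segment of a library path carries enough randomness."""
    bits = max((random_bits(p) for p in PurePosixPath(path).parts), default=0.0)
    return {"path": path, "bits": round(bits), "ok": bits >= MIN_BITS}


def new_prefix(length=64):
    """Generate a random directory name that passes the audit above."""
    if length * math.log2(len(ALPHABET)) < MIN_BITS:
        raise ValueError("prefix too short for the MIN_BITS target")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if random_bits(candidate) >= MIN_BITS:
            return candidate


if __name__ == "__main__":
    # Sample paths: the two layouts quoted in the comment above.
    samples = [
        "/movies/title (year)/title.ext",
        "/mnt/MHhzTiM57Fv4wWQmkmb4DLDwVKoB628KBQzhBHQjGQVtsjhwRrFNU2NtRGJ4dUpg"
        "/movies/title (year)/title.ext",
    ]
    for s in samples:
        r = audit(s)
        print(("OK   " if r["ok"] else "WEAK ") + f"{r['bits']:>4} bits  {r['path']}")
    print("suggested new library root: /mnt/" + new_prefix())
```

Run it against the paths as the server sees them; as noted earlier in the thread, a Docker mount can replace the host-side prefix.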

Awesome, thank you, this is exactly what I was thinking when you mentioned it earlier.

My wife has no problem starting the tailscale app and then starting the jellyfin app. It's really that simple.

She also uses the tailscale exit node I run whenever she is on a public wifi. It's really a well designed simple to use app.

Would you like to explain to my MIL about how to set up tailscale for her entire network so she can stream to her TV?

Yep, tell her to call you over to set it up and phone you anytime 24/7 if it breaks

Download file from Google Drive link

Download OpenVPN app

Pick file in OpenVPN app

Enter password

Share WiFi from phone to TV

Done

Too hard, she can't even open a PDF file on her own.

Does she drive or open bank accounts?
If the answer is yes, why is that so much harder?

And I work in tech support. With medical non-technical folks. Guiding them through the control panel blindly on the phone.
I know what I am dealing with on the regular!

If the answer is yes, why is that so much harder?

Because computers (to older folks) are a magical black box that they’re afraid to break but still manage to do so.

Can you wire a network cable? If the answer is yes, why can’t you build a night table from scrap wood?

You can’t because having proficiency in one area doesn’t translate to proficiency in another.

Good question, I'm also in tech. She does drive and of course opens bank accounts, but it's like it all goes out the window when she needs to do anything remotely technical. I would say that most of the users I've encountered are not that bad, but she is unique in that way.

You want to run an internet tv service for your MIL then do it. That's just not what Jellyfin is for. It's a home media server.

Is this that hard to understand?

Then it's not a drop in replacement for Plex, is it?

No shit. Is that not exactly what I have been saying over and over?

My first comment in this thread says clearly that if you want to run a pirate tv service for other people then you'll want something other than Jellyfin.

You replied to someone and said "my wife has no problem using tailscale". Is your wife not another person? Sure, same household, but if you're not running a pirate TV service, why does she need tailscale, and how is that different than sharing with my MIL?

Also, why do you keep using the terminology of "pirate tv service"? Why is it suddenly not a home media server if I want my mother in law to be able to use it? I don't share with people outside of my family.

You seem to think that because you're using Jellyfin, it's automatically not piracy. But you certainly can do piracy with it, it has tools purpose built for it like Jellyseerr. So how is that not a "pirate tv service"?

Do you not know that you can also upload your own media rips to Plex? Is that still a "pirate tv service"? At what point do you assign the (fairly negative, at least legally) connotation of piracy to a service someone is hosting out of their homelab?

My wife and I hardly ever watch TV outside the home. Certainly not with our phones. The only time is when we travel. However she does use tailscale daily. That was my point, that tailscale is easy for non-tech people. Sorry if that is confusing.

Awesome... cool for you. The average person doesn't even understand or even know what a VPN is.

I taught undergrad and grad college level IT courses. Many students there didn't even understand what a VPN actually is.

Edit: It works for you... great... it could even work for many... Awesome. There are legit use cases for the majority that VPN just doesn't work.

Jellyfin is a home media server. it is great for that use case. It is easy to setup and use. Most importantly its not sending data about everything we watch to some company.

Stick to plex if you want to run a free internet tv service for your cousin and their kids and whoever else and you aren't concerned with their or your privacy.

I'm into self-hosting because data privacy is my primary concern.

Jellyfin is a home media server.

Ok, then why do they offer remote connectivity?

Stick to plex if you want to run a free internet tv service for your cousin and their kids and whoever else and you aren’t concerned with their or your privacy.

What evidence of privacy problems do you have against Plex?

I've wiresharked, splunked, checked literally everything that I sent to Plex not all that long ago... Turns out it's a whole fuckton of nothing and generic metadata pulled from the media agent. Turns out that as long as you turn off the dumb features, you're not sending all that much. It's much easier for me to tell people to turn that shit off than it is to convince them to install apps and configure everything.

I’m into self-hosting because data privacy is my primary concern.

Privacy won't matter if a major studio catches wind of this type of vulnerability and decides to start scanning for jellyfin instances. The subpoenas will come shortly after.

What evidence of privacy problems do you have against Plex?

Well there was that one time that Plex emailed your friends and shared your viewing habits.

https://www.404media.co/plex-users-fear-discover-together-week-in-review-feature-will-leak-porn-habits-to-their-friends-and-family/

Turns out that as long as you turn off the dumb features, you’re not sending all that much.

Those users kept the feature turned on. I spoke out against that shit when it happened on Reddit. But turns out users who disabled the dumb features in their profile never had those emails sent. I never saw the email as an example... and my subset of 5-6 users that I think I had at the time... I distinctly remember 2 of them talking about how they never got one either... Turns out that I could reliably use that email to show the other 2-3 users that they need to turn off those flags.

and

Were the big sections I believe... But that was a couple years ago at this point and I might be misremembering.

I’d still say it qualifies as a huge example of “evidence of privacy problems with Plex.” It certainly informs the community on Plex the company’s perspective on privacy and what a user’s expectations should be.

They chose to make that email and feature opt-out and after the fact.

I understand and agree.

However it's far easier for me to tell people how to setup their plex profile than it is for me to support infrastructure that they'd have to use to access jellyfin securely.

But to be frank on both jellyfin and plex, the end user never had privacy from the server owner. So talking about user's expectations is completely different world of discussion than a server owners expectation of privacy.

I was only speaking to your question upthread. It sounds like you do agree with me that Plex does have a history of concerning privacy decisions. This one even directly affected users sharing your library.

As to the rest I’m not here to sell you on Jellyfin. It’s the right platform for my needs and I’m very happy with it. I’m not one of the “run a pirate tv server for a group of my friends” users, so I don’t place any value on the features that keep you on plex.

Open source will keep being open source. Every year seems to bring improvements to vpn technology and general consumer awareness of them. I have no doubt that Jellyfin will continue to close the gap, by all measures it is a popular and growing project. One day it may even be suitable for you.

I’m not one of the “run a pirate tv server for a group of my friends” users

I hate this distinction... If you have jellyfin exposed without some other form of auth in front of it is the problem. It has nothing to do with friends or other users.

Friends and other users make it hard to implement anything reasonable. If you're running it strictly for yourself and have a vpn. Great. More power to you. But dropping Leaving this completely unrelated link to a better alternative here: https://jellyfin.org/ with no caveats as if it is a complete replacement for Plex is not the answer. Then when someone comes along and specifies why it's not a good answer I get mobbed by the lemmy mob for pointing out why jellyfin is not as advertised (literally).

I hate this distinction… If you have jellyfin exposed without some other form of auth in front of it is the problem. It has nothing to do with friends or other users.

Right. I don't have Jellyfin exposed. Because I'm not trying to share its contents with anyone. That's the distinction.

Okay... so you're visiting family. And you want to watch something on their LG tv. What do you do?

That's not a situation I've ever faced, but imagining the hypothetical, I'd play it on my iPad and airplay/stream that to the TV.

The iPad will last a whole movie's worth of time streaming a screen mirror? That's impressive I guess.

Edit: Thinking about it... wouldn't you have problems connecting to the tv over the wifi if you have VPN active?

The iPad will last a whole movie's worth of time streaming a screen mirror? That’s impressive I guess.

I'm struggling to figure out what you're trying to communicate here. I mean, yeah, probably. The iPad is notorious for its class-leading battery life under real usage. But you know, it can also be plugged into the wall with any USB-C charger. It's weird to me that you'd even bring this up.

I've seen you mention in several posts that you're frustrated by the unfriendly response you perceive from this community. Have you ever considered that it might be your personality and not your views that's causing it?

Edit: No, I have no difficulties reaching local devices while connected to my VPN.

Sorry but I edited my post seconds after you responded. My bad. Didn't mean to edit under you.

Thinking about it… wouldn’t you have problems connecting to the tv over the wifi if you have VPN active?


Have you ever considered that it might be your personality

Nah, nobody here "knows" me. And you can't discern "personality" traits in 3 sentences of text.

. . . you can’t discern “personality” traits in 3 sentences of text.

I've definitely formed an opinion based on our brief interaction. Is it hard to believe that others might have also done so?

Can't stop you from doing whatever you want in your own head though can I? If you think you have the breadth of someones personality and thoughts after just one conversation... Then honestly I don't really care about what you think. People aren't that simple, issues usually aren't that simple.

The lemmy mob I'm referencing is actually more of a downvote campaign... it's the same group of people nearly every time.

I never said I have the breadth of your personality. But I sure as shit have some opinions at this point about what it's like to interact with you online.

Then honestly I don’t really care about what you think.

Perhaps not me personally but you've expressed elsewhere in the comments that you do care about the reaction you've received from this community. You've expressed frustration at the replies and downvotes you've received.

The lemmy mob I’m referencing is actually more of a downvote campaign… it’s the same group of people nearly every time.

I'm suggesting that it might not be about your views specifically and more about how you choose to interact with the other people here.

I’m suggesting that it might not be about your views specifically and more about how you choose to interact with the other people here.

I can see upvotes as an instance admin. I'm specifically talking about what I said I'm talking about... which is a group of people that always show up in the downvote list.

I'm sure I rub many people the wrong way, the happenstance bystander will downvote... however there's a group of a few people that will always downvote me. That's what I'm referencing with that comment.

The frustration is literally what I'm referencing as the lemmy mob.

Yeah I get what you’re saying. I don’t think you’re hearing me, though.

Best of luck.

Plex clearly scans your media collection and does upload the metadata and they can add more data collection any time they want.

Privacy won't matter if a major studio catches wind of this type of vulnerability and decides to start scanning for jellyfin instances. The subpoenas will come shortly after.

How are they going to scan a server on my network that's behind my firewall with nothing open to the internet?

Plex clearly scans your media collection and does upload the metadata and they can add more data collection any time they want.

No. The local metadata agent requests the data, it doesn't upload a list of what you have but requests the metadata it's missing. And you could say that a log collection of what data it retrieves is risky... except now they cram so much nonsense on the home page that all of that is fluff that would obfuscate that heavily...

But you can configure the meta-agent. You can not request it at all.

How are they going to scan a server on my network that's behind my firewall with nothing open to the internet?

So then you agree with my initial statement that I start with of "people need to implement it sensibly knowing the potential risks."?

If so... then why get into a hissy fit over this when my statement was clear? People shouldn't implement Jellyfin without understanding the risks... it's not innately secure and requires additional solutions to make it use-able. And thus, should be recommended only when that is disclosed.

Where did I disagree with you?

I've repeatedly pointed out that Jellyfin is great for a self-hosted home media server. If you use it as intended then its security is not an issue.

It's not for running an internet tv service for others.

I don't really understand why this causes some people to go off on a rant about how hard it is to explain a vpn to their grandmother. That's not something I've ever suggested.

It's not for running an internet tv service for others.

Because you keep missing the point that spouse or others that live with you but aren't literally at the house are also "remote" users who are part of the same home.

If you use it as intended

I've never seen any Jellyfin document claim that it's intended to be used behind a VPN or strictly in LAN operations. And actually have seen it directly advertise itself as something to share with others.

https://jellyfin.org/

Would be hard to share with family and syncplay if we're only talking about LAN access.


https://jellyfin.org/docs/

It is an alternative to the proprietary Emby and Plex

Comparing themselves to Plex directly in usage.


https://jellyfin.org/docs/general/post-install/setup-wizard/

Some basic options for networking can be set on this page. For most users, it is recommended to enable the "Allow remote access to this server" option

Not needed if this is a local only server. default configuration guide...

Let's ignore the "networking" section altogether... Nearly all of that is only relevant if you're exposing it to the internet directly, but it outs itself as "This document aims to provide an administrator" so not meant for the typical user.

So are you right that it's meant to be local only? Or the creators themselves that run the website and advertise it for sharing and external connecting?

I'm mildly confused... Am I the troll or them?

I legitimately think that they believe the service is "meant" to be used local only... but the product page doesn't lead me to believe the same thing... While I'm likely going about it in a bit of an asshole way, I'm trying to figure out which of us is "correct" here. If there's a disconnect I want to rectify it... if there's a clear disagreement, then I can understand and take that... I'm just trying to hash it out.

Them.

You’re right that if it was supposed to be run in local only mode there wouldn’t be a streaming over the internet option.

I'm going to be mildly honest here...

I did troll a little... In that I kept this one in the back pocket waiting for a rebuttal..

Why set port on UPnP router/firewall if you don't want it accessible to the internet...

So maybe we're both trolls in this specific chain? But I guess I was hoping that there was some common ground to find. I don't know.

Edit: Oh and this one...

Edit2: Decided to gif it because it's an opportunity to rick roll someone...https://lemmy.saik0.com/comment/4667902

Some basic options for networking can be set on this page. For most users, it is recommended to enable the "Allow remote access to this server" option

Not needed if this is a local only server. default configuration guide...

Yes it is if you want to use it from any other computer on your lan.

It's working fine for me with it unchecked... Okay fine, let's say I did something nonstandard.

What about the other items? The hundreds of references by their dev team about exposure to the internet in the git? the dozens of others on the site?

Edit: My point is made even if we sans one specific one...

Edit2: or how about this... let's replace that one with this one?

What's the point of this checkbox if not for attempting to get the server directly internet accessible?

Edit3: Just so we're on the same page that you're wrong though...

Ok, so maybe I was mistaken, maybe it's using the already established session you have open, or maybe it takes a restart for that setting to take effect. It's hard to tell from one gif. I remembered it not working when I had that unchecked.

Good job being a complete shitheel about it though. And you wonder why people think you're a troll and/or shill?

Sorry, but nothing uncivil about it. Funny thing though I never called you a shill, troll, shitheel nothing... I just presented a simple rebuttal to your argument... but because it hurts your feelings to be wrong... now I'm all these names. Crazy!

Me wondering how many security issues the completely proprietary Plex has that they won't tell us about.

Honestly this is something that needs to be talked about more. I frequently see people roasting on foss but in reality the proprietary vendors have all sorts of dumb security issues.

The difference being, that the Plex devs weren't confronted with a list of security issues and basically shrugged and dragged their feet for 5 years

How do you know that? Development happens behind closed doors.

The Jellyfin devs are "dragging their feet" because they do not want to break existing clients.

There are a number of ways to do that without breaking clients. They could add a api/v2 with the option to disable the old one and clients could choose to support the new one, with the old one being set to deprecated

Fair concern... But I can tell you unauthenticated endpoints aren't one. I haven't tested any others personally.

Unauthenticated endpoints aren't one as far as you can tell.

Just the same that we don't know if the jellyfin ones don't have further issues that people just haven't found yet. What's your point? One is known for 4+ years now and is a wontfix... the other is unknown and no evidence to suggest otherwise.

Without authentication; it's possible to randomly generate UUIDs and use them to retrieve media from a jellyfin server. That's about the only actually concerning issue on that list, and it's incredibly minor IMO.

With authentication, users (ie, the people you have trusted to access your server) can potentially attack each other, by changing each others settings and viewing each other's watch history/favorites/etc.

That's it. These issues aren't even worth talking about for 99.9% of jellyfin users.

Should they be fixed? Sure, eventually. But these issues aren't cause to yell about how insecure jellyfin is in every single conversation, and to go trying to scare everyone off of hosting it publicly. Stop spreading FUD.

<admits there are problems>

<Stop spreading FUD>

It's not FUD if it's real. I could say the same shit for people screaming Jellyfin at literally every chance they get when the topic is Plex. Instead I further the discussion rather than telling other people they're spreading FUD.

it’s possible to randomly generate UUIDs

It's an MD5 hash of the file path. Not randomly generated, and not a proper UUID.

Edit: for others that might not understand... Docker files will standardize the path side... *arr suites and general human nature will standardize the file name.

So a generally guessable file path exists for a LOT of users out there... It's absolutely possible to guess that many people running jellyfin would store their version of bigbucksbunny as /movies/bigbuckbunny (2008)/bigbuckbunny.mkv or similar conventions and I've probably already nailed the path to generate the MD5 for a lot of people running Jellyfin just now.

You shouldn't expose it publicly

There are better ways to do things in 2025

Imagine downvoting "Be careful what you expose to the internet". I thought I'd got away from Reddit.

The core message is (to me) fine.
What I kind of dislike is the delivery.

Btw: Can someone tell me why the path-guessing is so dangerous?
I don't care if someone can guess the path for the.rise.of.the.linux.ISO.720p.DD.H264.mp4 and wants to download it.
Not like any damage or (interactive) intrusion was made into my network

Btw: Can someone tell me why the path-guessing is so dangerous?

Cause organizations like Sony have already done things like installed rootkits on people's computer. Now imagine they realize this is a flaw in some media setups the their legal departments start actioning on it. (generate a rainbow table of common names for files, and common paths used in linux/docker containers... running 10000 http requests on a server over a few minutes is child's play)

All it takes is one thing to parse on a list that never had a physical release and now your whole server will be subject to discovery at the court case.

If you have literally no illegal content on your server, no problem... other than that you'll be on the hook to provide proof of rights to have the content... and possibly at worst rights to distribute (they accessed it without authentication, so literally anyone else could have too).

Edit: Oh but hold on! I hear you say that it would be illegal for them to scan your computer like that...

Except it isn't. There's no law that says you can't try to navigate to a URL. There are laws that say that you can't bypass attempts to authenticate/protect content... but remember the endpoint isn't behind authentication.

Except it isn't. There's no law that says you can't try to navigate to a URL. There are laws that say that you can't bypass attempts to authenticate/protect content... but remember the endpoint isn't behind authentication.

Assuming I am from the US?
Because if so, it doesn't apply

But I appreciate your time for the explanation.

Assuming I am from the US?

I mean... I'd like to see any law that can be construed that directly accessing a URL that's unprotected is illegal. I'm not an expert in EU law on this for sure... but I've read many things pertaining to EU law and never found one that would lead me to believe otherwise.

Did you read them? somebody is spreading fear for no reason. It almost feels like they want people to use something else.

I'm betting most of it is because some terminally online folks here have seen me post similar things before (the last time was like a month ago though... so I dunno)... So they think I'm some misinformation campaign or something. I don't know. Anywhere I go on the internet it seems I trigger people by pointing out obvious things regularly. I just accept that society is fucked at this point.

Edit: Yup, went and doublechecked. Last post I posted about plex in was 1 month and 5 days ago... https://lemmy.ml/post/28376589

The before that... https://beehaw.org/post/19228632
https://beehaw.org/post/19211350

All over a month ago... So I guess I must be a super shill to not even talk about plex for a whole month! I hope they don't cancel my checks.

That's based on the assumption that's your only account, though. Not that I'm calling you a shill, just pointing out the obvious flaw in your logic. Any actual shill would have sockpuppets to spread out their comments and hide their history.

... Check my instance... Would be weird for me to shill for someone on my own instance that I'm an admin for, no? Wouldn't I not shill for something directly on my admin profile? Also I think there's one other mildly active user on my instance... Nobody else here to shill with.

I suppose I could make accounts on other instances... Nothing I could do to prove that isn't the case... Just like I could say the same that all of lemmy is tankie bots.

You're just ignoring the point - we wouldn't know that without doing some work, and it still doesn't mean it isn't being done.

I believe you when you say you aren't doing it, but just like the issues with this reviewer, we just don't know the extent.

Well then the obvious answer would be that if I had all these sock puppets... wouldn't I just also upvote myself? Wouldn't that make a malicious intent much more effective?

What the other guy said. I repeat, I'm not actually calling you a shill. I even agree with your point about JF, I'm just pointing out your logic is faulty.

This is why when people say that FOSS is more secure than closed source I always laugh. Those people seem to think that because it’s open source that not only has it been reviewed in depth by security experts who know every single possible vulnerability, but that they found every vulnerability, fixed them, put in PRs that were then approved by the creator, who then made a new release with those fixes……. every time a new potential vulnerability is discovered in the libraries etc that it’s using.

Often it just leads to situations like this - known big vulnerabilities that are just never fixed.

It cuts both ways... Closed source things can be hiding shit... or simply never testing/caring about it... Oftentimes a truly interested person can externally test it and find the flaw anyway... but not always.

Where open source can have a lot of people who care about it... but never have the manpower to fix it.

The best open source projects are the ones that have closed source backing, it seems. I've had my company throw in resources into open source projects before because we used them.

But jellyfin and the like would be hard to get backing for.

FOSS isn't always more secure than closed-source, but it absolutely can be.

It depends on the priorities of the maintainers. It seems like Jellyfin's maintainers might not be putting a huge emphasis on security, which is very disappointing, but they are volunteers at the end of the day.

My assumption isn't that they're all fixed, it's that any particularly bad ones would be known about so I know to avoid it or not. Which appears to be the case.

Honestly it's news to me but having read through those most of them are not an issue.

setup a VPN. Pray you don't have a user on a device that doesn't have a VPN app that you can work with.

Dafuck kind of a nitpick is this? In what world does OpenVPN not have an application for every device and OS combo out there fully supported? You tryna watch it on a VCR or smth?

LG tvs and rokus I know for a fact don't have vpn apps available. And I'm sure there are plenty more.

Neither do Samsung, the jellyfin app works great on Samsung after the annoying process of installing it, but can't put a VPN on it that I'm aware of.

WireGuard doesn’t work on AppleTV

Products like Netbird and Tailscale have the ability to act as an ingress node on the network.

Alternatively you could setup Wireguard and a simple http proxy like Caddy. Just give your relatives a box to plug into Ethernet. You could even use it as a backup target.

For people who can't or don't want to run a VPN app, Tailscale has the Funnel feature, which can... Funnel traffic into your Tailscale net.

I've only used it for light stuff so not sure how well it will work for video.

There are other Mesh VPN solutions out there - I've used Hamachi for close to 20 years on Windows, and it just works. There's a Linux client too, though I haven't worked with it in years.

Alternatively, you can setup a Raspberry Pi just for the Tailscale/Wireguard VPN, for say at your parents'/friends' houses. Cheap, simple solution, and it'll handle DNS for the devices in the Tailscale mesh. This is something I'm doing for family/friends for unrelated/slightly related reasons (I'm reproducing the Backup to Friends feature that Crashplan used to have, so all of us can have multiple backups in our own "cloud"), but they'll get the side benefit of video, which won't get backed up, just duplicated everywhere.

Don't you need to set a static route in your router for that to work?

Hamachi definitely doesn't work on TVs...

This past week I switched my server to Jellyfin and migrated all my users over to it after I just happened across a thread a month ago about Plex charging for remote streaming on the 29th of April.

I never got an email from Plex about the change until April 29th... Scummy behaviour and I'm sure a lot of users and server owners bought their product in a panic as a result.

So far Jellyfin works perfectly, all my users are on Rokus and the app works perfectly on there.

Plex will only continue to get worse so I'm glad I made the jump.

So far Jellyfin works perfectly, all my users are on Rokus and the app works perfectly on there.

Considering that Roku doesn't have a VPN option... Then I hope you've at least obfuscated your media paths so it's not easily guessable on the complete unauthenticated endpoints for people to abuse/probe your server.

I keep an eye on my server and trust issues will be fixed in time as more and more users dump Plex.

Who knows what security issues Plex had and I ran that without issue. At least Jellyfin's aren't hidden.

If anything above fails... you're likely on the hook for support. Hope you plan for that!

It's a self-hosted service so... Duh?

Not that they're really an issue unless you are exposing your server to untrusted clients. You shouldn't be putting your servers on the Internet anyway, use a VPN.

use a VPN

No VPN apps for TVs. You know, the most likely thing older people would want to use to access your server to watch movies with.

Edit:

Not that they’re really an issue unless you are exposing your server to untrusted clients.

And the fact that many endpoints are completely unauthed...

My router (more accurately its software) has VPN support, using it for the whole network. You might be able to find one

Sure... but now you're supporting their whole network because you need the vpn in place. It quickly becomes a whole thing of support just to let your cousin's kid watch some old shows you have in your library.

Or if my Internet goes down, now my relative’s Internet 7 states over stops working.

Well I was taking it gracefully as a split-vpn. But yeah it's a fair question to have if it's misconfigured, or relying on something in your network (Eg, maybe you also setup a pihole and they lost DNS resolution due to vpn going down.) God knows with these random half-features that many consumer "routers" that are out there.

Depending on their router and how much IT labor you care to do for these people you can actually configure a site to site VPN tunnel. All traffic for a particular address range will get routed through the VPN automatically.

It used to be a high end feature but it's made its way into general routers since it doesn't really require many resources and it lets you label it as having more home office features.

I do NOT want to support my MIL's network which is 3000 miles away. It simply will not happen or work for either of us. Until Jellyfin has a decent way to support remote users, I simply cannot change her over.

If Plex folded or somehow forced my hand, I would just kick off all of my family and use Jellyfin on my local network. They'd hate losing access, and I'd hate them paying $$$ for a thousand streaming services, but at this point, that's what would happen.

Amen.

Honestly, you're supporting a chunk of her network by being a media provider in the first place. "It won't play" doesn't usually come with an assurance that it's not a device or network issue.

Neither plex nor jellyfin seem remotely worth the effort to provide to others in my opinion, I just felt like sharing that there are ways to afford network protection to locked down devices.

It's much easier for me to manage if it's a file issue though. It's much more difficult to manage an actual network 3000 miles away, especially if something actually goes wrong. Basically, "it won't play" can be checked locally. If it doesn't play locally, I'm happy to fix it. But I'm not about to troubleshoot her network issues for her.

Saying I'm "supporting a chunk of her network" is like saying Netflix supports a chunk of their users' networks. It's just not true.

Okay. You're still doing tech support either way. I have no way of knowing how much free tech support you're willing to give, hence my caveat of how much you're willing to support them.

Netflix would disagree. People feel like they're supposed to be getting access to a service, and if they're not getting it they'll complain to the nearest party to what isn't working. In this case that's you or Netflix being asked questions about why the router isn't working.
That it's wrong or irrational has nothing to do with who's getting asked the question, and who's the first line of troubleshooting when the service doesn't work.

If people didn't ask the wrong people questions, Netflix wouldn't need support articles on how to reset your router.

Yup already addressed this in another thread.

You have to take on supporting them now... supporting family is just like loaning money to family... or renting to family... or anything else with family. Stressful.

But even silly problems like what happens when their wireguarded phone connects to the wireguarded home wifi vpn... I can't imagine that it wouldn't cause problems that you're going to get blamed for.

But even then this is still Jellyfin's problem. It's clear the platform is MEANT to be public, otherwise there would be some integration with these other features that just don't exist.

I've got no real care for jellyfin one way or another, just sharing that there's ways to make the network obey.

I think giving people access to my media server is asking for too much trouble personally. Now you're dealing with forgotten passwords, people using your bandwidth at weird hours, and you basically become the media fairy, responsible for finding whatever it is people want, and then dealing with their issues when their device can't codec at it for whatever janky reason.

I'm good at setting boundaries with family so it's not stressful, just more annoying than I want to deal with.

I see this so often and nobody ever seems to realize that local/home VPNs use upload bandwidth, which for some is in dire low supply. I can't have 4 full-time users using my upload connection routing through wireguard, when all 4 stream videos throughout the day. And that's just 3rd party services like YouTube and Twitch, not plex. Then you add in two additional, off-site users who want to watch something with me on plex, and we are all given ~1.5 megabits a piece of a 10meg upload pipe over here. Mmmm, crispy pixels. 'you can just use some IPs in wg so you don't need to tunnel all data, just what you need', they say, and I rebuke by showing them my dynamic IP address. 'ask for a static one' and they haven't offered that for years besides enterprise customers.

And that's before I ask everyone 'so everyone download wireguard and scan your individual qr code, or I will send you the config file' and everyone but a single user just hears the ocean. Then I need to teach them about VPNs, why we use it, why plex doesn't work when the little lock isn't showing on their phones, why 'I had the lock in the corner but I couldn't make a call or get online, so we are all getting [thing you don't like] for dinner since I couldn't ask'. Then I have to troubleshoot and tell them to toggle it off and on again...

Then we get to the bit where they try to cast to the TV, and the chromecast is like 'lol wtf is a VPN' and we are back at square one, everyone hates me, I hate everyone right back, all changes from this experiment get reverted, and I lose credibility.

VPNs are useful, but I rage at people who assume they are a blanket solution for all situations and use-cases. And often, the people suggesting them are smug, like they have found something that nobody knows about and are superior because their situation doesn't color outside of the lines.

Damn that was nice to vent. Been bothering me for way too damn long.

and everyone but a single user just hears the ocean.

I'm sorry, but this made me bust laughing. This is dead accurate for a few people in my life.

Then I have to troubleshoot and tell them to toggle it off and on again…

And this is exactly the type of support a lot of people just don't want to do (including me). And the options really boil down to settle for supporting all this, or the risk of public access to unauthenticated endpoints.

They could just fix the endpoints and it'll be a non-issue. But they won't because "backwards compatibility".

There are even other options that I can pre-emptively offer... but they all SUCK.

You can whitelist ip access... ISP ips rotate and are dynamic.
You can setup crowdsec and/or fail2ban... until a user fails to login a few times in a row because users are users and get themselves banned, now you're back to support role.
VPNs already covered ad nauseam.

There are options... they all suck, especially when the answer of JUST FIX THE ENDPOINT is sitting right there.

I had the lock in the corner but I couldn't make a call or get online, so we are all getting [thing you don't like] for dinner since I couldn't ask'. Then I have to troubleshoot and tell them to toggle it off and on again...

"I'm sorry I made my collection of movies available for you to watch for free, I'll make sure to never do anything like that again"

Upload is upload. It doesn't matter if it's over the plain Internet or over a tunnel, you're still uploading roughly the same number of bytes per second.

You didn't read anything I said, I see

Tunnels have overhead. MTU overhead itself can cut 5% of your total bandwidth as a default (1500 -> 1420). Forget all the side-channel control stuff.

MTU itself is an interesting issue for wireguard. It defaults to 1420, which should be fine in most cases as the default is 1500 for most ISP connections. But there are interesting cases where you need to go less... If you try to cram a 1420 MTU packet down a 1440 MTU ISP connection (you need 28 bytes overhead minimum, so would need 1412 in Wireguard in this case)... you're rewriting a fuckton of packets and splitting tons of data that can ruin your connection speed (halving immediately).

I have seen some people recommend 1384 MTU before... The lower you tune this for compatibility the less speed you get.

Once again though... this is way over a normal user's head. And likely even over yours since you don't seem to recognize that this is happening and that it isn't byte per byte the same.

You should expect wireguard to lose you 5% speed minimum... with other issues potentially making it worse.

Edit: clarification on a sentence cause the wording was bad.
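The per-packet arithmetic behind the MTU discussion above, as an added Python example that is not part of the thread. It assumes WireGuard's data-message sizes (16-byte header, 16-byte authentication tag) carried in UDP over an outer IPv4 or IPv6 header without options, and that an oversized outer IPv4 packet is fragmented on the path rather than dropped; the function names are hypothetical.

```python
import math

# Sizes assumed by this example, in bytes.
WG_HEADER = 16               # type (1) + reserved (3) + receiver index (4) + counter (8)
WG_TAG = 16                  # Poly1305 authentication tag
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}   # outer IP header, no options / extension headers
PAD_MULTIPLE = 16            # plaintext is padded to a multiple of 16 bytes


def tunnel_overhead(outer_ip_version):
    """Bytes the tunnel adds around every inner packet."""
    return IP_HEADER[outer_ip_version] + UDP_HEADER + WG_HEADER + WG_TAG


def max_tunnel_mtu(path_mtu, outer_ip_version):
    """Largest interface MTU whose full-size packets still fit the path."""
    return path_mtu - tunnel_overhead(outer_ip_version)


def outer_packet_len(inner_len, tunnel_mtu, outer_ip_version):
    """Size on the wire of one encapsulated packet, including padding."""
    if inner_len > tunnel_mtu:
        raise ValueError("inner packet larger than the tunnel MTU")
    # Padding rounds up to 16 bytes but never past the interface MTU.
    padded = min(tunnel_mtu, math.ceil(inner_len / PAD_MULTIPLE) * PAD_MULTIPLE)
    return padded + tunnel_overhead(outer_ip_version)


def ipv4_fragments(outer_len, path_mtu):
    """Number of IPv4 packets needed to carry one outer packet."""
    if outer_len <= path_mtu:
        return 1
    # Every fragment but the last carries a multiple of 8 payload bytes.
    per_fragment = ((path_mtu - IP_HEADER[4]) // 8) * 8
    return math.ceil((outer_len - IP_HEADER[4]) / per_fragment)


def analyse(inner_len, tunnel_mtu, path_mtu):
    """Cost of sending one inner packet through an IPv4-outer tunnel."""
    outer = outer_packet_len(inner_len, tunnel_mtu, 4)
    frags = ipv4_fragments(outer, path_mtu)
    # Each extra fragment repeats the 20-byte IPv4 header.
    wire = outer + (frags - 1) * IP_HEADER[4]
    return {
        "outer_len": outer,
        "fragments": frags,
        "payload_share": round(inner_len / wire, 4),
    }


if __name__ == "__main__":
    path_mtu = 1440  # constructed sample: a link with a 1440-byte MTU
    print("overhead v4/v6:", tunnel_overhead(4), tunnel_overhead(6))
    print("largest safe tunnel MTU:", max_tunnel_mtu(path_mtu, 4))
    for mtu in (1420, max_tunnel_mtu(path_mtu, 4)):
        print(mtu, analyse(mtu, mtu, path_mtu))
```

A full-size packet at the 1420 default on this constructed 1440-byte path goes out as two IP packets; lowering the interface MTU to the computed value brings it back to one.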

use a VPN.

That's difficult when most smart TVs / TV boxes don't really have a VPN option.

Plex works just fine without a VPN.

I am pretty positive you are a Plex shill too at this point...

Keep popping up every time somebody speaks good of jellyfin...

If there are really all those safety holes... Please explain why my publicly exposed instance never got hacked all these years.

And every time I speak up about it... I find users that never heard of it and want to learn how to reasonably fix it. And those discussions happen.

Example:

Am I a shill for talking about the risk of this specific software and even how to mitigate it with others? or am I a shill because you're defensive over software that you happen to use/like?

Feels like you patrol lemmy to post again and again the same list of "bugs" about a single specific piece of software meanwhile there is an open war moved by a commercial company against that specific piece of software, so yes this is why I think you work or have some personal interest in Plex.

And the fact you run both means nothing, it only makes sense that Plex people check out the market.

Also, jellyfin has real downsides to Plex and security is not one of those.

Ah yes, I patrol lemmy... waiting over a month between posting on the matter... and present some solutions to the problem myself while advocating for a resolution of fixing bad unauthed endpoints?

Also, jellyfin has real downsides to Plex and security is not one of those.

Unauthed endpoints are literally a bigger security issue than anything plex has ever shipped.

How do you even know you were hacked? Are you monitoring the traffic?

I am monitoring my stuff, yes, I think it's basic selfhost good practice when you expose stuff.

Beside the monitoring, if I got hacked, they did nothing with that hack so, what's the point.

Unless of course all my collection has been converted to porn or something without me even noticing...

I had the same thought and I don't understand why you are being down-voted. All those "security issues" are a minor inconvenience at worst. I went through them twice and I am fine living with them in my publicly exposed instance (publicly just for myself and my wife wherever we are).

It's plain deceitful to say jellyfin is simply better. It's simply less capable and less supported. I don't know if you're trying to deceive others or just yourself.

Here's the difference: With Plex it's trivial to invite other people to watch content from your server, they can view it on just about any device they have and it doesn't take any complicated networking setup to achieve. Likewise, just as you share your server, you can view content from other people's servers through the same interface. This is not a small feature it's the primary feature of Plex, it's what sets it apart from xbmc or any media center software.

I am totally on board with FOSS and I would absolutely use jellyfin in a second if it could do the things that Plex does. But it can't.

As a side note, this new interface for Plex on mobile is absolute shit, a big step backwards. If I had my way I'd still be using the Plex app from 2016.

The real problem with Plex is that it's a whole package, server and client. If it were instead a server and an open protocol, that anyone could make a client for, that would be vastly superior. I desperately want to use a more customizable 3rd party client with my Plex server.

No it's not, they have to create a Plex account. If putting a URL in a window is too technical then creating an account is. Also jfa-go has made inviting so easy.

I just looked up jfa-go, I'm not at all opposed to trying things if they'll work.

It seems like jfa-go is a user account management system, which is indeed super useful. But it doesn't handle the remote content part. I'm still not going to create a VPN to share content.

Am I correct that there is no first party Jellyfin app for AppleTV?

There is not, but Infuse is what the Jellyfin project officially recommends.

There is Jellyfin, Swiftfin, and Infuse - the latter being 3rd party, but it's my favourite so far in terms of stability :)

If I remember right I tried to do the Infuse free trial but either Apple or Infuse was choking on processing the trial request and I could never use it.

Correct, but there is an Emby app for every device.

Emby is a paid service right?

Yes. But there is a different option. There’s a list of clients on the website.

Correct and what I've seen from Jellyfin / Emby are poor looking at best. While I could cobble together a system that works for me, there's no way anyone I share with would put up with it. Plex is PLEX for a reason.

If you use plex and jellyfin anyway, i suggest checking raspberry pi and kodi (libre elec) as an alternative. The pi4 is fine for hd at least, some use it for 4k but i have no exp with that. It works well and helps you get off the apple ecosphere.

Jellyfin really needs to work on security and server discovery.

As it is right now you have to manually input the server URL unless it's on the same physical network, discovery won't even work with broadcasts across VLANs, or over the internet.

It doesn't even work right on the same net sometimes.

I think the better answer would be to not expose Jellyfin to the internet.

Although it would be cool if it integrated with something like p2panda or libp2p

And with that it loses any edge it had over Plex. If I have to install a VPN on every device of every user, just because the project won't adhere to basic security practices, then I will not switch to it.

I still would choose Jellyfin over Plex in a heart beat. You don't need to switch if you don't want to.

Thanks for your permission

It loses a massive feature that Plex has and does really well in that case.

"Better"

Maybe if they'd fix their glaring security issues

Or their convoluted settings. When there's a github project that does the HW encoding settings for you, you know it's intuitive...

https://hydrahd.sh/

Use free streaming sites.

Anything that you want to 'collect' can be downloaded and stored on an external hard drive and taken with you where you need to go.

Don't overcomplicate things just to fit in with losers on the internet.

Well this thread is an absolute shitshow.

Jellyfin is great, but if you refuse to let yourself understand that Plex's ease of setup for remote access is a point in its favour - especially when sharing with non-tech savvy people - then you're just as bad as the supposed "Plex shills".

Plex is well on the enshittification train, and I've always been a bit concerned about how private it may or may not be, but there's absolutely no way I'd have been able to share a Jellyfin instance with my grandfather, especially as his dementia got worse.

I tried jellyfin but it isn’t even close to as good as plex

Same as my experience

The UI for Jellyfin is horrendous.

I don't get that. Both display content and seem very similar. Now does Jellyfin have problems yes.

Emby’s better than both, but jellyfin folks are probably going to crucify me for saying that.

jellyfin was a fork of emby anyway, its core framework is solid.

Emby has more of the plex-like polish, but it is more closed source than I would prefer to trust with my media, so I get by with Jellyfin. It works more than well enough for my in-home media streaming and I still run plex for my remote users as I bought a plex pass way back at the start and I'm going to use it until I simply can't anymore... which seems to be rapidly approaching.

Can't say my remote entry isn't working. Was streaming it from my phone in the firefox and chrome browser while on the go and also from my work pc.
Can't imagine how easier one wants it to be in comparison (it's literally like navigating to Youtube).

Samsung TVs have a Plex app, but not a Jellyfin one. Lots of people have Samsung TVs. I mean lots. Other modern TVs are likely the same, like Onn (at least the Roku TVs) last time I checked, and again they are all over. The ease-of-use factor really is a huge win for Plex.

Edit: Yes, Samsung Tizen models can try and sideload an app, but that's not something the vast majority of people are ever going to even think about, let alone figure out how to accomplish.

Edit 2: Well shiver me timbers, Jellyfin's on those Onn TV's. TIL.

Using roku jellyfin app daily, but I agree the fact that Jellyfin's app hasn't been approved for tizen yet is a point against it

Is that on an Onn TV? I might have to go check it out again. Thanks!

Yeah it's a cheap ass roku onn I got from a roommate. Worth a look. To my knowledge tizen is the only major platform jellyfin isn't on, and from what I've read that's more on samsung than on jellyfin. It's been up to date and submitted for a while now, it just hasn't been approved by samsung

Yeah, I'm not about to defend Samsung or their app distribution by any means, I just know they had the Plex app when I needed it.

Thanks for the heads up on Roku though, I appreciate it!

I believe the AndroidTV client is the only really actively developed client.

It's not the same as a native app, but I use my Jellyfin instance on my Samsung TV via the internet browser. Scrolling is a bit of a hassle and 4K Streams apparently don't work, but otherwise it works just fine

Yeah, I get it. I just prefer the polish.

Always funny how anyone is crucified (on Lemmy) for using Windows or (how dare you) paid and/or free proprietary software.

Yet when it comes to something like Plex they always backpedal and either state that they don't have something like that or it's so convenient.
If one goes on a (F)OSS crusade at least be consistent... >:(

for using Windows

Has a time and place... But for the general person you can just put them in front of linux and they wouldn't have any idea as long as they can see the chrome icon to get to facebook.

I can see that side of the discussion... Getting over the roadblock of installation... I've converted many people to Linux. My argument with people defending windows is that they always seem to think that "windows just works"... which it really doesn't... or that linux sucks because of x, y, and z... and when I pull out a news article of windows having widespread issues because of "x" where x is literally the same x as they just said for linux... It's cricket chirps all around.

Plex is convenient. Its userbase is proof of that. Windows is convenient in that it comes pre-installed on the computer the user is using... but otherwise a user would be perfectly fine or even possibly have less issues on linux.

I don't find that to be inconsistent.

As someone with lifetime Emby premium, I switched to Jellyfin.

Why?

Emby development is dead in the water. It works, it's stable, but it's treading water. And because it is partially closed source and not changing much the addon development community is not as robust. If you try it and it has what you want, it works just fine. But I want an active community making new features and developing add-ons and extending what I get out of it. I did not need premium to get a similar feature set out of Jellyfin, I am an experienced self hoster so I was able to switch without missing a beat. And now I can click a button to skip an intro, or the recap for the episode I just finished watching. And I can try the very large set of add-ons that are out there.

I as an arch using turbonerd absolutely love jellyfin and how I can make it do what I want.

I run plex too, because the support I'd have to provide to family members when they need a password reset, or the jellyfin app doesn't work right on their new Hisense smart TV would be the death of me.

This. Having to provide the support is what stops me from dropping plex entirely. I host jellyfin for the devices I control, and plex for my family and friends, all pointing to the same media.

Not that bad. It's been about the same for Plex maybe less. Have had lots of Plex isn't working when their servers were down.

Yeah but I've always blamed plex for 10 years even if it's my fault, so they default to it being a plex issue and don't bother me!

I have had very old and non techie people setup Jellyfin. Putting a URL in a box is not actually rocket science. I thought it would be way harder but they did it.

How so?

Yo dad, here's the login:
username: dad
password: Pa$$TheP0p

If it asks for a URL on the first screen input the following URL: https://jellyfin.domain.tld/

If you (or a relative) can't manage that, I'd be afraid to even let you handle a car or open a bank account.
Can't imagine your relative doesn't also have to create a plex account somewhere to then be invited to the plex share or input the URL to request access.

For the record, I fucking hate Plex.

But this is a disingenuous simplification of where the gap is.

Me, my brother-in-law, and friend all share our libraries with the same elderly relatives.

The GAP is that great grandma has to log in/out between servers to find content that may or may not be on an individual server. Plex lets you search/aggregate from all sources without having to jockey credentials and servers.

It's not a giant ask. I heard a fucking absolutely brain-dead take that "that would require a centralized server which is against Jellyfin's core ideology".

So, I dunno. Maybe it isn't YOUR use case, but it's MY use case. Doesn't make me a shill. I'm still pissed as hell.

But don't fucking pretend that there is feature parity when there isn't, and don't accuse me of being a shill just because Jellyfin literally doesn't support my use case. I WISH it did. I HATE PLEX.

They won't even get to the login screen.

All my relatives seem to have Hisense VIDAA TVs. There's a plex app on the store. Jellyfin would require an external device like a Chromecast or HTPC to use it.

But now telling them it's $3/month to watch my pirated movies? No bueno.

And on topic, I develop a commercial app and there is no way I am dropping a rating or review on it.

Assuming you set it up for SSL, and you own and manage your own domain, and they're using a computer. Easy. So for the 10% it's cake.

How's it look for the rest?

Oh cool so you’re ok with opening ports on your server to the internet with no authentication. Good for you. Most of us with the technical knowledge of hosting a media server know better.

What's not authenticated? Run it through nginx and cloudflare, what exactly am I missing?

https://github.com/jellyfin/jellyfin/issues/5415

A reverse proxy won't help (unless you're doing authentication with it). A cloudflare tunnel would help, if it requires authentication.

Neither helps because jellyfin doesn't work with auth in front of it. https://github.com/jellyfin/jellyfin/issues/13751

And any auth mechanism breaks EVERY app even if you implement one that doesn't break the web UI. (short of VPN or other similar type of auth'd tunneling).

This is misinformation.

I run my jellyfin behind reverse proxy and use SSO pretty well. There is an OIDC plugin for jellyfin that just works with your preferred SSO.

Indeed Plex is easier to use, and manages all that for you, but this is a self-hosted community after all, there are smart people capable of running a reverse proxy and a proper SSO.

For the others, Plex indeed is worth paying for (?).

Fortunately, jellyfin loads fine behind an nginx proxy using basic auth.

Sounds like it works fine in the scenario I was discussing.

Ah yes, single cherry picked sentence... Care to read the very next line? Where "unfortunately, [...]"... Is that "shit doesn't load right?" Weird.

Do you know of any apps that support basic auth input for jellyfin? No... Weird? What did I say again?

Oh right, I can just scroll up and read it.

And any auth mechanism breaks EVERY app even if you implement one that doesn’t break the web UI.

I just tested and was able to get to the login page with an nginx proxy in front of jellyfin. A login attempt causes nginx to throw an error, but jellyfin itself seems fine. If I disable http basic auth, I'm able to log in and play video. This looks like an nginx configuration issue, and if I cared enough to actually get it working I'm sure it would.

Try logging in.

This is all you'll see. Even if you setup a "guest" account with NO password... it's all you'll see. This is not a Nginx issue.

Edit:

The error appears in Jellyfin's toast mechanism... so you know it's not nginx.

Edit2: oh and don't forget to downvote this comment too. I see you :)

Edit3: actually I just realized that you think THIS is nginx's fault...

It is, but it isn't... It requires the wss target on the server to handle it.

Jellyfin doesn't do this. Nginx is passing it properly.

Edit4:

Thanks dad!

Ah, let's hope these get fixed then... 😬

And with Plex you're opening 32400, not sure what your argument is.

Oh no, Chinese hackers know I only like the first 8 seasons of The Simpsons!

They would, I suppose, were my Jellyfin available to anyone living outside of my own state via geoblocking. You can't even connect to it from the country I host the proxy from, not that they'd do anything if they could, all of the data shared is read-only.

I would've just let my setup be open, but, like you said, most of us with the technical knowledge of hosting a media server know better.

edit: chill with the downvotes, lads. Season 9 isn't completely terrible.

obamaaward.jpg

"Reviews" but there's only one.

This is probably some employee who genuinely likes the U.I.

An actual company-sponsored campaign would NOT use names from actual employees.

Corporations drill it deep into your head that you do not positively promote your own products or negatively review competitor products without both making it clear that you (1) work for $Corp; and (2) are sharing your own, personal opinion.

Giving the benefit of the doubt to Plex, they suck at training employees about social media policies.

Corporations drill it deep into your head that you do not positively promote your own products or negatively review competitor products

This isn't a general or global thing. I have yet to be told the above in any place I've worked, and one place even asked people to write fake reviews on Trustpilot/job sites.

Might be. It is definitely a thing, though.

When I used to work for a large American corporation that sold products to consumers, they took it extremely seriously and breaking it would result in disciplinary action. It probably had something to do with advertisement laws, but it also easily could have just been because it makes the company look very bad.

one place even asked people to write fake reviews on Trustpilot/job sites

That sounds unethical, to say the least. Did they verify if you actually did it, or just "suggest" you do?

Might be. It is definitely a thing, though.

Oh I have no doubt about that - maybe there's a story behind their strictness. Maybe the companies I've worked for have not yet had an employee publicly embarrass the company to such an extent, that they felt the need to make this a mandatory part of employee onboarding.

That sounds unethical, to say the least. Did they verify if you actually did it, or just “suggest” you do?

There was no top-down verification, but I worked with a few Grade A suck-ups, who would proudly volunteer information on which accounts they used and which posts were theirs. I kept politely ignoring the repeated verbal requests until management moved on to their next big obsession.

Are we even sure it's the same person?

"Plex respects their employees autonomy" wow really??

Mobile app reviews are worthless anyway.

Dude just could have said something like, "Hey, I'm a developer of Plex and have really enjoyed my experience using it. Let me know if you'd like to see something added/fixed."

Is it fake or just a review by an employee that uses plex?

Yeah, I'm all for roasting Plex but nothing about that review is inappropriate or prima facie untruthful.

It's inappropriate because you're not allowed to review your own company's software, let alone do so without declaring as such.

You’re not allowed to review your own company's software

Says who? They can still be a user of it.

Google says you can't. It's a violation of their ToS.

Really, can you point out which section that's in? All I find is "creating fake accounts or content, including fake reviews", which doesn't apply here if the person does use the service.

Who says you're not allowed to?

Google ToS

The update makes the download feature objectively worse. So, that was a stretch to praise both.

This review would have had a lot more credibility if he at least disclosed his affiliation with Plex. Instead, he posed as some unbiased rando while advertising Plex Pass. This is textbook gaslighting.

If you look on Plex's review page in the Play Store, it's receiving overwhelming amounts of negative reviews over the new UI changes, reliability/performance problems, and how the Lifetime Plex Pass purchase is a lifetime of regrets as they watch Plex getting worse every month by enshittifying itself.

If Plex is resorting to leaving fake reviews to save face, then this company is in deeper trouble than I thought.

From the forum post:

Just because he works at Plex doesn’t necessarily make his review fake.

Yikes the copium here. Reviews are meant for users of the app, this is so incredibly biased and in bad taste. I have had my shittiest companies ask us to leave positive reviews on Glassdoor. The shittiest ones.

Maybe their big redesign that no one asked for isn't doing well, and this is a self preservation thing, to get more people to download it. Maybe CEO asked them to. Maybe they're just over eager. All are excuses and not valid reasons to give a rating on your own company's product

I don't count this as fake. He most certainly uses the software and the features he described are actually features under plex pass. And I no doubt believe he enjoys it. No lies here. My experience with plex pass is the same lol.

I think the point being made is that company staff shouldn't be leaving five-star reviews on products they, themselves, work on. Whether they do it because they love the product, or a company suit told them to. Personally, I think it's fine to try and convince people to use your/your company's software, but giving yourself a five-star review to do so is downright pathetic.

Mostly without being transparent, and stating they work for the company.

I'm fully okay with them doing so, but they have to disclose that they're doing so. Like the fact that the review didn't disclose that they were an employee is very sketchy to me.

They seriously enshittified the download feature. You used to be able to set it to download X number of unplayed episodes. Then it would manage downloading fresh content for you as you watched stuff. Now you have to manually download each and every episode yourself. This was literally the killer feature Plex had over Jellyfin for me.

I think they're getting pressure re the pirating aspect. I could imagine the bigger they get the bigger the magnifying glass will be held up to them. They're probably doing some fancy footwork to be able to remain in production / avoid lawsuits and similar pressure.

Sure, that's why they keep adding features people don't want. But gimping one of their key paid features makes no sense to me.

I would imagine it's harder to argue you don't condone your users using it for piracy when you have a feature that automatically does stuff very closely related to piracy. I'm not going to get into an argument over whether it's defensible legally or not, but it makes sense to me that they play it safe in general.

Oh, ffs, really? That's kind of the reason for a download feature.

Pricks.

Yeah fair enough, and I do agree. I only reused the title of the forum post where this was originally posted. Have changed the title up now.

If he was forthcoming in his review, it would have been too obvious that it's a breach of the ToS. Workers are not permitted to review apps made by their own company.

This is 100% a shady review.

And of course the twats locked the thread.

Daily reminder, Plex fails to include a libre software license text file. We do not control it, anti-libre software.

In addition: Sharing this post from r/selfhosted which also describes the recent Plex situation lately, worth a read.

What do ya know, yet another day of being happy I never invested in Plex

Yet again Plex is an amazing example of how people become more angry because they give things away for free.

If everything required a Plex pass less people would be angry.

Just use what you want.

I personally don't see a reason to use Plex over Jellyfin. Apparently some people agree since Jellyfin made bank from donations.

Plexamp

A lot of the angst about the server requirements for Plex pass really have to stretch the truth to become a victim. It only affects you if you were using it for free, in which case 🤷, it was free, it's hard to feel bad about it.

The only thing I'm disappointed in is the free mobile streaming comes at the same time they released the new broken app. When they get around to fixing the app I'll be able to tell my friends they can now use the app. The server owner paying once is much better than every person paying for the app.

Is the user from Playstore the real Rui Lebre? I mean, I can create on any platform users with real people names, but how can people know that it is the real person that is creating the comment, not just an imposter?

Don't know for sure ofc, but the co-founder has commented in the thread without addressing the issue. They've also closed the thread without addressing it altogether which also seems weird. Surely if it wasn't him they would have said so?

lol, did he have the AI bros in marketing write it too? If they’re gonna do this they could at least write their own bullshit…

I'm not a fan of Plex and switched to Jellyfin very early on, but I'm a bit confused by the outrage here. He used his real name to report on a UX he built. I see FOSS developers do this all the time, and it seems pretty innocuous.

I can imagine if he generated thousands of anonymous accounts and did the same it'd be very bad, but an author commenting on his own work using his full real name doesn't seem like a conspiracy plot

It isn't terrible but it isn't great

It would've been better if he gave a disclaimer

I fucking hate how I can't listen to my music libraries in the main app now. I have a separate profile for other people in the house and I can't switch profiles with plexamp.

Community Manager: After we changed the terms of our public client to force everyone to pay for what used to be a free service, our ratings have taken a hit. If we don't get back to at least 4.0, Google won't feature us for free advertising. Everyone, go and leave a 5-star review.

Developers: but there are mill....

Community Manager: STOP, go and review now. scoot!

I work at a brewery. Am I not allowed to tell people I like the beer I brew? I'm doing this very wrong I guess my brewery has been enshittified by me. Bummer

Never underestimate the sycophantic idiocy of individual tech workers. One developer does not make a corporate policy. I’m not defending Plex though, if I used them I’d switch away.

Conflict of interest

This was a nice reminder to leave some bad reviews on the App Store

Yeah this "revamp" is just bad. I dislike it a lot. I'm seriously debating on rolling it back... but I don't tend to watch media on my phone and the new update hasn't hit any of my TVs yet.

I rolled back. It was fairly easy and now the downloads work again.

It literally crashes the app for me every time I go to downloads. I had to revert to the previous version

Never thought I’d see the hate for plex on here get to this level.

Every update they've made for just about the past decade has made the product worse for the original users who just want to stream their own media. This last UI update killed my favorite download feature. They deserve the hate they're getting.

That's what happens when you piss off a loyal fan base

it's almost as if a small group of people are desperately trying to make people change to jellyfin.

6 months ago I was seriously looking at jellyfin as a Plex alternative. Now? nah, I'm good.

I'll take a corporate shitheel company over a roach infested toxic community any day.

the more they push the less I want anything to do with jellyfin, and the leaders at jellyfin should be made aware of what their community members are doing.

A large group of people got pissed off at all the enshittification of Plex. It isn't a personal attack and you are welcome to keep using Plex. However, it is evident that many are looking towards Jellyfin as a better alternative.

You clearly have not been in a lot of Plex/Jellyfin threads. Using Plex is often portrayed as some kind of capital sin by hardcore Jellyfin fans.

I'm also in the boat of letting people use what they want, but the discussion is usually not made in good faith

but the discussion is usually not made in good faith

"Everybody who disagrees with me is a troll or a shill."

Sure, buddy, because Free Software projects run by volunteers famously have huge guerilla marketing budgets. Won't somebody think of the poor for-profit companies who first got their leg up by taking Free Software code they didn't write and then subsequently gradually closed and enshittified it? They're the real victims here.

Nobody said anything like that. I'm just saying that Jellyfin fans tend to get pretty emotional when the topic comes up, as you just proved fabulously

I’ll take a corporate shitheel company over a roach infested toxic community any day.

What an asinine fucking take. Even if Plex were better than Jellyfin in every single way (it isn't), this take would still be asinine. I mean, wtf dude. You can just not care about the community and everything keeps working. A "shitheel" company will do everything to make your experience suck.

Meh, seems like a sensible take. Certainly better for your mental health.

Communities matter. There's a reason I'm not on X, there's a reason I don't play pubg or overwatch, toxic communities can seriously make any experience suck.

You can just not care about the community and everything keeps working. A "shitheel" company will do everything to make your experience suck.

And a toxic shitheel community won't do that?

it's comments like yours that makes me feel vindicated in choosing corporate over FOSS, and I know I'm not the only one.

Thanks for doing your part in proving my point.

No. You know you don't need to join a community for using something, right? I didn't join a community for my dishwasher. Not even for most of my apps, actually. It's very easy. When you choose corporate, you're giving money for shit service. There's literally no way to dissociate from that. On the other hand, you can simply not participate in a community, no one's forcing you. It's just weird that you'd still prefer the corporate way.

yes please explain to me what I have to do.

that's not toxic behavior at all! /s

I'm not a member of the Plex community, never have been. I expect the service to be tailored to make the company a profit. That's literally all I can trust them to do.

so what can I trust the jellyfin community to do? right now they're toxic as fuck towards me because I'm telling them they're being toxic as fuck. the software they built could be the most beautiful and elegant solution in the whole world. but...I'll never know that because I can't get past being vilified for calling an apple an apple.

Jellyfin, get your shit together or you will never get past the whole "Plex is shitty" phase.

winners don't care about winning, they only care about being the best they can be. maybe focus on more of that and less shitting on Plex for doing whatever they're doing.

I’m not a member of the Plex community, never have been.

so what can I trust the jellyfin community to do?

Clear double standards. Just use the product if you want to.

yes please explain to me what I have to do.

Alright, man. Do what you want. I'm just pointing out that you have a weird double standard, ffs. Have a great day. (Or maybe not, I don't wanna tell you what to do.)

maybe focus on more of that and less shitting on Plex

Also, you seem to be happy to tell people what they need to do. (I realize I'm being petty and annoying here, but that's kinda on purpose for this one. I get pretty fucking frustrated by double standards.)

My original comment wasn't telling anyone what to do.

I was telling the jellyfin community what I was going to do. y'all didn't like that too much though did ya?

then you came at me calling my comments asinine while attacking my position that the community is toxic as fuck by telling me to "ignore the problem". yeah, thanks for telling me what I should do.

when I pointed out that your comment is exactly the kind of toxic shit I can't support, what'd you do? you doubled down and told me more of what I should do!

thanks, if I need bad advice I know where to go now.

the only time I said what anyone should do, it was addressed to the whole jellyfin community as a fucking favor because y'all are a toxic bunch of snowflakes that are clearly too emotionally immature to understand you're alienating outsiders and killing the jellyfin brand.

I guess the point that you're not understanding is that I expect Plex to abuse me. I know what their motives are. All I know from jellyfin is that if you even mention "Plex", the community will come out of the basements they hibernate in and shit down your throat for even suggesting anything other than jellyfin.

Jesus fucking Christ you guys! look at yourselves! how about y'all read your comments to your spouses or mothers and see if they think you're a bunch of toxic assholes. you obviously won't listen to reason from a stranger.

shit man, I don't even fucking care about your asshole project enough to get this deep in comments. I just believe that FOSS deserves a better community than these shitheels.

Wow. Hope you calm down later and realize what an insufferable cunt you're being right now. (I'm not going to give you a retort anymore, because it's clear that all of that is falling onto deaf ears. Fucking hell.)

Just ignore the security problems with remote streaming.

I have been really happy with hosting my stuff via Emby even with my friend's library on Plex. I have found the media recognition and identification system in Emby to be much better/easier to use.

While the music player in Emby is nowhere near as good as plexamp. I mostly store a local copy of my music on my phone anyways so it is not really an issue. I am going to start playing with navidrome when I get time but a one directional sync with syncthing from my server to my phone would also work for my needs.

The Emby app on android tv is decent but not flashy and does not have streaming content by default, it is fully functional as a media player for library files.

I ditched Plex for Jellyfin a while ago and am not a fan of Plex, but this is the silliest thing to complain about. First of all, just because they work for Plex doesn't automatically make it a fake review. Certainly wouldn't call it an unbiased one, but that doesn't mean the review is fake.

It would've been fine with a disclaimer

It's biased and problematic because they don't state they work for Plex.

Thing is, had they been transparent about it, at least we could give them credit for acknowledging that up front. Now we have to wonder how many reviews are from employees.

Today i finalized my switch over to Jellyfin. I was a lifetime member but i'm tired of letting them scrape my data.

Counterpoint: when I worked at Panda Express, I used to leave fake reviews on our store about how helpful and professional pp_boy_ was because I wanted a raise. Never did it on any accounts attached to my name though.

do you know for a fact that is him and not just someone using his name? either way this is fairly harmless

That plex thread is a shitshow

it’s a single review, who cares?

Is it?

Have you performed the analysis on Plex reviews and know exactly how many 5 star reviews were posted by employees?

Because I don't, and that's a problem, as well as a Google ToS violation.

I hope their app gets dropped from the store, at least long enough for them to have to go groveling to Google to get it reinstated, especially since Google likes to drop OSS devs for undisclosed reasons, and make them jump through hoops to get back on.

This reminds me to go leave a review on their refresh of the app. I just got off a plane and Plex wouldn't load once I lost service for me or my wife to watch our downloaded media.

Why all the hate for Plex?

I find it interesting how the remaining Plex fan base gets extremely pissed off when you criticize Plex. Saying how much you dislike a product doesn't mean that you are attacking the product users.

It doesn't have to, but the tone that is used when criticizing Plex users is pretty personal a lot of the time. Hard not to take it personally when using Plex is portrayed as a sign of brain damage

Ohh, ok. That's not good, and those are some good points. I actually thought Plex was a nice, open source, project and bought a Lifepass 🙈

It runs very smooth, and I really like the plexamp app for iphone. Does Jellyfin run as smooth, and have a music stream app?

I used plex like a decade ago is it still the only decent option for file share streaming?

i mean im sure they use it too and nothing they said was anything but their personal opinion so i don't think it's that big a deal

subtitles have completely stopped working for me :/

Hence why you should never trust proprietary software (or even hardware if you wish)

edit: replied in the wrong spot. moved elsewhere in the thread.

Plex has always been shilled hard for useful idiots with more money than sense.

Like, free streaming services are right there. Why overcomplicate things just so you can fit in with other losers on the internet?

I swear, so many of you are leaning on each other without realizing none of you have a clue what's going on.

Do you hate Plex so much that you're going out of your way to invent fake reasons to try to make others hate it even more?