cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this someone in my household who watches our server. That’s it folks. I’ve been a hold out for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I’m unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don’t understand what plex pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality. I don’t care that “People should pay their fair share”. If Plex wants to put every new feature behind a paywall, that’s completely okay. They are removing functionality.
- “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
- “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that’s a separate conversation). All “remote streaming” is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.
In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.
I use jellyfin, and jellyfin is not safe to expose to the internet.
They have a handful of vulnerability and security holes that have been open for like 5+ years now. And the old emby architecture is quite difficult to work with.
A load of those so called vulnerabilities are way overblown and in most cases require you to be logged in anyway.
So you’re saying there are some vulnerabilities which are not overblown and therefore should be a concern?
That is with any piece of software. their will always be some vulnerabilities that are very bad. so by your definition using any piece of software is a concern.
I agree with you, it’s likely this vulnerability is only known because Jellyfin is open source… how many are hiding in Plex’s proprietary source code…
Anyways when has anyone ever been pwnd by this “exploit”, I have seriously never heard of anyone being “hacked” by one of them.
Definitely overblown as far as I am aware… don’t post your instance url all over the internet and you will likely be fine.
Using Plex (is fine, do whatever u want) and giving them your data instead doesn’t really help you (or at least sending your data through them).
You don’t need to post your IP. Any server admin would tell you that if you have a server exposed to the internet then you’re going to get people / bots knocking and your doors (ports) to see what is open. They could then use something like meta spoilt to find vulnerabilities and gain access to your server.
Hm I don’t remember posting the comment you are replying to, to the one I replied to.
You are right, but I still argue that keeping Jellyfin up to date is fine, there’s no serious bugs (afaik) that will compromise your whole server for instance, so these bots have nothing valuable to exploit here.
When I say don’t post your instance url I was talking about normal people finding it to try streaming from it without auth, I think I was replying to someone else and though this was the same thread.
And they actively refuse to do anything about them because it would force clients to update. You could just just as well open an unsecured ftp server to your content