Comment

macstainless@discuss.tchncs.de ⁨9⁩ ⁨months⁩ ago

I’ve heard jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.

source

Sort:hotnew top

mic_check_one_two@lemmy.dbzer0.com ⁨9⁩ ⁨months⁩ ago
Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.

source
fmstrat@lemmy.nowsci.com ⁨9⁩ ⁨months⁩ ago
I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The curl script is in the ticket.

I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.

So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues require a logged in user (hit admin endpoint with user token).

Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.

@EncryptKeeper@lemmy.world

source
cantankerous_cashew@lemmy.world ⁨9⁩ ⁨months⁩ ago
To be fair there is a tvOS app in development but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help and the maintainers post updates here

source
rumba@lemmy.zip ⁨9⁩ ⁨months⁩ ago

I’ve heard jellyfin has a lot of security issues

The biggest known stuff I saw on their GitHub is that a number of the exposed service URLs under the hood don’t require auth. So, it’s open-source with known requirements, you can tell easily from the outside that it’s running, and you can cause it to activate a LOT of packages without logging in. That’s a zero-day in any package that can be passed a payload away from disaster.

AS far as TVOS, I’m kinda surprised swiftfin doesn’t service you.

source
- macstainless@discuss.tchncs.de ⁨8⁩ ⁨months⁩ ago
  Yeah… that’s a non-starter for me. Not gonna risk my entire home lab when Plex doesn’t have any of that risk.
  
  Also, running in Docker is fantastic but I’ve found Docker to be unstable at times depending on the version.
  
  source
  - rumba@lemmy.zip ⁨8⁩ ⁨months⁩ ago
    Oh, Plex has the risk. A vulnerability in Plex is how LastPass lost all their source code. A vulnerability in Tautulli which he had ported outside surfaced his auth token, then he was able to use the auth token to get into Plex and they were able to hit an rce vulnerability and pull the entire git repo the guy had locally.
    
    The key difference is Plex at least has a security team and their name on the line with their investors.
    
    source
    FreedomAdvocate@lemmy.net.au ⁨8⁩ ⁨months⁩ ago
    That’s completely different. Every internet connected service has risks, but having known vulnerabilities that you just refuse to fix is different to someone figuring out a complex exploit.
    
    source
- pupbiru@aussie.zone ⁨9⁩ ⁨months⁩ ago
  swiftfin is mostly there but doesn’t support media segments, which is a deal breaker for me
  
  really unfortunate since jellyfin media segments is a much better implementation of the concept than plex
  
  i’m watching the swiftfin issue for when it gets added and i’ll be all over compiling and testing it
  
  source
- Lem453@lemmy.ca ⁨9⁩ ⁨months⁩ ago
  Assuming this is all true, sure its not great but how much does it matter?
  
  Most have jellyfin in a docker. My jellyfin can’t only has read only accses to the media folder. Only the config folder has write access. Assuming the worst case scenario here, how much damage can than do?
  
  source
  - rumba@lemmy.zip ⁨9⁩ ⁨months⁩ ago
    A lot of neophyte self hosters Will try running the binary in Windows instead. Experienced self hosters will indeed use docker.
    
    Then out of the ones that are using docker some of them will set it up as privileged.
    
    And then how many of those people actually make read-only versus how many just add the path and don’t think about it.
    
    Don’t confuse your good practices with what the average person will do.
    
    source
meh@piefed.blahaj.zone ⁨9⁩ ⁨months⁩ ago
https://github.com/jellyfin/Swiftfin is available for tvOS. works great for me with one bug. since i have homepods connected to one of my apple tv's as it's speakers. i had to change the setting to use the native video player instead of vlc to avoid and audio delay bug. that cost me the auto play next episode function. i though not auto playing the next episode would annoy me, but it's turned out to not be a issue at all. but infuse doesn't include that bug if you want both homepod tv speakers and auto play next episode with jellyfin. as for security, since jellyfin is more modifiable it has a lot more room for misconfiguration for sure. plex had plenty of it's own security issues, we just only heard about them when some security blogger discovered it.

source
- pupbiru@aussie.zone ⁨9⁩ ⁨months⁩ ago
  misconfiguration here i think is a dangerous way to phrase it… it implies that there is a secure way to run jellyfin on its own. jellyfin, by itself, should never be exposed to the www. it is, no matter the configuration, insecure. to run jellyfin on the www you must put a VPN or other reverse proxy with auth over the top of it
  
  source
Jakeroxs@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
Op already said they were behind authentik

There also absolutely are apps for tv oses like Android, I use one daily.

source
- russjr08@bitforged.space ⁨9⁩ ⁨months⁩ ago
  I think they meant Apple’s “tvOS” - which powers the Apple TV set top box.
  
  There’s no client for it, if I had to take a guess it’s likely due to the costs of doing so.
  
  source
  - Jakeroxs@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
    Oh lol, of course apple just calls it TV OS
    
    source
  - meh@piefed.blahaj.zone ⁨9⁩ ⁨months⁩ ago
    https://github.com/jellyfin/Swiftfin i've got 5 apple tv users, two android tv and one webostv
    
    source
    russjr08@bitforged.space ⁨9⁩ ⁨months⁩ ago
    Oh interesting, it’s been a while since I have tried to use Apple TV (roughly 7 years or so - I don’t use any Apple devices anymore), this wasn’t available at the time so I’m glad to see there’s finally some native support.
    
    source
    -> View More Comments
EncryptKeeper@lemmy.world ⁨9⁩ ⁨months⁩ ago
I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.

source
- fmstrat@lemmy.nowsci.com ⁨9⁩ ⁨months⁩ ago
  Use an LDAP to OIDC bridge?
  
  source
- meh@piefed.blahaj.zone ⁨9⁩ ⁨months⁩ ago
  if you use the oidc connection and apps that support quick connect you can do it. you basically end up doing things like the plex link process that got implemented when they forced everyone into their authentication service. i almost went that route but opted to leave the password auth from ldap in. its the kind of log in process most people are used too and i've got a few elderly users. i disabled password reset in authentik though and everyone gets a 3 word 24 char minimum password.
  
  source