To be fair there is a tvOS app in development but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help and the maintainers post updates here
Comment on goodbye plex
macstainless@discuss.tchncs.de 4 days ago
I’ve heard jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.
cantankerous_cashew@lemmy.world 4 days ago
EncryptKeeper@lemmy.world 4 days ago
I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.
meh@piefed.blahaj.zone 4 days ago
if you use the oidc connection and apps that support quick connect you can do it. you basically end up doing things like the plex link process that got implemented when they forced everyone into their authentication service. i almost went that route but opted to leave the password auth from ldap in. its the kind of log in process most people are used too and i've got a few elderly users. i disabled password reset in authentik though and everyone gets a 3 word 24 char minimum password.
fmstrat@lemmy.nowsci.com 4 days ago
Use an LDAP to OIDC bridge?
Jakeroxs@sh.itjust.works 4 days ago
Op already said they were behind authentik
There also absolutely are apps for tv oses like Android, I use one daily.
russjr08@bitforged.space 4 days ago
I think they meant Apple’s “tvOS” - which powers the Apple TV set top box.
There’s no client for it, if I had to take a guess it’s likely due to the costs of doing so.
meh@piefed.blahaj.zone 4 days ago
https://github.com/jellyfin/Swiftfin i've got 5 apple tv users, two android tv and one webostv
russjr08@bitforged.space 4 days ago
Oh interesting, it’s been a while since I have tried to use Apple TV (roughly 7 years or so - I don’t use any Apple devices anymore), this wasn’t available at the time so I’m glad to see there’s finally some native support.
Jakeroxs@sh.itjust.works 4 days ago
Oh lol, of course apple just calls it TV OS
mic_check_one_two@lemmy.dbzer0.com 4 days ago
Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.
fmstrat@lemmy.nowsci.com 4 days ago
I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The
curlscript is in the ticket.I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.
So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues require a logged in user (hit admin endpoint with user token).
Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.
meh@piefed.blahaj.zone 4 days ago
https://github.com/jellyfin/Swiftfin is available for tvOS. works great for me with one bug. since i have homepods connected to one of my apple tv's as it's speakers. i had to change the setting to use the native video player instead of vlc to avoid and audio delay bug. that cost me the auto play next episode function. i though not auto playing the next episode would annoy me, but it's turned out to not be a issue at all. but infuse doesn't include that bug if you want both homepod tv speakers and auto play next episode with jellyfin. as for security, since jellyfin is more modifiable it has a lot more room for misconfiguration for sure. plex had plenty of it's own security issues, we just only heard about them when some security blogger discovered it.
pupbiru@aussie.zone 3 days ago
misconfiguration here i think is a dangerous way to phrase it… it implies that there is a secure way to run jellyfin on its own. jellyfin, by itself, should never be exposed to the www. it is, no matter the configuration, insecure. to run jellyfin on the www you must put a VPN or other reverse proxy with auth over the top of it
rumba@lemmy.zip 4 days ago
The biggest known stuff I saw on their GitHub is that a number of the exposed service URLs under the hood don’t require auth. So, it’s open-source with known requirements, you can tell easily from the outside that it’s running, and you can cause it to activate a LOT of packages without logging in. That’s a zero-day in any package that can be passed a payload away from disaster.
AS far as TVOS, I’m kinda surprised swiftfin doesn’t service you.
Lem453@lemmy.ca 4 days ago
Assuming this is all true, sure its not great but how much does it matter?
Most have jellyfin in a docker. My jellyfin can’t only has read only accses to the media folder. Only the config folder has write access. Assuming the worst case scenario here, how much damage can than do?
rumba@lemmy.zip 3 days ago
A lot of neophyte self hosters Will try running the binary in Windows instead. Experienced self hosters will indeed use docker.
Then out of the ones that are using docker some of them will set it up as privileged.
And then how many of those people actually make read-only versus how many just add the path and don’t think about it.
Don’t confuse your good practices with what the average person will do.
macstainless@discuss.tchncs.de 3 days ago
Yeah… that’s a non-starter for me. Not gonna risk my entire home lab when Plex doesn’t have any of that risk.
Also, running in Docker is fantastic but I’ve found Docker to be unstable at times depending on the version.
rumba@lemmy.zip 2 days ago
Oh, Plex has the risk. A vulnerability in Plex is how LastPass lost all their source code. A vulnerability in Tautulli which he had ported outside surfaced his auth token, then he was able to use the auth token to get into Plex and they were able to hit an rce vulnerability and pull the entire git repo the guy had locally.
The key difference is Plex at least has a security team and their name on the line with their investors.
FreedomAdvocate@lemmy.net.au 2 days ago
That’s completely different. Every internet connected service has risks, but having known vulnerabilities that you just refuse to fix is different to someone figuring out a complex exploit.
pupbiru@aussie.zone 3 days ago
swiftfin is mostly there but doesn’t support media segments, which is a deal breaker for me
really unfortunate since jellyfin media segments is a much better implementation of the concept than plex
i’m watching the swiftfin issue for when it gets added and i’ll be all over compiling and testing it