239
top 50 comments
sorted by: hot top controversial new old
[-] floofloof@lemmy.ca 77 points 3 weeks ago

Went there to update my password but got reminded what a horrible experience Plex is these days, so deleted my account instead.

[-] JustARaccoon@lemmy.world 14 points 3 weeks ago

Wdym it's like a couple of clicks

[-] kbobabob@lemmy.dbzer0.com 4 points 3 weeks ago

They're probably just using some shit browser or something. I had no issues either.

[-] twotonebax@lemmy.world 4 points 3 weeks ago

Same lol, using jellyfin now instead

[-] bridgeenjoyer@sh.itjust.works 39 points 3 weeks ago

Meanwhile I made a post asking if plex is bad now and most people on it said "no it's great I paid for my lifetime pass years ago and its been the best!" Yeah, we know the truth now.

Jellyfin all the way.

[-] TrickDacy@lemmy.world 34 points 3 weeks ago

Seems unlikely that this happened. Most people on Lemmy despise Plex and forgive all the shortcomings of Jellyfin

[-] bridgeenjoyer@sh.itjust.works 10 points 3 weeks ago

Thats what I thought too. But I posted on ask lemmy, not here.

[-] AmbiguousProps@lemmy.today 23 points 3 weeks ago* (last edited 3 weeks ago)

I'd love to switch. I would do it right now, but the problem is that Jellyfin's security isn't better if you open it up to the internet. For example, I'd have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I'd have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I'll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they'd want it to work with their smart TVs.

Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I'm also happy with the way Plex is reporting this, it's above the standard "your data is lost" notifications.

Edit: here's a link to the related GitHub issue I've been following: https://github.com/jellyfin/jellyfin/issues/5415

And @Saik0Shinigami@lemmy.saik0.com has a great thread explaining more: https://lemmy.today/comment/18923504

[-] bagodogs@sh.itjust.works 10 points 3 weeks ago

Jellyfin is great... As long as you're the only one who needs to access the server. I've switched to using Jellyfin myself, but I still run Plex for others to access.

I've found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.

[-] Seefoo@lemmy.world 4 points 3 weeks ago
[-] bagodogs@sh.itjust.works 2 points 3 weeks ago

One was automatic collections, but the plugin for this has since been updated, and the bug I was experiencing has been fixed. The one remaining feature that I'm missing is user ratings for media. On Plex I have automatic collections of movies that I've rated four and five stars, and it's quite useful.

[-] binarytobis@lemmy.world 5 points 3 weeks ago

My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.

It’s still better for my needs, but I remain angry.

[-] exu@feditown.com 5 points 3 weeks ago

Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account

[-] MaggiWuerze@feddit.org 5 points 3 weeks ago* (last edited 3 weeks ago)

Again, its not random. It's not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you're done

[-] ChairmanMeow@programming.dev 2 points 3 weeks ago

Put your files in a randomly named root folder and it's fixed. Even still, isn't the worst they could do pirating your service?

[-] MaggiWuerze@feddit.org 5 points 3 weeks ago* (last edited 3 weeks ago)

No, the worst is that a company like Sony or their lawyers can find my server and create a list of movies I offer and then sue me over it. I live in a country where lawyers make a living doing nothing but that.

Besides that, security by obscurity is the worst possible form and barely qualifies as security at all. It's also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.

And none of this is clearly communicated by the project. The unauthenticated endpoints are not disclosed, the issues with the filepath is not disclosed. Jellyfin fans treat it as a drop in replacement for Plex, but people using it as such basically throw an unauthenticated server onto the open web

[-] ShortN0te@lemmy.ml 4 points 3 weeks ago

Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.

In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.

It's also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.

Another place? What else? You mean setting up you own server? That is in fact your responsibility.

[-] exu@feditown.com 2 points 3 weeks ago

I live in a country where making copies of movies and having them for private consumption isn't illegal.

I wouldn't blame the Jellyfin devs for this situation, they inherited a lot of bad code from Emby and are still cleaning it up.

load more comments (2 replies)
[-] AmbiguousProps@lemmy.today 4 points 3 weeks ago

I mean, that's fine, but it's still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn't seem like security is Jellyfin's priority at the moment, not that it's Plex's either, but it's not to a place where it's worth it to switch from a security standpoint, personally.

[-] MaggiWuerze@feddit.org 4 points 3 weeks ago

Plex has a whole team dedicated to security. It's obviously not perfect and it is a larger attack surface than Jellyfin, but I'll take that any day over devs who treat security as an afterthought

[-] Orygin@sh.itjust.works 2 points 3 weeks ago

You mean the security team that got pwned here?

[-] MaggiWuerze@feddit.org 4 points 3 weeks ago

Still better to have a team to react to this incident than just have them shrug and ignore it for 5 years

[-] AmbiguousProps@lemmy.today 2 points 3 weeks ago* (last edited 3 weeks ago)

What about the pwned users of Jellyfin that have unknowingly had security holes for 5 years because Jellyfin doesn't care enough to even put a banner in their settings to say it's not secure?

load more comments (2 replies)
[-] TrickDacy@lemmy.world 3 points 3 weeks ago

Thank you for that issues link. I keep trying jellyfin every now and then and I run into issues with general bugginess so I haven't been able to switch. Seeing that it's kinda full of security holes makes me even more reticent.

[-] atomicbocks@sh.itjust.works 3 points 3 weeks ago

This is the same reason I haven’t switched. My parents use it to watch the local OTA channels and I have zero intention of supporting a site to site VPN on their home network and multiple mobile devices.

[-] Hupf@feddit.org 6 points 3 weeks ago

Leave Plex

alone!

[-] remon@ani.social 5 points 3 weeks ago* (last edited 3 weeks ago)

Even is plex is "bad" now, it's still years ahead of jellyfin.

[-] icylobster@lemmy.world 4 points 3 weeks ago

Plex hasn't been getting better, but it still does what I need. I have a lifetime pass from years ago. If I was starting today I would be a lot less inclined to pay for Plex though. They keep adding things I don't want.

[-] ramenshaman@lemmy.world 27 points 3 weeks ago

Glad I started out with Jellyfin

[-] JustEnoughDucks@feddit.nl 5 points 3 weeks ago* (last edited 3 weeks ago)

I mean, jellyfin is absolutely even.more of a security nightmare than Plex, with multiple unfixed CVEs IIRC (software, not website or forum)

I use jellyfin also, but I only trust it not exposed to the internet at all. That is one very big area of improvement for them.

That and subtitle syncing.

load more comments (1 replies)
[-] Sivilian@lemmy.zip 17 points 3 weeks ago

I am curious as to why people thing Plex is self hosting if Plex can change how your server functions? I have never personally considered it self hosting but do others still think it is?

[-] jrbaconcheese@yall.theatl.social 33 points 3 weeks ago

Yes. It’s running on my server. That I host.

[-] bdonvr@thelemmy.club 7 points 3 weeks ago

And you fully control the service?

load more comments (1 replies)
[-] lka1988@lemmy.dbzer0.com 26 points 3 weeks ago

Because you are hosting the server software on your own hardware. That's literally self-hosting. Plex provides a way to remotely access your server through their own network as well, which is optional.

[-] Blue_Morpho@lemmy.world 16 points 3 weeks ago

The problem with Plex is it isn't fully hosted. Plex controls user passwords. You can't use it without logging into their servers.

load more comments (2 replies)
[-] KarnaSubarna@lemmy.ml 3 points 3 weeks ago

On a side note: you can remotely access any service running on home network via Tailscale[1] / Cloudflare Tunnel. Your services are never exposed on Internet. Moreover, you don't need to rely on Plex for that.

[1] https://tailscale.com/ [2] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

[-] lka1988@lemmy.dbzer0.com 5 points 3 weeks ago* (last edited 3 weeks ago)

Tailscale is going public, so I don't really trust them anymore. I used Cloudflare tunnels for a while, but I strongly dislike being dependent on them for accessing my own network, and I don't like how they recently clamped down on "anti-piracy". There are some legitimate sites I still can't access (dirtbike parts and whatnot) because Cloudflare straight up blocks access to them.

load more comments (3 replies)
[-] magguzu@midwest.social 10 points 3 weeks ago

By your logic the *arr suite isn't self hosted either since they rely on metadata cache servers.

In fact Jellyfin relies on external services for their metadata too!

[-] femtek 9 points 3 weeks ago

Plex is self hosting, the auth is not.

load more comments (5 replies)
[-] Ebby@lemmy.ssba.com 8 points 3 weeks ago

Even though there are some cloud services like remote server management, proxies, and 3rd party integration, I do actually have to run the software myself on my hardware. Hence, self hosted.

[-] CmdrShepard49@sh.itjust.works 3 points 3 weeks ago

How is that any different than any other software package? Unless you're coding it yourself, things can be changed without your permission.

load more comments (3 replies)
load more comments (6 replies)
[-] gerowen@lemmy.world 7 points 3 weeks ago

I dropped it in favor of Jellyfin some time back, but this was a good excuse to go ahead and delete my family's accounts.

load more comments
view more: next ›
this post was submitted on 09 Sep 2025
239 points (100.0% liked)

Selfhosted

51908 readers
1066 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS