cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this by someone in my household who watches our server. That’s it folks. I’ve been a holdout for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I’m unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don’t understand what Plex Pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy.
- Plex is still removing functionality. I don’t care that “People should pay their fair share”. If Plex wants to put every new feature behind a paywall, that’s completely okay. They are removing functionality.
- “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
- “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on, Jellyfin folks, I know, security, that’s a separate conversation). All “remote streaming” is, is their dynamic DNS. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.
In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.
I’ve spoken out on this same issue before… and as a previous security instructor/researcher… it’s fucking scary how many people shit on Plex for a platform that has had known vulnerabilities in auth for 4 years now, that’s existed since the previous code-base… so at least 7 years old and those issues existed in the previous emby codebase going back over a decade.
Plex isn’t perfect… there are risks involved there too… but at least when something is brought up as a significant risk it seems to get fixed outside of the implicit risks of the Plex org itself.
All I read in these threads is effectively “WAAAH I don’t WANNA pay!”… Without realizing that the payment gave them something significantly more secure.
I’ve never used Plex, but the thing that stopped me from looking at it isn’t that it’s a paid service. It’s that it’s partially centralised, and starting to become hostile to its user base. This current change, locking down a previously free feature, being an iconic example of that.
My partner and I fund two decently sized fediverse instances and a matrix instance mostly out of our own pockets. We do that precisely because we have both actively chosen to move away from centralised, user hostile social media platforms. And whilst Plex isn’t a social media platform, it is centralised and becoming more user hostile, and I won’t pay for that.
(And to be clear, I’m front of house, I’m not responsible for setting up our instances’ security :P)
I mean, that’s effectively the same boat I’m in. I run all my own stuff in my own cluster (recently posted some of it if you check my post history).
But putting up Jellyfin for any user that isn’t on your network is literally a security nightmare. I cannot run blatantly insecure software and leave it internet facing. It’s one thing if it was just found and they’re working on closing it… But this has been documented/known for 4 years. They’re not fixing it and have shown no interest in addressing it at all.
VPN is literally the only answer… and that breaks all TV-based access outright since none of them do VPN. Basic auth doesn’t work. Other forms of auth break all app access (leaving only browser). And each time any of these possible alternative answers come up, they’ve outright dismissed it.
If/When Plex finally gets hostile, I’ll simply turn it off. But I can’t let Jellyfin be what services my users, it just doesn’t work.