• 0 Posts
  • 230 Comments
Joined 3 years ago
cake
Cake day: June 10th, 2023

help-circle


  • Glad you solved it yourself, but I’m still struggling to understand what happened, how did you have them all in a single folder if the filename for docker compose has to be one of a few predetermined things? I mean, you could have them all in a single file, which makes some things easier, but then you wouldn’t have been able to move them into individual folders. Would you mind explaining what happened there so that if someone else in the future has the same issue they might find the solution here?

    Also, note that even if someone had given you an example of a working docker file you would still have to configure the service. For future reference, this site is great and has working examples of docker compose files for a lot of services, e.g. https://hub.docker.com/r/linuxserver/radarr

    Finally, welcome to the club, sorry you had a bad experience the first time, it’s hard for us to know what’s obvious and what isn’t: https://xkcd.com/2501/


  • Plex server doesn’t need to be “portable”

    Strongly disagree, I’ve switched my media server several times in the past decade for a multitude of reasons, having things in docker has allowed me to do this seamlessly.

    Also you’re ignoring all of the other benefits of running in docker, from isolation to automation.

    and running it in docker definitely doesn’t make it easier.

    Plex is the only self-hosted service that is purposefully trying to block you from being ran in docker. All other things are just much easier to run in docker, that’s part of the appeal, reproducible builds eliminate the “it works on my machine” errors.

    There absolutely are programs that make sense to run in docker, but Plex server isn’t one of them.

    Why do you think it doesn’t make sense? Does Jellyfin make sense to you to run in docker? Why are they different?

    Also, Plex only supports Ubuntu and CentOS, none of which I run on my server, so the only OFFICIAL way to run Plex is Docker.



  • What Plex does is closer to having an embedded tailscale client, you can access Jellyfin remotely with tailscale for free, but OP specifically asked for no VPN.

    That being said, I’m not opposed to Plex charging for that service, even a tailscale like server costs something to maintain. My gripe with Plex is that it purposefully shoots itself in the foot to force you into their paid service, i.e. it actively tries to isolate itself so you can’t access it remotely, which means that it can’t run inside a docker container unless you give it network host access, otherwise it only considers other docker containers locals and doesn’t let you watch your own content from another machine in the same network.





  • Except most people have almost the same structure because of media organizers like radarr/sonarr. At the very least they should hide that behind a setting to not require auth (since the header should be there for most clients) so only people running an old client would be affected. They could also add an extra salt to that hash or something similar.

    I agree, it’s not critical, but it shouldn’t be hand waved either. And like I said, security is relative, I would argue for most people this is fine, but I still think this should be taken more seriously.










  • I don’t get how that output showcases anything, unless he had run that against a known instance of forgejo so the owners of that instance could confirm that he actually executed code. But he’s only showing a text file, that’s like saying look I hacked super_secure_self_hosted_service:

    python hack_it.py localhost:3000
    
    Hacked!
    

    For all we know chain_alpha.py is just a bunch of prints.

    Also, even if it is real (which I don’t really doubt, but I have seen no proof) holding the information instead of properly disclosing it is just childish. It’s not a carrot methodology, it’s a stick one, and one without a carrot. This is the sort of thing you do to big companies with no morals, doing it to a small open source project is just wrong, they don’t have the manpower or money to redo the investigation you already did. Release a CVE, talk to the devs, and/or push a PR, but saying “I found a vulnerability but I won’t tell you about it” is just dumb.


  • That article has lots of issues:

    17% of the most popular Rust packages contain code that virtually nobody knows what it does

    That’s not true at all, the article where he got that information from says:

    Only 8 crate versions straight up don’t match their upstream repositories. None of these were malicious: seven were updates from vendored upstreams (such as wrapped C libraries) that weren’t represented in their repository at the point the crate version was published, and the last was the inadvertent inclusion of .github files that hadn’t yet been pushed to the GitHub repository.

    So, of the 999 most popular crates analyzed 0% contains code nobody knows what it does.

    He then lists some ways packages can be maliciously compromised:

    1. Steal credentials and impersonate a dev
    2. Misleading package names
    3. Malicious macros (this one is interesting, had never considered it before)
    4. Malicious build script

    And his solutions are:

    1. Bigger std library (solves none of the above)
    2. Source dependencies (solves none of the issues he showed, only the issue that happens in 0% of packages where binary doesn’t match the source and is detectable)
    3. Decentralized packages (which worsens every security concern)
    4. Centralized Checksum database (so a centralized package manager is bad, but a centralized Checksum index is good? How does that work?)

    Honestly I can’t take that article seriously, it grossly misinterpreted another study, presents problems that exist on every single package manager ever, doesn’t propose ANY valid solution, and the only thing he points to as a solution suffers from ALL of the same issues and then some.