JRaccoon

Happy cake day! (Although for me it shows it’s tomorrow. Must be the time zone difference.)

My favorite thing about Lemmy is that there’s just the right amount of content. I can scroll through my subscribed feed and be done for the day. If I try coming back only after an hour, there most likely won’t be much new content to scroll. This is great for not getting addicted.

Thanks. This is kinda important info so I’ve edited my initial comment.

They are not saying anything on why they are removing it.

Jellyfin is dropping HTTPS support with a future update[…]

What’s the source for this? I wasn’t able to find anything with a quick google search

I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don’t see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore. (See Edit 2)

In my setup, which I’ve been running for some time, I’ve port-forwarded only Jellyfin’s HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I’ve also changed the Jellyfin’s default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.

Anyone wanna yell at me for being an idiot and doing everything wrong? I’m genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I’m not entirely sure why.

Edit: Thank you everyone for your responses. While I don’t agree with everything, the new insight is appreciated.

Edit 2: I’ve been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:

Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits

What if a bad actor acquires one of these once popular tracker domains? Could they somehow take advantage of it? For example, what if they make the tracker advertise a large number of “fake” peers that serve malware instead of the actual files? I only have a crude understanding of how BitTorrent works, so I’m not sure what kinds of protections, if any, it has against this type of attack.

He would be the perfect host for the show

As someone living in a green country, could someone explain how things work in practice in the yellow or orange countries? I understand that in places like Russia or China, journalists can end up in prison, or worse, if the government doesn’t like their writing. But how exactly is the press not free in countries like Canada or most European nations that are labeled yellow here?

And why is the US labeled orange? As far as I know, the media there is highly politically polarized, with most major news organizations openly supporting a particular agenda. That’s certainly a serious issue and not how the press should operate, but even Trump’s government isn’t actively limiting the freedom of the press to report on issues like they see fit? Or am I mistaken? I’m genuinely asking.

That’s reassuring to know. What I don’t understand is why you have the /api/v3/post/like/list route. You say you don’t want votes to be snooped on, but then you add an endpoint that makes it very easy for instance admins to do exactly that if they choose to? Also worth pointing out that the tool linked here wouldn’t work in its current form if this route didn’t exist.

Compare your actions to releasing a 0-day exploit for a security vulnerability instead of responsibly disclosing. It doesn’t help, it just causes chaos until the people who do the actual work can figure out a solution.

This comparison is not fair at all. It’s not like the devs are unaware of this. They could start by removing the API endpoint that lists a post’s votes, but they haven’t, which means they seem to think it’s okay for the instance admins to snoop on votes if they so wish.

Someone else just brings the stuff to me? In that case, definitely the clothes. I hate shopping for them, it’s always such a chore, even if you don’t care about style and just want high-quality, comfortable ones.

Is there a similar bot on Lemmy?

They can include runnable JavaScript too, which can cause vulnerabilities in certain contexts. One example from work some years back: We had a web app where users could upload files, and certain users could view files uploaded by others. They had the option to download the file or, if it was a file type that the browser could display (like an image or a PDF), the site would display it directly on the page.

To prevent any XSS (scripts from user-provided files), we served all files with the CSP sandbox header, which prevents any scripts from running. However, at the time, that header broke some features of the video player on certain browsers (I think in Safari, at least), so we had to serve some file types without the header. Mistakenly, we also included image files in the exclusion, as everyone through image files couldn’t contain scripts. But the MIME type for SVG files is image/svg+xml… It was very embarrassing to have such a simple XSS vuln flagged in a security audit.

My use case is a bit different than yours but still worth mentioning, I think; I have Sharry running in Docker and it makes sharing and receiving files super easy. All downloads and uploads are resumable so they work well even in unstable networks.

The house with a pool if someone else would take care of the maintenance without me needing to worry about it. Otherwise the beach house, I would imagine it would be the easiest to rent out and use that income to get a house I would actually like.

Nope. But as mentioned in the article, some support for display servers might be coming in Android 16.

Networking does work. I was able to install packages using apt and also ping machines on my local network. Could be useful.
I guess in a pinch it could be used to ssh into other machines. However, I’m sure there are plenty of SSH clients available for Android, which are much more lightweight solution than running a whole VM.

It has access to /sdcard as a shared folder.

How does this work? The app doesn’t seem to have any settings related to it yet. Under /mnt in the VM I noticed folder shared that seems to match the downloads folder on my phone, which seems odd

Tested this on my Pixel 8a. Works as you would expect. Personally I have a little hard time coming up with use cases for this but I guess it’s kinda cool.