And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.

If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That’s more or less it.

Good? No. But far from making it a poor choice exposing it.

Performance is not the goal, but cleaner code and more manageable code. But both will ultimately lead to better performance. As of now it was basically impossible to change something in the database structure since it was hard to estimate the impact of it.

… and may also break compatibility with previous 10.Y releases if required for later cleanup work.

If you read through the whole paragraph, it is clear that they mean the compatibility of previous jellyfin versions.

Also, again:

Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,

That means that the code is not cleaned up with that release.

If you would release 11 before the code is considered cleaned up, you would basically break your own defined versioning convention. That is best decided by the active maintainers.

Consider the 10.y.z simply to be 0.y.z and everything works out.

Jellyfin inherited a lot of shitty code and architecture from emby. They simply cannot guarantee anything across patches until it is sorted out.

imho much better then releasing major version after major version because the break stuff regularly.

Also for internal use. The original emby source used not within the code base standardized database access.

Basically changes to the database were not possible since finding references across the code base which part uses which values was impossible.

Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,

Its right there at the link you posted.

Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.

While some use cases can be replaced with traditional wireguard, others not.

Really surprised about this. I am using syncthing now for many years on various devices and never encountered issues with it. And also, file sync is not a backup solution.

Still the same but afaik they now somewhat support running zfs

deleted by creator

Do you want to prevent brute forcing or do you want to prevent the attack getting in?

If you want to prevent brute forcing then software like fail2ban helps a little, but this is only a IP based block, so with IPv6 this is not really helpfull against a real attack, since rotating IP addresses is trivial. But still can slow down the attacker. Also limiting the amount of sessions and auth tries does significantly slow down the attacker.

If you just want to not worry about it set strong passwords, and when it is a multi user system where other ppl might access it, configure Public Key Auth so you can be sure the other users have strong passwords (or keys in this case) to authenticate.

With strong passwords or keys it is basically impossible to brute force your way in with ssh.

I don’t use browser extensions and I manually copy/paste my passwords to fill in entries.

On most systems copy pasting is heavily insecure since a lot of processes have access to the clipboard. autotype and thinga like browser extensions are considered more secure.

You do not even need a port based firewall when the server is open on the internet.

When you configure the software to not have unnecessary open ports over the internet connected interface then a port based firewall is providing zero additional security.

A port based firewall has the benefit that you can lock everything down to the few ports you actually need, and do not have to worry about misconfigured software.

For example, something like docker circumvents ufw anyway. And i know ppl that had open ports even tho they had ufw running.

Clickbait (also known as link bait or linkbait) is a text or a thumbnail link that is designed to attract attention and to entice users to follow (“click”) that link and view, read, stream or listen to the linked piece of online content, being typically deceptive, sensationalized, or otherwise misleading.

https://en.wikipedia.org/wiki/Clickbait

Title is not really deceptive or misleading.

That is not really covering the topic for everyone, this only covers the article for ppl who are paying already for the pass.

Not seeing how this is clickbait. The title sums it up on point.

At the same time crowdsec heavily benefits of the big free userbase since they ‘crowdsource’ their thread detection.

Just because there is no update does not mean there are security vulnerabilities to worry about, or do you have a specific one that is not fixed?

The attack vector seems very narrow to me. It checks the container registry downloads the containers and runs some docker commands.

It has no interface, so in order to attack it you either have to compromise the container registry (but then it would be easier to compromise the containers you download) the secure connection used to download the containers (https is quite stable) or something on the server side.

Also the project does not really look that abundant to me.

EDIT: So i have not checked this, but watchtower is probably using docker for most steps anyway? So basically the only thing that could be attacked is via the notifications watchtower is sending?

Years out of date

What problems does it have? Never ran into an issue for my usecase.

Automatic updates. Works like a dream. Depending on what you are running it can obviously cause issues, either server side breaking or server,client communication issues

They’re releasing a new version every two month or so and dropping them rapidly from support, pinning it with a tag means that in 12 months the install would be exploitable.

The lifecycle can be found with a single online search. Here https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

Releases are maintained for roughly a year.

Set yourself a notification if you forget it otherwise.