Specifically these issues: https://github.com/jellyfin/jellyfin/issues/5415

The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn’t be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I’m not sure what Jellyfin uses for UUIDs.

Nah, setting non-standard ports is sound advice in security circles.

People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.

Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don’t see the open ports, they move on. Won’t stop a determined attacker, of course, but that’s what other layers are for.

As long as there’s real security otherwise (TLS, good passwords, etc), it’s fine.

If anyone says “that’s a false sense of security”, ignore them. They’ve replaced thinking with a cliche.

There are ways they can work around it, but their lead developer was drafted into their country’s military. Ultimately, they’re going to have to make their own phone, and it looks like they’re making plans to do that.

For now, it’s fine.

And they purposely hobbled certain things people want, like inline links and images. Some clients will do it anyway, but it’s against the collective wishes of the developers.

If I wanted to track people on Gemini, I could totally do it. It’d just be in a more server-to-server way than how its evolved on HTTP (pixel trackers and such).

Some people haven’t lived through the time when HTML layout was done through nested tables, and it shows.

Maybe we could have No-JS and No-Client-Storage (which would include cookies) headers added to HTTP. Browsers could potentially display an icon showing this to users on the address bar.

Theoretically, browsers could even stop from the JS engine from being started for the site in the first place. Though I wouldn’t be surprised if the engine is too tied into the code of modern browsers for that to work.

Let’s not. It’s a terrible protocol with amateur design errors.

JS does a lot of crap that didn’t need doing in the first place. It can be used in a way that improves performance and user experience, but what’s out there is so far from that.

HTML could maybe be replaced by a specific form of Markdown (one with a real spec), but meh, whatever. Gemini did that, but its limitations are a little too much.

Was never part of the standard.

You want to do what Gemini did. Take Markdown, add some specific features to make up for some blind spots in the original, formalize it, and give your version a specific name.

Someone will thank you for your service. Not me, but someone.

Which is important because about a year ago the headlines were saying EV sales were collapsing. In fact, it was just Tesla having less market share of new EVs sold because other manufacturers got off their ass.