lyarenei / jellyfin-plugin-listenbrainz

ListenBrainz plugin for Jellyfin.
MIT License
71 stars, 2 forks

[Request]: Include manifest.json file in the repo #100

Open parasiteoflife opened 1 month ago

parasiteoflife commented 1 month ago

Description

Can you please include the manifest.json file in the repo too so we can add it to jellyfin?

Using another website for the manifest is risky for us. What happens when you forget to renew and someone uploads malware? That's a new vector for attacks, so please consider including the manifest file in the git repo.

Proposed solution

Include manifest.json file in the git repo.

Additional context

No response

lyarenei commented 1 month ago

... we can add it to jellyfin?

Not sure what you mean? You can add any repository to the Jellyfin server; these repositories do not have to be hosted on GH.

Using another website for the manifest is risky for us

In general, using any repository you have no control over is risky, and it does not matter where the manifest file is. Also, the manifest can still point to another server which serves the files. So I don't see any difference between using GitHub for the repo and my server.

what happens when you forget to renew and someone uploads malware? That's a new vector for attacks...

IMO, there isn't any new attack vector. Either the bad actor gains access to my server or to my GH account. After getting access, they can quietly make changes. I can see a slight advantage here, where a new commit to the manifest file might be visible, but let's be honest, the odds of someone spotting that are pretty low.

If you do not trust the plugin repository, you can also just install the plugin manually. Or better - compile it yourself after inspecting the code and build process. I do not mean this in any condescending or similar way; it's just the factually safest way in terms of running code from a third party.

At first, I indeed had the manifest in the repository, but maintaining it was pretty cumbersome and moving to an external server allowed me to properly automate the plugin releases.

I admit I do not have any particular deep knowledge of stuff related to security, so I may be missing something of course, but I am always willing to learn.
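As an added illustration of the point above (not code from this plugin or from Jellyfin), a small Python check a server admin could run on a plugin manifest before adding the repository: it lists every version whose binary is served from a host other than the manifest's own or without HTTPS, and verifies a downloaded zip against the manifest's MD5. It assumes the Jellyfin plugin-manifest layout (an array of plugins, each with a versions list carrying sourceUrl and an MD5 checksum); the manifest content and hosts are constructed placeholders.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample manifest (not the plugin's real one) in the layout Jellyfin
# plugin repositories use (assumption): a JSON array of plugins, each with a
# "versions" list whose entries give a "sourceUrl" and an MD5 "checksum".
# Hosts are placeholders; v1.1.0.0 deliberately points at a different host.
SAMPLE_MANIFEST = json.dumps([{
    "guid": "00000000-0000-0000-0000-000000000000",
    "name": "ExamplePlugin",
    "versions": [
        {"version": "1.0.0.0", "targetAbi": "10.8.0.0",
         "sourceUrl": "https://repo.example.test/ExamplePlugin_1.0.0.0.zip",
         "checksum": hashlib.md5(b"constructed zip bytes v1").hexdigest()},
        {"version": "1.1.0.0", "targetAbi": "10.9.0.0",
         "sourceUrl": "http://mirror.example.invalid/ExamplePlugin_1.1.0.0.zip",
         "checksum": "0" * 32},
    ],
}])


def audit_manifest(manifest_text: str, manifest_url: str) -> list[str]:
    """One finding per version that is not fetched over HTTPS from the manifest's
    own origin, or whose checksum is not a 32-char hex digest. Empty list means
    every binary comes from the same host that served the manifest."""
    manifest_host = urlparse(manifest_url).netloc.lower()
    findings = []
    for plugin in json.loads(manifest_text):
        for ver in plugin.get("versions", []):
            tag = f"{plugin.get('name')} {ver.get('version')}"
            src = urlparse(ver.get("sourceUrl", ""))
            if src.scheme != "https":
                findings.append(f"{tag}: sourceUrl is not https ({src.scheme or 'none'})")
            if src.netloc.lower() != manifest_host:
                findings.append(f"{tag}: served from {src.netloc}, not {manifest_host}")
            checksum = ver.get("checksum", "")
            if len(checksum) != 32 or any(c not in "0123456789abcdefABCDEF" for c in checksum):
                findings.append(f"{tag}: checksum is not a 32-char MD5 hex digest")
    return findings


def verify_archive(archive: bytes, expected_md5: str) -> bool:
    """Check a downloaded plugin zip against the manifest's MD5 before installing.
    This only proves zip and manifest agree; whoever controls the manifest can
    rewrite both, which is exactly the point made in the thread."""
    return hashlib.md5(archive).hexdigest() == expected_md5.lower()
```

Run `audit_manifest(SAMPLE_MANIFEST, "https://repo.example.test/manifest.json")` on the sample and the second version is reported twice (plain HTTP, and a host other than the manifest's); the first version passes `verify_archive` against the constructed zip bytes.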