wernight / docker-plex-media-server

Dockerized Plex Media Server
https://registry.hub.docker.com/u/wernight/plex-media-server/
MIT License
128 stars 34 forks

Great image. #25

Closed lonix closed 8 years ago

lonix commented 8 years ago

A great slim image, I also quite enjoy the way you solved downloading plexpass on.

However, to be fair, linuxserver.io (me/we) does download our packages from plex.tv directly, and would never download from another location; however, we use a helper tool to generate a JSON available here, as you can see. It refers us to the latest available plexpass version, and this, and only this, is what we use :)

lonix commented 8 years ago

Source code is available here btw...

wernight commented 8 years ago

Thanks for reaching out and also for publishing your script Open Source. My guess is that you're referring to the "third party" notice in the README. I agree that https://tools.linuxserver.io/latest-plex.json is currently pointing to the latest official download, but there is nothing blocking your server from serving another package (randomly, by cookies/IP/...). Users need to trust linuxserver.io, which they may or may not, but it's a third party (i.e. outside of Plex and Docker).

Let's contrast it with this image, which is automatically built, and the hash should now also be reproducible since Docker 1.10, so users of this image can check that it'll run the script in this repo and that this script cannot download from another place. A malicious package download would require a commit on this repo and users would need to docker pull. Also, by simple docker image inspection it's possible to check the script. So users can check this script and don't need to trust a third party.

lonix commented 8 years ago

You do have a point.

Up until a few weeks ago, we only sourced the version number from that JSON, exactly for that reason. We changed it to accommodate some changes that happened on the Plex website. I suspect this might not have been the best idea.

We are currently in an internal discussion on how to do this in the future; we must find a way that fits both us, our users, and the maintainers of Plex.

sparklyballs commented 8 years ago

"Users need to trusts linuxserver.io"

users need to trust @wernight as much as they trust us......

same number of parties involved.

wernight commented 8 years ago

@lonix I guess we're in the boat here. I even asked on their forum and by email but got no word from them. I feel the current solution is still pretty hacky.

@sparklyballs Not exactly. Both are open source, but there is no way for me to maliciously download and install another .deb file if users check either:

For the current way of linuxserver.io, users may query right before starting/restarting their container, but that doesn't guarantee that the request issued by their Docker image will get the same server response. So the only way would be to man-in-the-middle and validate the response before starting/restarting the container.
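The two checks wernight argues for above (the download can only come from Plex, and the package that was fetched is the one expected) as entrypoint shell functions. This is an added example, not the script from either project; the allowed host names and the idea of pinning a SHA-256 digest per version are assumptions.

```shell
#!/bin/sh
# Added example: gate an indirect .deb download on an allowlist of download
# hosts and on a pinned SHA-256 digest before installing it.

# Assumption: official Plex packages are served from these host names.
ALLOWED_HOSTS="downloads.plex.tv plex.tv"

# Return 0 if URL is https and its host is in ALLOWED_HOSTS, 1 otherwise.
# A URL taken from a third-party JSON pointer is only used if it passes.
check_url_host() {
  url=$1
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  host=${url#https://}
  host=${host%%/*}   # authority only
  host=${host#*@}    # drop userinfo (user@host tricks)
  host=${host%%:*}   # drop an explicit port
  for h in $ALLOWED_HOSTS; do
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# Return 0 if the file's SHA-256 equals the pinned digest, 1 otherwise.
check_sha256() {
  file=$1; expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# Entrypoint usage: refuse to install unless both checks pass.
install_checked() {
  url=$1; deb=$2; expected=$3
  check_url_host "$url" || { echo "refusing untrusted download host: $url" >&2; return 1; }
  curl -fsSL -o "$deb" "$url"
  check_sha256 "$deb" "$expected" || { echo "checksum mismatch for $deb" >&2; return 1; }
  dpkg -i "$deb"
}
```

The digest has to come from somewhere you already trust (a value committed in the repo, so that changing it needs a commit), otherwise the check only repeats the indirection problem.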

lonix commented 8 years ago

@wernight We have gotten contact with Plex, and are now looking into a way closer to yours of doing this right. There are also other nifty things in your script I liked. (A lot of great ideas.) Although accepting EULAs on users' behalf is probably not the best idea.

wernight commented 8 years ago

I actually think the EULA is still shown except maybe in a few rare cases. Maybe something changed. The only case you really want it is when setting up remote access without ever accessing the web UI via "localhost".

ironicbadger commented 8 years ago

Accepting a EULA on behalf of a user is a slippery slope...

With VPNs and SSH tunnels there's really no need either.

wernight commented 8 years ago

I'm going to close this issue as it seems nothing new has been added and before it turns into a troll.

lonix commented 8 years ago

Just one last comment. Linuxserver's container no longer depends on an external JSON file. Also read our statement here:

https://www.linuxserver.io/index.php/2016/04/07/changes-to-our-plex-docker-container/

wernight commented 8 years ago

Thanks for the update, I've also updated the README. Interestingly, you went the other way from mine by retrieving the token from the settings.