unisoft 363 Posted June 30 Posted June 30 20 hours ago, RanmaCanada said: And this is why I said that people here were making a mountain out of a molehill, and yet they still thought they knew better.. This doesnt alter the fact there should be a deidcated secutity page where facts can be published and the process of reporting new security issues. It would help everyone and avoid posts like yours where the community is either arguing against each other or towards the developers. 1
RanmaCanada 557 Posted June 30 Posted June 30 5 hours ago, unisoft said: This doesnt alter the fact there should be a deidcated secutity page where facts can be published and the process of reporting new security issues. It would help everyone and avoid posts like yours where the community is either arguing against each other or towards the developers. They do have a a dedicated security page, it's just not on the forums, it's where it's supposed to be, on the github pages. There is also nothing to stop people from looking at the CVE pages to see what the dangers are, as everything is typically spelled out there in plain english (exactly what I posted). Yes we have a lot of ignorant users on the forums, but anyone with a functional brain would know to look at these places, and dumbing things down to the common people is something that I'd argue only needs to be done when it's something serious, which the dev team has done in the past, and this was not serious. Otherwise, people blow things out of proportion and get their knickers in a twist and start saying things they don't understand while puffing out their chests and act like they understand what they are talking about.. A little knowledge is dangerous, specially when those that have it don't understand what they have while claiming they do. 2 1 1
unisoft 363 Posted July 1 Posted July 1 1 hour ago, RanmaCanada said: They do have a a dedicated security page, it's just not on the forums, it's where it's supposed to be, on the github pages. There is also nothing to stop people from looking at the CVE pages to see what the dangers are, as everything is typically spelled out there in plain english (exactly what I posted). Yes we have a lot of ignorant users on the forums, but anyone with a functional brain would know to look at these places, and dumbing things down to the common people is something that I'd argue only needs to be done when it's something serious, which the dev team has done in the past, and this was not serious. Otherwise, people blow things out of proportion and get their knickers in a twist and start saying things they don't understand while puffing out their chests and act like they understand what they are talking about.. A little knowledge is dangerous, specially when those that have it don't understand what they have while claiming they do. Odd then that Microsoft, Apple, Oracle and many others have dedicated web pages for it and dont expect end customers to know about git hub and trawling it. You make incorrect assumption that everyone is dumb or common people. CVE numbers can point to a security vulnerability, but they dont always tell you the full range of products affected and versions or mitigating workarounds that a software vendor would. If the information is clear and severity level clear then nobody is going to get their knickers in a twist like you say. I expect the info on the software vendors web site without having to go to 3rd party places. It's a response from them for a start..... 1
softworkz 5275 Posted July 1 Posted July 1 (edited) I am sure that every Microsoft, Apple or Oracle customer would cry with happiness for having the opportunity to get direct answers from the people in charge in a forum. Edited July 1 by softworkz 5
softworkz 5275 Posted July 1 Posted July 1 But seriously: The idea is plausible for sure. In fact, during the botnet incident two years ago, we had started a "Security Incidents" section as part of the documentation. And it just didn't work out. We've been busy all the time and couldn't keep it up-to-date continuously. And when it was updated and users were pointed at it, they still continued to ask questions, including things that were answered there. Nobody cared about it and we were answering questions in the forums all the time. At the end, even I had forgotten about it and it wasn't even updated with the outcome but nobody ever came asking about it. Eventually the section was removed, because nobody was interested in this anymore. We are small and cannot be compared with companies like MS, Apple & Co - this is a whole different world, and also we do not have that many security issues to deal with. In turn, a security page with less than a handful of incidents and maybe the newest being a year old would not make a good impression (people might easily draw wrong conclusions) and while there is an active incident, people would still be asking the same kind of questions and we'd see the same kinds of discussions like here (excepting the side-track about a "security page", but then probably about why it doesn't get updated by the minute). If it were a larger number - it might be a different story. We'll see and adapt to the situation if necessary. 3 1
RanmaCanada 557 Posted July 1 Posted July 1 18 hours ago, unisoft said: Odd then that Microsoft, Apple, Oracle and many others have dedicated web pages for it and dont expect end customers to know about git hub and trawling it. You make incorrect assumption that everyone is dumb or common people. CVE numbers can point to a security vulnerability, but they dont always tell you the full range of products affected and versions or mitigating workarounds that a software vendor would. If the information is clear and severity level clear then nobody is going to get their knickers in a twist like you say. I expect the info on the software vendors web site without having to go to 3rd party places. It's a response from them for a start..... Yeah and I'm sure the CEO's of those companies answer questions directly on their forums, RIGHT? Comparing Emby to multi billion or trillion dollar companies is just the epitime of ignorance. Thanks for continuing to validate my points. Have a great day. 2
unisoft 363 Posted July 2 Posted July 2 (edited) 20 hours ago, RanmaCanada said: Yeah and I'm sure the CEO's of those companies answer questions directly on their forums, RIGHT? Comparing Emby to multi billion or trillion dollar companies is just the epitime of ignorance. Thanks for continuing to validate my points. Have a great day. You like insulting people don't you? You assume you are the greater authority, and that everyone else is stupid. You don't know my background, where I work, how long I have been in the industry etc. etc. CEO's don't answer anything on web sites or forums for those companies (usually). Instead you have program managers or actual developers or a department responsible doing it. Emby support is on here, I don't need to know about their background, just a mere question about a securiuy page so that posts in the forums are avoided and Emby looks more professional with regards to security and integrity of their products. Softworkz has explained the position, it could have been left at that, without you chipping in. I don't need smebody who gets off on gas lighting people for their fulfillment. Edited July 2 by unisoft
xe` 48 Posted July 3 Posted July 3 Can someone explain to me why I am having to read pages of forum debates to gain an insight into this CVE? Why is this being handled like some sort of "first time a CVE has been released" bespoke process? Publish a succinct impact statement and a timeline on the main website, we are all busy people managing busy lives, no one has time for this.
pwhodges 2073 Posted July 3 Posted July 3 3 hours ago, xe` said: Can someone explain to me why I am having to read pages of forum debates to gain an insight into this CVE? You didn't need to - the impact was described near the start of the discussion (and is minimal for Emby, unlike for Jellyfin), as were the steps being taken. Most of the discussion is complaints about how it "should" have been announced - some of the criticism has merit, but the discussion of it has added nothing to understanding the CVE itself. Paul 1 3
xe` 48 Posted Saturday at 06:56 AM Posted Saturday at 06:56 AM sigh, the very fact this reply is getting upvotes speaks volumes. 1
RanmaCanada 557 Posted yesterday at 07:59 PM Posted yesterday at 07:59 PM On 04/07/2026 at 02:56, xe` said: sigh, the very fact this reply is getting upvotes speaks volumes. I literally posted what the CVE was in picture form with plain english and no tech babble, while the very first post had a direct link to the CVE, and still the ignorant masses here continued to wag their epeen and puffed out their chest claiming that the information was wrong and that they would only take it from Luke's mouth as proof.. People embrace their ignorance and belittle those who actually know what they are talking about as the ignorant make up their own facts if the truth doesn't fit their narrative. If anything, this thread just shows how many users here know nothing about computers while claiming they do.. 2
TeamB 2443 Posted 16 hours ago Posted 16 hours ago 10 hours ago, RanmaCanada said: wag their epeen and puffed out their chest WTF dude, are you ok?, do you really need to respond like this? I feel the Emby team could have handled this better. All that was needed was once the Emby team had a handle on the issue they should have released a notice. Nothing grand but a short announcement with the impact and recommendations for users. 2
RanmaCanada 557 Posted 8 hours ago Posted 8 hours ago 8 hours ago, TeamB said: WTF dude, are you ok?, do you really need to respond like this? I feel the Emby team could have handled this better. All that was needed was once the Emby team had a handle on the issue they should have released a notice. Nothing grand but a short announcement with the impact and recommendations for users. It's hard to dumb things down enough when even plain English is too hard for users to understand. I feel this was addressed properly as it was a nothing burger and would have been posted on the git as per Softworkz and would have made it to the forums. You needed to have a totally obscure codec for starters, and for Emby, it was only a potential DOS, that's it, that's all. All this shows is just how little the masses here understand about computers, and that a little information is far too dangerous for them as this was blown way out of proportion by the fear mongers who demanded Luke's head. If you read the CVE and understood the basics of computers, that was all you needed to understand this was a nothingburger..and yet people still demanded it be dumbed down even further.. If you feel my comment was out of line, please feel free to report it to the admins. Ignorance should not be embraced, and sadly a lot of users here do exactly that.
TeamB 2443 Posted 1 hour ago Posted 1 hour ago 6 hours ago, RanmaCanada said: It's hard to dumb things down enough when even plain English is too hard for users to understand. I agree it can be frustrating trying to explain things to none technical people, but also not everyone has English as a first language. Also none technical people that are are never going to understand the CVE need reassurance that everything is OK. 6 hours ago, RanmaCanada said: I feel this was addressed properly as it was a nothing burger and would have been posted on the git as per Softworkz and would have made it to the forums. Even if the CVE was a nothing burger, and it mostly was for Emby, it was still out there and there were multiple people on multiple projects talking about it and some freaking out some fear mongering and some outright pointing fingers at projects calling them out as compromised. This is what should have been addressed, Emby has a large customer base and fear and rumors can hurt customer confidence as much as actual real world exploitable issues. That is what I was referring to, Emby should get in front of, head it off before anyone can get hysterical and make a mountain out of the mole hill. 7 hours ago, RanmaCanada said: You needed to have a totally obscure codec for starters, and for Emby, it was only a potential DOS, that's it, that's all. yep, it is low to very low on the scale, a nothing burger as you put it, but still all that is needed is an simply worded announcement that Emby Team knows about the issue and what they are doing about it. i.e. in this case disable the codec in question. 7 hours ago, RanmaCanada said: All this shows is just how little the masses here understand about computers, If this was a security forum or a computer/tech forum I would 100% agree with you but it is not. This forum is for customers of a personal media management/playback tool, a lot of the people on this forum are not IT or computer experts and they don't need to be to use Emby. 7 hours ago, RanmaCanada said: If you feel my comment was out of line, please feel free to report it to the admins. Ignorance should not be embraced, and sadly a lot of users here do exactly that. I feel your frustration, why do you think I don't post much to the forums any longer, it can be frustrating and at the end of the day futile to try to get your point across to users. But I will say this, I have worked in IT Security for close to 30 years and worked with all sorts of people in that time. I have worked in some of the largest companies in the world and with some very smart people, way smarted than me. When I think back to some of the smartest people I have worked with over the years, some have been dicks, huge dicks, and I don't remember them for being start, I remember them for being disks.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now