I believe they are trying to get across the fact that PMS doesn’t need any Python installed.
What Python that PMS uses is strictly internal to PMS and is not exposed outside PMS.
The objection here is that Plex should not be bundling python at all. It should be using the system python. Linux distributions strongly discourage packages from bundling other libraries / applications because it makes it very difficult to manage the security landscape of those bundled libraries.
In the ideal world, Plex would link against the system provided python runtime, and my distribution would manage the security patching of the system python.
But if Plex is going to bundle its own copies of things, then they can make the lives of Linux distribution packagers a lot easier by providing documentation on which versions of things they are bundling, and whether or not they’ve made changes to the bundled libraries, because that’ll allow the Linux distributions to replace those bundled libraries that have not been modified with system-wide versions.
For a moment I am going to ignore the discussion if Python2 is a bad idea or not.
Coming back to the Gentoo package and what ChuckPa wrote about how to make it work:
It does.
Just copy the official package to your own Repository, edit a few lines regarding python and it installs and runs fine!
It is absolutely no problem to fix this package. So rest assured that plex-media-server can stay on Gentoo. 
Distributions nowadays discourage bringing your own libraries as an open package. And they have done so for a long time. And all of them use different versions of the libraries. That is why we are in dependency hell when building for more than one distribution.
If you are compliant with modern Distribution standards you have to create a SNAP package. Or a docker image. Or some other container. Containing basically a whole operating system as far as it is necessary to run the software.
sarcasm mode on
Everybody can see that it is much better to run a program that has 2 GB of >>supportive libraries<< with it that cannot be shared with the rest of the OS.
sarcasm mode off
The advantage of SNAP, DOCKER and the others is that you know that it works. Even if the Application is of the >>only works in the machine of the developer<< type.
But you need to have 32 GB RAM if you want to run three of them in parallel.
I’m also a Gentoo Linux user and in my case, as I also possess a lifetime Plex Pass subscription, I wanted fast access to the regular beta releases too. That fact, plus my decision to run a second Plex server on the same machine, drove me to Docker. Never looked back since. The RAM demands are not as high as some posters claim them to be, and by just adding the Plex user to the video and render groups Plex can utilize hardware acceleration too.
As for the python 2.7 issues, I can’t see the problem since python itself is not needed as an external dependency.
For us Gentoo folks, there are now ebuilds on plex-overlay that don’t depend on python2.
As for the security concerns, they’re broader than the stringent packaging requirements of one distro. There are some relevant articles here and here.
There was an earlier post in this thread about an effort being made to port it to C++ which appears to be deleted. I assume it was made in error.
Another Gentoo user here, and lifetime Plex pass holder.
Python 2 is obsolete. It is only a matter of time until a massive vulnerability is found, then everyone in this community is screwed, not just Gentoo users.
Also I’d like to add my reply to this statement:
“… I do not understand the demand by the Gentoo community to have Python 3 within the next 30 days.”
I personally don’t see anyone clamoring for it in the next 30 days, that’s a ridiculous goal for anyone to meet. Just please tell us it’s on the roadmap in the coming year or something.
The fact that people are arguing to keep around software that has been EOL’d for 11 months now is mind boggling. Why are we even arguing about Gentoo at all, here? I run plex in docker, but that doesn’t make me any happier about plex using Python 2.
This is because of how a container is architected, and these containers generally use ‘upstream’ dependencies. It’s possible to use your own, but most build off of an up-to-date alpine or ubuntu image for this reason: they don’t want to maintain out of date software, just their own code/software. Yes, the docker container you use might go out of date, but the maintainers of most are not bundling their own python or other dependencies with it, they’re using distro dependencies.
The idea here is that Plex needs to stop bundling software they are either not equipped or not willing to maintain. Python 2 has been EOL for almost a year, so what has Plex done to test or fix security issues in py2? What patches are there for CVEs related to Python? Are they going to be released so others can use them? Is Plex volunteering to maintain Python 2.7?
Add me to the list of Gentoo users with lifetime plex pass.
My biggest concern is not having to run system-wide python2; it’s Plex (and every other python2-required app) running into a major vulnerability in the future that I’m concerned about. This is the case for any third-party library that Plex is using that isn’t up to date either (another defense for using the system’s library). Such a vulnerability could not only compromise Plex, but anything that the plex user has access to (and now your Plex library could be locked down with ransomware through such a vulnerability). Many of these big data breaches or compromises lately have been through unpatched systems or poor security practice (even Target back in the day was using XP machines).
I just want to reiterate what two other users in this thread have said, as an answer to this question:
From a security standpoint, this is a ticking bomb.
But it’s not “system wide” – as the part of my post you are quoting says.
Not sure if you’re referring to the media files themselves, or the library database. But if you’re keeping the only copy of that data on your server, you’re already doing this wrong.
Myself, I only give Plex read-only access to my media files, so it’s not possible for someone to come in and trash everything, even if I didn’t have backups.
I misspoke, I was agreeing with you that it’s not system wide but noting that this wasn’t my gripe.
Everyone should give Plex read-only access, but I’m willing to guess not everybody does. Perhaps another example would be someone simply accessing all of your files and leaking them; I admittedly have many private family photos/videos that I would rather not get into the hands of some Russian hacker.
My point was that by utilizing Python2, plex is just waiting for a vulnerability that it could have otherwise mitigated by updating to python3 and now you’re running that software on your server and giving people a new attack vector. It’s bad infosec practice and this is going to come back to bite us if such a vulnerability appears before they migrate to Python3. This is the general consensus by the majority of secadmins and some warnings have been linked in above comments.
Of course you can have (and should have) infrastructure for disaster recovery, but that shouldn’t be a justification for leaving yourself open to an additional line of disaster. I will still use plex, I will still maintain backups, and I will still bind the service to a specific network interface that interacts with the internet but not other devices behind my firewall. But I’m going to hope that they work to move off of an EOL platform before security concerns become worse.
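The posts above recommend giving the Plex service account read-only access to media. The following is an added example (not code from the thread or from Plex) that audits whether a local account such as `plex` can write to a set of paths, applying the POSIX owner/group/other rule; the default user name and `/srv/media` path are assumptions, and POSIX ACLs are not evaluated.

```python
#!/usr/bin/env python3
"""Audit whether a service account (e.g. the 'plex' user) can modify media paths.
Added example; assumes a local POSIX host. Only classic mode bits are checked,
not POSIX ACLs, so a path reported read-only may still be writable via an ACL."""
import grp
import os
import pwd
import stat
import sys

ROOT_UID = 0


def user_groups(username):
    """Return (uid, set of gids) for a local account, primary plus supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX rule: root writes anywhere; otherwise exactly one class applies,
    owner first, then group, then other (an owner lacking u+w is denied even
    if g+w is set)."""
    if uid == ROOT_UID:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(paths, uid, gids):
    """Map each path to True if the account could modify it. For a directory,
    write permission also means entries in it can be deleted or renamed."""
    report = {}
    for p in paths:
        st = os.stat(p)
        report[p] = can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return report


if __name__ == "__main__":
    # Assumed defaults: account 'plex' and media under /srv/media.
    user, *paths = sys.argv[1:] or ["plex", "/srv/media"]
    uid, gids = user_groups(user)
    for path, writable in audit(paths, uid, gids).items():
        print(f"{'WRITABLE ' if writable else 'read-only'}  {path}")
```

Run it as `./audit.py plex /srv/media /srv/photos`; any line marked WRITABLE is a path the service account could encrypt or delete if compromised.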
I don’t think Plex will ever use Python 3…
Currently what little use there is of Python 2 is with the agents; I don’t think they are going to be around long…
What are the agents?
Are they optional? Can they be removed?
Thanks
For us Gentoo folks, there are now ebuilds on plex-overlay that don’t depend on python2.
I see the “official” package for Gentoo is now gone, and my Plex installation is orphaned. And comio’s plex-overlay has no .ebuild — maybe it’s just temporary? So the options are Plex Docker or cancel my Plex subscription and switch back to mythtv?
And comio’s plex-overlay has no .ebuild
Damned if I can figure out what I was looking at before, but when I went back a second time, it’s certainly there.
I did an eselect repository command as shown in the README.md file, did a sync and an update, and it seems to be installed and working fine.
I feel like this is an appropriate time to post these:
Improper Input Validation in Plex Media Server on Windows allows a local, unauthenticated attacker to execute arbitrary Python code with SYSTEM privileges.
https://nvd.nist.gov/vuln/detail/CVE-2020-5740
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
https://nvd.nist.gov/vuln/detail/CVE-2020-5741
How is it an appropriate time? These were patched months ago, as will any new vulnerabilities that are discovered. EOL of Python2 doesn’t prevent Plex from fixing or working around them until Py2 is replaced completely.
Logged in today due to an issue that appears to stem from the agents and Python 2 that is keeping me from being able to match stuff. So, you know, not exactly a minor detail here.