• Wispy2891@lemmy.world · 3 points · edited · 13 minutes ago

    Maybe it’s actually true that catfriend1 knows the new owner in real life but… this is not a calculator app, this is something that has complete access to the phone storage… handing the keys without any communication is concerning…

    And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo

  • Pika@sh.itjust.works · 9 points · edited · 3 hours ago

    this entire thing has made me really rethink whether I want to swap to the new repo or not.

    Why was there no communication about it? The gplay repo maintainer wasn’t informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.

    Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.

    I’m also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.

    I also just noticed that it looks like they removed the entire public key for it, which if they had the original private keys using the existing public keys shouldn’t be an issue right?

  • Zwuzelmaus@feddit.org · 2 points · edited · 3 hours ago

    I had intended to try it out, but now uninstalled for… just in case.

    Some kind guru please watch the source for unwanted effects.

    • Wispy2891@lemmy.world · 1 point · 11 minutes ago

      No.

      In my case I was using syncthing to backup /storage on my phone and turns out there are faster ways to do that

      My alternative:

      1. Ente for photos
      2. Borg via termux for the full /storage backup (including the photos)

  • spacelord@sh.itjust.works · 47 points · 10 hours ago

    I wouldn’t say it’s only for the extra paranoid, but rather for everyone.

    After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.

    Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.

    Trust is something that must be earned, not given to someone you’ve never seen or heard of before.

  • smeg@infosec.pub · 7 up / 2 down · 7 hours ago

    What’s wrong with original Syncthing? Why would anyone use a fork?

  • ultranaut@lemmy.world · 35 up / 1 down · 12 hours ago

    Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.

    • unexposedhazard@discuss.tchncs.de · 43 points · edited · 12 hours ago

      has me reconsidering my use of syncthing

      This is about a third party piece of software that isn’t directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for android, so it definitely needs clearing up.

      • ultranaut@lemmy.world · 2 points · 3 hours ago

        Yes, I only use it via syncthing-fork so this is a distinction without a difference to me.

      • chaospatterns@lemmy.world · 13 points · 8 hours ago

        We’re sort of in this situation because the official project decided not to continue providing an official Android app, yet people want to use it on Android forcing unofficial versions to be created and maintained.

        I get that they don’t want to deal with Google Play anymore, but somebody has to deal with it and them not owning the app is putting users at risk.

    • tychosmoose@lemmy.world · 4 points · 8 hours ago

      Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to-do list to figure out options. Now it’s at the top of the list, and I’m not doing updates for the time being on Android. That’s almost the entirety of my reliance on syncthing: phone to PC sync. I don’t really need it that much for sync between PCs.

  • Great Blue Heron@lemmy.ca · 5 points · 9 hours ago

    I installed mine from F-Droid. I just went there to turn off updates and it doesn’t exist. I have not been paying attention so it may have been gone for ages and not related?

  • BackgrndNoize@lemmy.world · 7 points · 12 hours ago

    My policy with open source projects like these is to fork the repo and only bring in upstream updates when I’m certain it’s safe and necessary

    • Serinus@lemmy.world · 8 points · 9 hours ago

      Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.