• spacelord@sh.itjust.works · ↑93 · 7 days ago

    I wouldn’t say it’s only for the extra paranoid, but rather for everyone.

    After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.

    Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.

    Trust is something that must be earned, not given to someone you’ve never seen or heard of before.

  • pulsewidth@lemmy.world · ↑34 · edited · 6 days ago

    Update from Simon aka imsodin, Syncthing Maintainer

    tl;dr for android users: No need to switch apps at this time, the current install continues to work and is safe. If you can disable app auto-updates, please do that for now to be on the safe side.

    Good news: Had a good chat with @nel0x. He is a collaborator on researchxxl’s repo and just marked those releases as “pre-release”, which prevents the obtainium auto-upgrades. So we are back to no immediate risk for users and we can take it slowly, trying to establish communication and more context. It’s still possible and imo likely that nothing nefarious is going on, just a very suboptimal handover that needs clearing up. There’s no need to go dig for repos on github, the technicalities of continuing to publish an app are not an issue - the open/relevant points are about a possible direct continuation of the existing app (or not), the time/effort that needs to be volunteered to publish an app and the trust in whoever does that. Hopefully we can work something out. If you are interested in helping maintain the app, let us know, other than that imo nothing to do here except if you are a user, to do the above in the tl;dr and every now and then check-in on the status (now and then being more like every week than every hour 😉 ).

    https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/58

  • CoyoteFacts@piefed.ca · ↑50 ↓2 · 7 days ago

    Absolutely not trusting this. Uninstalling until we know more, and ideally just getting a different solution entirely. A new account tried to impersonate Catfriend1 directly at first, and then they switched to researchxxl when someone called it out (both are new accounts). Meanwhile the original Catfriend1 has provided no information about this, and we only have the new person’s word as to what’s going on. There’s way too many red flags here.

    • Wispy2891@lemmy.world · ↑10 ↓1 · 7 days ago

      Afaik don’t need to uninstall yet, f-droid won’t automatically get new builds from this repo until the situation is cleared

      • 0_o7@lemmy.dbzer0.com · ↑6 ↓2 · 6 days ago

        But but my outrage… means I can do stupid things and act smart online.

        I’m uninstalling Android and installing iOS right now.

    • curiousfurbytes@programming.dev · ↑8 ↓1 · edited · 7 days ago

      I’ve done the same. Not trusting something until it can be trusted. Unfortunately it seems there are no easy alternative apps, so not sure how I’ll handle my usage now.

      • Kevin@lemmy.ca · ↑3 · 7 days ago

        Syncthing desktop in termux and handle triggers like battery + wifi via tasker?

        • curiousfurbytes@programming.dev · ↑1 · 6 days ago

          Well, it’s not easy, but I like the idea, hadn’t thought of that… I don’t really use the triggers, only when files change, so that’ll do it!

  • Wispy2891@lemmy.world · ↑34 · edited · 7 days ago

    Maybe it’s actually true that catfriend1 knows the new owner in real life but… this is not a calculator app, this is something that has complete access to the phone storage… handing the keys without any communication is concerning…

    And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo

    • WhyJiffie@sh.itjust.works · ↑9 · 6 days ago

      > And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo

      people shouldn’t count on that anyways because the repo owner can delete issues, comments, also edit them

  • Pika@sh.itjust.works · ↑26 ↓1 · edited · 7 days ago

    this entire thing has made me really rethink whether I want to swap to the new repo or not.

    Why was there no communication about it? The gplay repo maintainer wasn’t informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.

    Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.

    I’m also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.

    I also just noticed that it looks like they removed the entire public key for it, which if they had the original private keys using the existing public keys shouldn’t be an issue right?

    • It’s likely because the app will no longer be distributed on Google. They likely removed the Google play signing keys and configuration, which is completely fine. I’ll have a look over their changes when I get home, but I doubt it’s anything nefarious.

      I also ditched this stuff when Google decided to start asking for my drivers license and will no longer distribute my apps within their closed marketplace.

  • AmbiguousProps@lemmy.today · ↑16 · edited · 6 days ago

    The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have unsigned apks installed that may or may not contain the changes in the repo.

    This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.

    • pulsewidth@lemmy.world · ↑11 ↓1 · edited · 6 days ago

      Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo if they have the keys - and throw no complaints when updating to an entirely different apk.

      With F-Droid they at least have to have the same signing keys, and the code is built by F-droid from source - meaning the code for the supplied APK always matches the code on the repository for the build. Whereas Obtainium will just offer you any APK the dev releases on their GitHub/Gitlab/etc, which places much higher trust in the dev.

      Edit:
      my bad, I wrote earlier that all F-droid builds are reproducible. But that’s not accurate: F-droid does not enforce that all builds must be reproducible. They have been helping devs with the tools and assistance to do so since 2015, and all the apps that I use (which I’d checked in the past) are using reproducible builds, so I wrongly presumed it was mandatory now. Eg, Syncthing-Fork from Catfriend has had all builds reproducible since v2: https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/
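
      A defender-side check that follows from the two points above (releases no longer signed with the original key, and an updater that accepts whatever APK a redirected repo serves), added here as an example and not code from the thread or from any of the projects it mentions: pin the signer certificate digest of the installed app and refuse any downloaded APK whose signer differs. It assumes `apksigner` from the Android SDK build-tools is on PATH; the sample tool output and the pinned digest are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example (not from the thread): pin an APK's signing certificate digest
# and refuse the file if it does not match. Assumes `apksigner` (Android SDK
# build-tools) is on PATH; the sample output and digests below are constructed.
set -eu

# Keep only the hex digests from "Signer #N certificate SHA-256 digest: ..."
# lines of `apksigner verify --print-certs` output, lower-cased.
signer_digests() {
  printf '%s\n' "$1" |
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9a-fA-F]*\).*/\1/p' |
    tr 'A-F' 'a-f'
}

# Succeed only if at least one signer was parsed and every signer matches the
# pinned digest; no parsable signer (e.g. an unsigned APK) is a failure.
check_pinned_signer() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  found=0
  for d in $(signer_digests "$1"); do
    found=1
    [ "$d" = "$expected" ] || return 1
  done
  [ "$found" -eq 1 ]
}

# Run the real tool on a downloaded APK; a failed signature verification or a
# digest mismatch both reject the file before any installer sees it.
verify_apk() {
  out=$(apksigner verify --print-certs "$1") || return 1
  check_pinned_signer "$out" "$2"
}

# Constructed sample output so the parsing logic can be exercised offline.
SAMPLE_OK='Signer #1 certificate DN: CN=Constructed Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'
PINNED_DIGEST='0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Usage: verify_apk path/to/update.apk "$PINNED_DIGEST" && echo "signer matches"
```

      The pinned digest for an already-installed app can be read the same way from the APK you currently have, so a later download is compared against what you trusted before, not against whatever the repo currently serves.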

  • Takios@discuss.tchncs.de · ↑14 · 6 days ago

    Thank you for the notice. This is a really bad look on the project. Thankfully I still have a version from before the takeover installed and disabled auto-updates just in case. Though I suspect f-droid will not accept builds by this person until trust has been established.

    • hayalci@fstab.sh · ↑4 · 7 days ago

      Two people communicating one-to-one and starting a new account to solely dedicate to maintaining a pretty public open source project doesn’t sound too fishy, tbh, if everything else checks out. (Catfriend1 confirms the handover, etc.)

      • ook@discuss.tchncs.de · ↑1 · 7 days ago

        Could of course be the same person behind both accounts but at least one of them existed for a while.

  • Zwuzelmaus@feddit.org · ↑9 · edited · 7 days ago

    I had intended to try it out, but now uninstalled for… just in case.

    Some kind guru please watch the source for unwanted effects.

  • smeg@infosec.pub · ↑12 ↓2 · 7 days ago

    What’s wrong with original Syncthing? Why would anyone use a fork?

  • Great Blue Heron@lemmy.ca · ↑8 · 7 days ago

    I installed mine from F-Droid. I just went there to turn off updates and it doesn’t exist. I have not been paying attention so it may have been gone for ages and not related?

      • Great Blue Heron@lemmy.ca · ↑6 · 7 days ago

        Interesting - mine is syncthing-fork 1.30.0.4. When I go to the App Info page it says “App installed from F-Droid” and when I tap on that button I get a small pop-up that says “No such app found.”

        • zeca@lemmy.ml · ↑6 · 7 days ago

          The 2.0 update was made into a new package in fdroid, so that you paid close attention to the upgrade, as it could maybe break things.

        • Lfrith@lemmy.ca · ↑4 · 7 days ago

          During the update to 2.0 you had to uninstall the 1.3 version then install and restore your syncthing-fork settings. So if you are still on 1.3 that’s probably why you aren’t seeing it. Should pop up if you search F-droid for the 2.0 version.

              • Wispy2891@lemmy.world · ↑3 · 7 days ago

                I think everyone misses the upgrade except new installs. How can users (including power users) know that they have to uninstall the old app, potentially lose all the settings, then reinstall and reconfigure?

                • Lfrith@lemmy.ca · ↑4 · 7 days ago

                  I knew because I install through F-droid instead of github so ended up getting like a notice informing me that to upgrade to 2.0 I should back up the settings then uninstall 1.3 then install 2.0 then back up settings.

                  But, if retrieving from GitHub or Obtainium then maybe the message wasn’t relayed.

  • adr1an@programming.dev · ↑4 · 6 days ago

    For some reason, my version of syncthing-fork is old and source is not even on f-droid anymore. Was there any other before catfriend1? Perhaps I downloaded APK from GitHub… Can’t recall.

    • Wispy2891@lemmy.world · ↑6 · 7 days ago

      No.

      In my case I was using syncthing to backup /storage on my phone and turns out there are faster ways to do that

      My alternative:

      1. Ente for photos
      2. Borg via termux for the full /storage backup (including the photos)

    • ueiqkkwhuwjw@lemmy.world (OP) · ↑2 · 7 days ago

      Syncthing in Termux apparently works to some extent. Another option might be Nextcloud? Will def try out some alternatives just in case.

      • fin@sh.itjust.works · ↑2 · 6 days ago

        It can send files, but that’s all. Also, kdeconnect doesn’t work over the Internet

      • Captain Aggravated@sh.itjust.works · ↑2 · 6 days ago

        I don’t know, I played with it years ago, didn’t need it and haven’t really touched it until now.

        I use Syncthing for several things, especially syncing photos between my phone and desktop.