Overview here
The new owner of the repo has a fresh github account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
You must log in or register to comment.
Update from Simon aka imsodin, Syncthing Maintainer
tl;dr for android users: No need to switch apps at this time, the current install continues to work and is safe. If you can disable app auto-updates, please do that for now to be on the safe side.
Good news: Had a good chat with @nel0x. He is a collaborator on researchxxl’s repo and just marked those releases as “pre-release”, which prevents the obtainium auto-upgrades. So we are back to no immediate risk for users and we can take it slowly, trying to establish communication and more context. It’s still possible and imo likely that nothing nefarious is going on, just a very suboptimal handover that needs clearing up. There’s no need to go dig for repos on github, the technicalities of continuing to publish an app are not an issue - the open/relevant points are about a possible direct continuation of the existing app (or not), the time/effort that needs to be volunteered to publish an app and the trust in whoever does that. Hopefully we can work something out. If you are interested in helping maintain the app, let us know, other than that imo nothing to do here except if you are a user, to do the above in the tl;dr and every now and then check-in on the status (now and then being more like every week than every hour 😉 ).
Thank you for the notice. This is a really bad look on the project. Thankfully I still have a version from before the takeover installed and disabled auto-updates just in case. Though I suspect f-droid will not accept builds by this person until trust has been established.
The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have unsigned apks installed that may or may not contain the changes in the repo.
This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.
Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo If they have the keys - and throw no complaints when updating to an entirely different apk.
With F-Droid they at least have to have the same signing keys, and the code is built by F-droid from source - meaning the code for the supplied APK always matches the code on the repository for the build. Whereas Obtainium will just offer you any APK the dev releases on their GitHub/Gitlab/etc, this places much higher trust on the dev.
Edit:
my bad, I wrote earlier that all F-droid builds are reproducable. But that’s not accurate F-droid does not enforce that all builds must be reproducible. They have been helping devs with the tools and assistance to do so since 2015, and all the apps that I use I’d checked in the past and are all using reproducable builds, so I wrongly presumed it was mandatory now. Eg, Syncthing-Fork from Catfriend has had all builds reproducible since v2: https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/and the code must be a replicable build by F-Droid’s internal apk signature copying process
that’s not a requirement. or was it already being built reproducibly?
Every Catfriend build since v2 has been reproducable. Most apps on F-Droid are and they are encouraging it for all devs, to build trust.
https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/
Maybe it’s actually true that catfriend1 knows the new owner in real life but… this is not a calculator app, this is something that has complete access to the phone storage… handing the keys without any communication is concerning…
And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo
And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo
people shouldn’t count on that anyways because the repo owner can delete issues, comments, also edit them
For some reason, my version of syncthing-fork is old and source is not even on f-droid anymore. Was there any other before catfriend1? Perhaps I downloaded APK from GitHub… Can’t recall.
Could be the same issue as here https://lemmy.ca/comment/20114092
Thanks. Sure it is. But I will call this a feature now ;)
this entire thing has made me really rethink whether I want to swap to the new repo or not.
Why was there no communication about it. The gplay repo maintainer wasn’t informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.
Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.
I’m also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.
I also just noticed that it looks like they removed the entire public key for it, which if they had the original private keys using the existing public keys shouldn’t be an issue right?
It’s likely because the app will no longer be distributed on Google. They likely removed the Google play signing keys and configuration, which is completely fine. I’ll have a look over their changes when I get home, but I doubt it’s anything nefarious.
I also ditched this stuff when Google decided to start asking for my drivers license and will no longer distribute my apps within their closed marketplace.
Google decided to start asking for my drivers license
I wish it was only the drivers license, I had to give up my Android dev account too because having my private home address + phone number + email publicly available on the dev profile page is completely unacceptable
Yeah exactly, where does it end? next they will be asking for more. I’ll just distribute APKs elsewhere.
Absolutely not trusting this. Uninstalling until we know more, and ideally just getting a different solution entirely. A new account tried to impersonate Catfriend1 directly at first, and then they switched to researchxxl when someone called it out (both are new accounts). Meanwhile the original Catfriend1 has provided no information about this, and we only have the new person’s word as to what’s going on. There’s way too many red flags here.
Afaik don’t need to uninstall yet, f-droid won’t automatically get new builds from this repo until the situation is cleared
But but my outrage… means I can do stupid things and act smart online.
I’m uninstalling Android and installing iOS right now.
I’ve done the same. Not trusting something until it can be trusted. Unfortunately it seems there’s no easy alternative apps, so not sure how I’ll handle my usage now
Syncthing desktop in termux and handle triggers like battery + wifi via tasker?
Well, it’s not easy, but I like the idea, hadn’t thought of that… I don’t really use the triggers, only when files change, so that’ll do it!
What’s the last “safe” version on F-Droid? 2.0.11.2?
That’s the last version that was released before the transfer AFAIK. Someone in the linked thread also said they didn’t see anything suspicious between 2.0.11.1 and 2.0.11.2.
I wouldn’t say it’s only for the extra paranoid, but rather for everyone.
After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.
Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.
Trust is something that must be earned, not given to someone you’ve never seen or heard of before.
I had intended to try it out, but now uninstalled for… just in case.
Some kind guru please watch the source for unwanted effects.
This whole situation has been bizarre and really poorly communicated.
Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.
has me reconsidering my use of syncthing
This is about a third party piece of software that isnt directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for android, so it definitely needs clearing up.
We’re sort of in this situation because the official project decided not to continue providing an official Android app, yet people want to use it on Android forcing unofficial versions to be created and maintained.
I get that they don’t want to deal with Google Play anymore, but somebody has to deal with it and them not owning the app is putting users at risk.
I get that they don’t want to deal with Google Play
Was that the reason? Shame they didn’t just leave it on F-Droid and GitHub then. Nobody needs to use Google Play (at least not yet…)
https://forum.syncthing.net/t/discontinuing-syncthing-android/23002
According to this post, it was partly that and lack of maintainers. Given there’s maintainers for a fork, I’m curious why they didn’t bring them into the main project.
Reason is a combination of Google making Play publishing something between hard and impossible and no active maintenance. The app saw no significant development for a long time and without Play releases I do no longer see enough benefit and/or have enough motivation to keep up the ongoing maintenance an app requires even without doing much, if any, changes.
Yes, I only use it via syncthing-fork so this is a distinction without a difference to me.
Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to do list to figure out options. Now it’s at the top of the list, and I’m not doing updates for the time being on Android. That’s almost the entirety of my reliance on syncthing - phone to PC sync. I don’t really need it that much for sync between PCs.
I said this in another thread, but apparently it’s not widely known: syncthing works fine on termux, there is no need to install any third party code. You do need to run
termux-setup-storageto get access to the shared storage that other apps can access, and I found it worth it to set up the termux:boot app to runsyncthingon phone boot. This way only uses the official syncthing repo.I have heard that. Can it be given run conditions, like only on wifi, and respecting the Android battery saving setting?
My phone has an always on split tunnel VPN to home, so the other sync devices are always accessible. Without the Syncthing-Fork run conditions it chews through mobile data and battery.
Thanks for the tips, was planning on trying this out.
dammit I like Syncthing. does kdeconnect do a decent job at syncing files?
No.
In my case I was using syncthing to backup /storage on my phone and turns out there are faster ways to do that
My alternative:
- Ente for photos
- Borg via termux for the full /storage backup (including the photos)
Syncthing in Termux apparently works to some extent. Another option might be Nextcloud? Will def try out some alternatives just in case.
I don’t think so. Can KDE connect even sync files?
I don’t know, I played with it years ago, didn’t need it and haven’t really touched it until now.
I use Syncthing for several things, especially syncing photos between my phone and desktop.
It can send files, but that’s all. Also, kdeconnect doesn’t work over the Internet
What’s wrong with original Syncthing? Why would anyone use a fork?
First up, this fork is specifically about the Android client, not any other ones.
The fork of that always had some nice mobile battery saving features added, but morr importantly, the original version has been discontinued.
Some more info here, does not read super fishy, all meant well but happened in a strange way https://github.com/researchxxl/syncthing-android/issues/16#issuecomment-3542202530
Two people communicating one-to-one and starting a new account to solely dedicate to maintaining a pretty public open source project doesn’t sound too fishy, tbh, if everything else checks out. (Catfriend1 confirms the handover, etc.)
Could of course be the same person behind both accounts but at least one of them existed for a while.
