Overview here
The new owner of the repo has a fresh GitHub account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
Update from Simon aka imsodin, Syncthing Maintainer
tl;dr for android users: No need to switch apps at this time, the current install continues to work and is safe. If you can disable app auto-updates, please do that for now to be on the safe side.
Good news: Had a good chat with @nel0x. He is a collaborator on researchxxl’s repo and just marked those releases as “pre-release”, which prevents the obtainium auto-upgrades. So we are back to no immediate risk for users and we can take it slowly, trying to establish communication and more context. It’s still possible and imo likely that nothing nefarious is going on, just a very suboptimal handover that needs clearing up. There’s no need to go dig for repos on github, the technicalities of continuing to publish an app are not an issue - the open/relevant points are about a possible direct continuation of the existing app (or not), the time/effort that needs to be volunteered to publish an app and the trust in whoever does that. Hopefully we can work something out. If you are interested in helping maintain the app, let us know, other than that imo nothing to do here except if you are a user, to do the above in the tl;dr and every now and then check-in on the status (now and then being more like every week than every hour 😉 ).
I wouldn’t say it’s only for the extra paranoid, but rather for everyone.
After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.
Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.
Trust is something that must be earned, not given to someone you’ve never seen or heard of before.
Maybe it’s actually true that catfriend1 knows the new owner in real life but… this is not a calculator app, this is something that has complete access to the phone storage… handing the keys without any communication is concerning…
And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo
People shouldn't count on that anyway, because the repo owner can delete issues and comments, and also edit them.
Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.
Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to do list to figure out options. Now it’s at the top of the list, and I’m not doing updates for the time being on Android. That’s almost the entirety of my reliance on syncthing - phone to PC sync. I don’t really need it that much for sync between PCs.
This entire thing has made me really rethink whether I want to swap to the new repo or not.
Why was there no communication about it? The gplay repo maintainer wasn't informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.
Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.
I’m also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.
I also just noticed that it looks like they removed the entire public key for it, which if they had the original private keys using the existing public keys shouldn’t be an issue right?
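The question above (does it matter that the checksums and public key were removed, if the new owner really holds the original private key?) comes down to whether a new release is signed by the same certificate as the build you already trust. The script below is an added example, not code from the thread or the project: it pins the SHA-256 of the signing certificate taken from your currently installed build (placeholder value here) and refuses to approve an update whose signer does not match. It assumes `apksigner` from the Android SDK build-tools is in PATH; the comparison helpers themselves run anywhere.

```shell
#!/bin/sh
# Added example: gate an APK update on the signing certificate fingerprint.
# PINNED_SHA256 is a placeholder; record the real value from the build you
# already have installed, e.g. `apksigner verify --print-certs installed.apk`.
PINNED_SHA256="<known-good-signing-cert-sha256-placeholder>"

# Normalise a fingerprint so that apksigner output (bare hex) and keytool
# output ("AA:BB:...") compare equal: drop colons/whitespace, lowercase.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Compare two fingerprints after normalisation; prints "match" or "MISMATCH"
# and returns 0 / 1 accordingly so it can be used as a gate in scripts.
compare_fp() {
  if [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; then
    echo match; return 0
  fi
  echo MISMATCH; return 1
}

# SHA-256 of the first signer certificate of an APK, as reported by apksigner.
apk_signer_sha256() {
  apksigner verify --print-certs "$1" \
    | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Approve the update only when the signer equals the pinned fingerprint.
check_apk_update() {
  apk="$1"
  actual="$(apk_signer_sha256 "$apk")" || return 1
  [ -n "$actual" ] || { echo "no signer found in $apk" >&2; return 1; }
  compare_fp "$PINNED_SHA256" "$actual"
}

# Usage: check_apk_update new-release.apk && echo "same signer, ok to install"
```

Android itself refuses to install an update signed with a different key over an existing app, so a mismatch here means the release would not install as an update anyway; the check lets you see that before sideloading.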
Thank you!
Yup thanks for the heads-up!
No prob :)
My policy with open source projects like these is to fork the repo and only bring in upstream updates when I’m certain it’s safe and necessary
Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.
Dammit, I like Syncthing. Does KDE Connect do a decent job at syncing files?
No.
In my case I was using Syncthing to back up /storage on my phone, and it turns out there are faster ways to do that.
My alternative:
- Ente for photos
- Borg via termux for the full /storage backup (including the photos)
Personally on Android for photos I use photosync as well as Immich
Syncthing in Termux apparently works to some extent. Another option might be Nextcloud? Will def try out some alternatives just in case.
I don’t think so. Can KDE connect even sync files?
I don’t know, I played with it years ago, didn’t need it and haven’t really touched it until now.
I use Syncthing for several things, especially syncing photos between my phone and desktop.
It can send files, but that’s all. Also, kdeconnect doesn’t work over the Internet