Comment on PSA syncthing-fork has changed owners
AmbiguousProps@lemmy.today 2 days ago
The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it's possible that if you had this previously installed via Obtainium and updated now, **you may have unsigned APKs installed that may or may not contain the changes in the repo**.
This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.
pulsewidth@lemmy.world 2 days ago
Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo - and throw no complaints when updating to an entirely different apk.
With F-Droid they at least have to have the same signing keys, and the code must be a replicable build by F-Droid's internal APK signature copying process, meaning the code for the supplied APK always matches the code on the repository for the build.
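The check the two comments above are circling (a release no longer signed with the original key, and F-Droid's rule that an update must carry the same signing key) can be done locally before an update is installed. The following is an added example, not code from the thread, Obtainium, F-Droid or syncthing-fork: it reads the v1 (JAR) signature block `META-INF/*.RSA|*.DSA|*.EC`, pulls the signer certificate(s) out of the PKCS#7 `SignedData` with a minimal DER walker, and compares their SHA-256 fingerprints against a pinned set. It does no signature verification (Android does that at install time); it only answers "is this the same signer as before?". The APK it runs on is constructed in the block, and `ORIGINAL_CERT`, `NEW_OWNER_CERT` and `build_test_apk` are hypothetical stand-ins, not real certificates or a real syncthing-fork release.

```python
"""Pin an APK's v1 signer certificate across updates (added example, stdlib only).

Assumptions: the APK carries a v1 (JAR) signature block under META-INF/.
APKs signed only with scheme v2/v3 have no such file and yield an empty set,
which this code treats as "signer unknown" and therefore rejects.
"""
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, end_pos, raw_tlv)."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end, buf[start:end]


def _der_children(value):
    """Yield (tag, value, raw_tlv) for each element in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos, raw = _der_read(value, pos)
        yield tag, inner, raw


def certs_from_pkcs7(der):
    """Return the DER of every Certificate in a PKCS#7 SignedData blob."""
    tag, content_info, _, _ = _der_read(der, 0)
    kids = list(_der_children(content_info))
    if tag != 0x30 or len(kids) < 2 or kids[0][0] != 0x06 or kids[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    if kids[0][1] != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not signedData")
    sd_tag, signed_data, _ = next(_der_children(kids[1][1]))  # [0] EXPLICIT SignedData
    if sd_tag != 0x30:
        raise ValueError("malformed SignedData")
    certs = []
    for t, inner, _ in _der_children(signed_data):
        if t == 0xA0:                       # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(raw for ct, _, raw in _der_children(inner) if ct == 0x30)
    return certs


def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints (hex) of all v1 signer certificates in the APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def update_is_same_signer(pinned, apk_bytes):
    """True only if the APK has at least one signer and every signer is pinned."""
    fps = signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= set(pinned)


# ---- constructed test fixtures (not real certificates or a real release) ----
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


ORIGINAL_CERT = _der(0x30, b"hypothetical original maintainer cert")
NEW_OWNER_CERT = _der(0x30, b"hypothetical new owner cert")
PINNED = {hashlib.sha256(ORIGINAL_CERT).hexdigest()}


def build_test_apk(cert_der):
    """Constructed stand-in APK: a zip with a PKCS#7 block wrapping cert_der.
    No real signature is present; only the certificate container is shaped like one."""
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"")
                       + _der(0x30, _der(0x06, OID_DATA))
                       + _der(0xA0, cert_der) + _der(0x31, b""))
    pkcs7 = _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    for label, cert in (("original signer", ORIGINAL_CERT), ("new owner", NEW_OWNER_CERT)):
        print(label, "->", "OK" if update_is_same_signer(PINNED, build_test_apk(cert)) else "REJECT")
```

Rejecting an empty fingerprint set is deliberate: an update with no v1 block is not proof of a key change, but it is not proof of the same signer either, and for a real release the tool to read all three signing schemes is `apksigner verify --print-certs`. Android itself refuses an in-place update whose signer differs from the installed package, so a changed key normally surfaces as an install failure; the point of checking beforehand is to notice the ownership change before downloading anything rather than at the install prompt.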
WhyJiffie@sh.itjust.works 2 days ago
That's not a requirement. Or was it already being built reproducibly?
pulsewidth@lemmy.world 2 days ago
Every Catfriend build since v2 has been reproducible. Most apps on F-Droid are, and they are encouraging it for all devs, to build trust.
…f-droid.org/…/com.github.catfriend1.syncthingfor…