Overview here
The new owner of the repo has a fresh GitHub account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
Submitted 4 hours ago by ueiqkkwhuwjw@lemmy.world to selfhosted@lemmy.world
This whole situation has been bizarre and really poorly communicated.
Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.
> has me reconsidering my use of syncthing

This is about a third-party piece of software that isn’t directly related to syncthing.
Some more info here, does not read super fishy, all meant well but happened in a strange way github.com/researchxxl/syncthing-android/…/16#iss…
My policy with open source projects like these is to fork the repo and only bring in upstream updates when I’m certain it’s safe and necessary
Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.
That’s probably what I might do and build APKs myself with Forgejo.
Thank you!
No prob :)
Yup thanks for the heads-up!
spacelord@sh.itjust.works 1 hour ago
I wouldn’t say it’s only for the extra paranoid, but rather for everyone.
After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.
Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.
Trust is something that must be earned, not given to someone you’ve never seen or heard of before.