Submitted 1 day ago by SolarPunker@slrpnk.net to selfhosted@lemmy.world
https://f-droid.org/packages/com.github.catfriend1.syncthingfork/
Asking because of the latest issues with the maintainer.
Verbose? What happened?
Years ago, official development of the Android app for Syncthing was abandoned by the official developers. Most Android users migrated to an already existing fork by a GitHub maintainer, catfriend1.
catfriend1 unceremoniously disappeared, with their GitHub repositories being taken over by a new user, researchxxl. This was entirely unannounced and wasn’t really discovered until people with automatic updates enabled on Unobtanium noticed it.
researchxxl is not a known community member and is being very reclusive when interacting with the Syncthing community. Their GitHub account was made specifically for the repository transfer, and their method of handling existing credentials is suspicious, looking no different from a hostile takeover.
At this point in time, they are collaborating with Nexon, a user who worked with catfriend1 to publish Syncthing fork builds to Google Play. Nexon is better known and trusted. If you can trust Nexon, and trust that end users in general are putting more scrutiny on the GitHub source code after this whole situation, you can probably trust the recent releases for now.
Sorry for any details I may have gotten wrong. AFAIK, no one has taken the time to document all the things that have gone down; I would have linked to such a document otherwise. A lot of the discussion on this is happening in separate discussion threads, one of them being researchxxl’s GitHub issue page, from which they are censoring/deleting discussions with (until recently) no oversight.
I don’t use Syncthing (anymore) and didn’t know the story behind this, but one thing I know is that F-Droid builds the APK from source and signs it with their keys, or, if reproducible builds are available, verifies that the signed APK provided by the maintainer matches the source code bit for bit. So even if one doesn’t trust the new maintainer, they should be able to trust F-Droid that the APK matches the source, e.g. that no spyware or malware was added. Sure, someone still needs to review the source, of course.
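To make concrete what “the APK matches the source bit for bit apart from the signature” means in practice, here is an added example (not F-Droid’s own tooling, and not code from anyone in this thread). It compares two APKs entry by entry and ignores only the JAR (v1) signature files under META-INF/, so an upstream-signed APK and a rebuild signed with a different key compare equal unless actual code or resources differ. The sample APKs, their entry names and contents are all constructed inline so the script runs offline; F-Droid’s real verification differs in detail, but the property being checked is the same.

```python
"""Compare two APKs while ignoring signature entries (added example, not F-Droid code)."""
import hashlib
import io
import zipfile

# JAR (v1) signature entries: these legitimately differ between two signers.
# v2/v3 signatures live in the APK Signing Block, which sits between the zip
# entries and the central directory and is not a zip entry, so zipfile never
# sees it and it is ignored here as well.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    """True for entries that are part of the v1 signature rather than the app."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if is_signature_entry(name):
                continue
            digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def differing_entries(apk_a: bytes, apk_b: bytes) -> list:
    """Sorted names of entries that differ, or exist on only one side, ignoring signatures."""
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def content_digest(apk_bytes: bytes) -> str:
    """One SHA-256 over all non-signature entries, stable across re-signing."""
    h = hashlib.sha256()
    for name, digest in sorted(entry_digests(apk_bytes).items()):
        h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()


def build_apk(entries: dict) -> bytes:
    """Constructed helper: pack name -> bytes into a zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def sample_apks():
    """Constructed sample data: an upstream-signed APK, a rebuild of the same
    source signed with a different key, and a rebuild whose code was tampered with."""
    code = {
        "AndroidManifest.xml": b"<manifest package='example.app'/>",
        "classes.dex": b"dex\n035\0constructed dex bytes",
        "resources.arsc": b"\x02\x00\x0c\x00constructed resource table",
    }
    upstream = build_apk({
        **code,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/UPSTREAM.SF": b"Signature-Version: 1.0\n",
        "META-INF/UPSTREAM.RSA": b"constructed upstream signature block",
    })
    rebuild = build_apk({
        **code,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/FDROID.SF": b"Signature-Version: 1.0\n",
        "META-INF/FDROID.RSA": b"constructed rebuild signature block",
    })
    tampered = build_apk({**code, "classes.dex": code["classes.dex"] + b"\nextra payload"})
    return upstream, rebuild, tampered


if __name__ == "__main__":
    upstream, rebuild, tampered = sample_apks()
    print("rebuild matches upstream:", differing_entries(upstream, rebuild) == [])
    print("tampered rebuild differs in:", differing_entries(upstream, tampered))
```

Run it against two real APKs by replacing the constructed samples with `open(path, "rb").read()`; a non-empty list from `differing_entries` is the list of files a reviewer has to explain before trusting the build.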
Unobtanium or obtanium?
In addition to others’ replies there is also this thread and last post offers summary of the situation.
Excellent link, thanks
I understood the repo changed hands in a shady way, with bad communication. Might be fine or not. I would also like to know; I’m not a user but was going to be just when it happened, and I postponed it.
Syncthing dropped the android version and someone forked it.
Given that they set up a new repo from scratch, this is a missed chance to just migrate to codeberg
Alternative if you can live with just the WebUI: Syncthing in Termux
TYSM for the link! I’ll probably switch to this.
Can I use my old exported Syncthing app config with this?
The handoff (if you can call it that) was extremely sketchy, including the “explanation” on the Syncthing forums. Made me switch to Nel0x’s fork of the app.
nel0x’s fork is now archived.
AFAIK nel0x and researchxxl work together on the researchxxl repository now.
Well, 🤬!
I use it without issue.
Maybe it is, but as with any question about whether something contains malware or is compromised, it is not about an individual using it without problems ;).
Maybe? But if you use termux you can install the official Linux package and avoid the fork drama.
Presumably that can’t handle things that the app adds like run conditions for wifi/mobile data though? I realise some may not care about that as much.
I migrated from the Syncthing Fork app to the official Syncthing package in Termux, and it was a breeze. Is there any reason for preferring the app, other than being afraid of CLI?
How does it handle the battery life? Is it run all the time or do you just start it to sync when you need it?
Pika@sh.itjust.works 1 day ago
Personally, it seems like it’s trustworthy again. The previous owner of the repo did eventually admit that they authorized the transfer, but the entire transfer process was extremely sketchy and had no chain of custody or trust. The repository just got deleted, and then a few days later showed up again in a whole blank state under a user with no profile and no contribution history, and it was just a “trust me bro, I knew the original maintainer, look, I have the keys to prove it.”
The maintainer of the Google Play build of it seems to trust them though, and they are established in the community, and they archived their Syncthing builds again in favor of just using one repo, so it’s likely fine.
For future people wondering about it as well, it doesn’t help that the new maintainer of the app has deleted every issue that had to do with the migration, so you can no longer research the issue for yourself. The only information available to you is the discussion chain on the community forums, but any issues they link to were deleted.
Personally though, I plan on keeping my current version pinned to the one prior to the transfer until either I’m forced to update due to bugs or I feel comfortable with the current maintainer again. I’m not sure how long that will be.
For an app that contains very sensitive information, I was not impressed with how the transfer process was carried out.