PSA syncthing-fork has changed owners
from ueiqkkwhuwjw@lemmy.world to selfhosted@lemmy.world on 17 Nov 16:52
https://lemmy.world/post/38929150

Overview here

forum.syncthing.net/t/…/39

The new owner of the repo has a fresh GitHub account and apparently has the signing keys from Catfriend1 too.

Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.

#selfhosted


Serinus@lemmy.world on 17 Nov 17:46

Thank you!

hummingbird@lemmy.world on 17 Nov 21:10

Yup thanks for the heads-up!

ueiqkkwhuwjw@lemmy.world on 17 Nov 21:40

No prob :)

arcterus@piefed.blahaj.zone on 17 Nov 17:48

This whole situation has been bizarre and really poorly communicated.

ultranaut@lemmy.world on 17 Nov 17:53

Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.

unexposedhazard@discuss.tchncs.de on 17 Nov 17:55

has me reconsidering my use of syncthing

This is about a third-party piece of software that isn't directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for Android, so it definitely needs clearing up.

chaospatterns@lemmy.world on 17 Nov 22:32

We’re sort of in this situation because the official project decided not to continue providing an official Android app, yet people want to use it on Android forcing unofficial versions to be created and maintained.

I get that they don’t want to deal with Google Play anymore, but somebody has to deal with it and them not owning the app is putting users at risk.

hersh@literature.cafe on 17 Nov 22:40

I get that they don’t want to deal with Google Play

Was that the reason? Shame they didn’t just leave it on F-Droid and GitHub then. Nobody needs to use Google Play (at least not yet…)

chaospatterns@lemmy.world on 17 Nov 23:06

forum.syncthing.net/t/…/23002

According to this post, it was partly that and lack of maintainers. Given there’s maintainers for a fork, I’m curious why they didn’t bring them into the main project.

Reason is a combination of Google making Play publishing something between hard and impossible and no active maintenance. The app saw no significant development for a long time and without Play releases I do no longer see enough benefit and/or have enough motivation to keep up the ongoing maintenance an app requires even without doing much, if any, changes.

ultranaut@lemmy.world on 18 Nov 02:51

Yes, I only use it via syncthing-fork so this is a distinction without a difference to me.

tychosmoose@lemmy.world on 17 Nov 22:36

Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to do list to figure out options. Now it’s at the top of the list, and I’m not doing updates for the time being on Android. That’s almost the entirety of my reliance on syncthing - phone to PC sync. I don’t really need it that much for sync between PCs.

BackgrndNoize@lemmy.world on 17 Nov 18:25

My policy with open source projects like these is to fork the repo and only bring in upstream updates when I'm certain it's safe and necessary.

kokomo@lemmy.kokomo.cloud on 17 Nov 19:49

That's probably what I might do, and build APKs myself with Forgejo. And/or pull in nel0x's fork instead and build from his code.

Serinus@lemmy.world on 17 Nov 21:18

Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.

ook@discuss.tchncs.de on 17 Nov 19:05

Some more info here; it does not read super fishy, all meant well but happened in a strange way: github.com/researchxxl/syncthing-android/…/16#iss…

hayalci@fstab.sh on 18 Nov 02:24

Two people communicating one-to-one and starting a new account to solely dedicate to maintaining a pretty public open source project doesn’t sound too fishy, tbh, if everything else checks out. (Catfriend1 confirms the handover, etc.)

spacelord@sh.itjust.works on 17 Nov 20:34

I wouldn’t say it’s only for the extra paranoid, but rather for everyone.

After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.

Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.

Trust is something that must be earned, not given to someone you’ve never seen or heard of before.

GreatBlueHeron@lemmy.ca on 17 Nov 21:46

I installed mine from F-Droid. I just went there to turn off updates and it doesn’t exist. I have not been paying attention so it may have been gone for ages and not related?

wax@feddit.nu on 17 Nov 22:19

Perhaps you had the pre-fork android app?

Sir_Kevin@lemmy.dbzer0.com on 17 Nov 22:36

I’m still seeing it here?

f-droid.org/…/com.github.catfriend1.syncthingfork

GreatBlueHeron@lemmy.ca on 18 Nov 00:36

Interesting - mine is syncthing-fork 1.30.0.4. When I go to the App Info page it says “App installed from F-Droid” and when I tap on that button I get a small pop-up that says “No such app found.”

xylene@sh.itjust.works on 18 Nov 01:16

Same exact scenario here. Hmm

Kernal64@sh.itjust.works on 18 Nov 03:44

Add me to the list with this exact issue.

Lfrith@lemmy.ca on 18 Nov 04:12

During the update to 2.0 you had to uninstall the 1.3 version, then install and restore your syncthing-fork settings. So if you are still on 1.3 that's probably why you aren't seeing it. Should pop up if you search F-Droid for the 2.0 version.

zeca@lemmy.ml on 18 Nov 04:20

The 2.0 update was made into a new package in fdroid, so that you paid close attention to the upgrade, as it could maybe break things.

[deleted] on 17 Nov 22:01

.

CoyoteFacts@piefed.ca on 17 Nov 23:05

Absolutely not trusting this. Uninstalling until we know more, and ideally just getting a different solution entirely. A new account tried to impersonate Catfriend1 directly at first, and then they switched to researchxxl when someone called it out (both are new accounts). Meanwhile the original Catfriend1 has provided no information about this, and we only have the new person's word as to what's going on. There are way too many red flags here.

curiousfurbytes@programming.dev on 18 Nov 03:23

I’ve done the same. Not trusting something until it can be trusted. Unfortunately it seems there’s no easy alternative apps, so not sure how I’ll handle my usage now

smeg@infosec.pub on 17 Nov 23:36

What’s wrong with original Syncthing? Why would anyone use a fork?

nekusoul@lemmy.nekusoul.de on 17 Nov 23:43

First up, this fork is specifically about the Android client, not any other ones.

The fork of that always had some nice mobile battery saving features added, but more importantly, the original version has been discontinued.

Kirk@startrek.website on 18 Nov 00:18

Lemmchen@feddit.org on 18 Nov 03:19

What’s the last “safe” version on F-Droid? 2.0.11.2?

Pika@sh.itjust.works on 18 Nov 03:20

This entire thing has made me really rethink whether I want to swap to the new repo or not.

Why was there no communication about it? The gplay repo maintainer wasn't informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.

Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.

I’m also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.

I also just noticed that it looks like they removed the entire public key for it, which, if they had the original private keys, shouldn't be an issue when using the existing public keys, right?

tgxn@lemmy.tgxn.net on 18 Nov 03:55

It’s likely because the app will no longer be distributed on Google. They likely removed the Google play signing keys and configuration, which is completely fine. I’ll have a look over their changes when I get home, but I doubt it’s anything nefarious.

I also ditched this stuff when Google decided to start asking for my drivers license and will no longer distribute my apps within their closed marketplace.
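The question Pika raises above (did the signing key actually stay the same after the handover?) and the look over the changes that tgxn says he will do can be turned into a mechanical check on the released APK rather than on the repo. The following is an added example, not code from the syncthing-fork or Syncthing projects: it locates the APK Signing Block, pulls out each v2 signer's certificate and compares its SHA-256 fingerprint with one pinned from a build you installed before the handover. The sample APK it builds and the certificate bytes inside it are constructed stand-ins, and the function names are this example's own. It checks key identity only and deliberately does not verify the signature, so it is a companion to, not a replacement for, `apksigner verify`.

```python
"""Pin-check the signing certificate of an Android APK (added example).

Parses the APK Signing Block (the structure between the zip entries and the
central directory), extracts the certificate of every APK Signature Scheme v2
signer and compares its SHA-256 fingerprint, the value that
`apksigner verify --print-certs` reports, against a pinned fingerprint.
Demo APK and certificate bytes below are constructed, not real.
"""
import hashlib
import io
import struct
import zipfile
from typing import List, Optional

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A        # ID of the v2 signature pair inside the block
EOCD_MAGIC = b"PK\x05\x06"      # zip End of Central Directory record


def _u32(buf: bytes, pos: int) -> int:
    return struct.unpack_from("<I", buf, pos)[0]


def _len_prefixed(buf: bytes, pos: int):
    """Read one uint32-length-prefixed blob at pos; return (blob, next_pos)."""
    n = _u32(buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _items(seq: bytes):
    """Iterate a sequence of length-prefixed items."""
    pos = 0
    while pos < len(seq):
        item, pos = _len_prefixed(seq, pos)
        yield item


def _central_dir_offset(apk: bytes) -> int:
    # EOCD is 22 bytes plus an optional trailing comment of up to 65535 bytes.
    eocd = apk.rfind(EOCD_MAGIC, max(0, len(apk) - 22 - 65535))
    if eocd < 0:
        raise ValueError("no End of Central Directory record: not a zip/APK")
    return _u32(apk, eocd + 16)


def v2_signing_certs(apk: bytes) -> List[bytes]:
    """DER bytes of the signing certificate of every v2 signer; fails closed."""
    cd = _central_dir_offset(apk)
    # The block ends, right before the central directory, with
    # uint64 size_of_block (same value as at its start) | 16-byte magic.
    if cd < 24 or apk[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block: v1-only (jarsigner) or unsigned")
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs = apk[start + 8:cd - 24]          # uint64 length | uint32 id | value ...
    certs: List[bytes] = []
    pos = 0
    while pos < len(pairs):
        pair_len = struct.unpack_from("<Q", pairs, pos)[0]
        pos += 8
        block_id, value = _u32(pairs, pos), pairs[pos + 4:pos + pair_len]
        pos += pair_len
        if block_id != V2_BLOCK_ID:
            continue                        # v3, padding and other IDs: not handled here
        signers, _ = _len_prefixed(value, 0)
        for signer in _items(signers):
            signed_data, _ = _len_prefixed(signer, 0)
            _digests, p = _len_prefixed(signed_data, 0)
            chain = list(_items(_len_prefixed(signed_data, p)[0]))
            if not chain:
                raise ValueError("v2 signer carries no certificate")
            certs.append(chain[0])          # first cert is the signing key's
    if not certs:
        raise ValueError("APK Signing Block has no v2 signer")
    return certs


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, hex, as apksigner prints it."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk: bytes) -> List[str]:
    return [fingerprint(c) for c in v2_signing_certs(apk)]


def signed_by_pinned_key(apk: bytes, pinned_sha256: str) -> bool:
    """True only if every v2 signer uses the pinned certificate; an unsigned
    or unparsable APK is a failure, never a pass."""
    try:
        fps = set(signer_fingerprints(apk))
    except ValueError:
        return False
    return fps == {pinned_sha256.replace(":", "").lower()}


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_demo_apk(cert_der: Optional[bytes]) -> bytes:
    """Constructed input: a one-entry zip plus, if cert_der is given, a v2
    signing block around that certificate.  Digest, signature and public-key
    fields are zero-filled dummies, since this check pins the key and does
    not verify the signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    plain = buf.getvalue()
    if cert_der is None:
        return plain
    algo = struct.pack("<I", 0x0103)        # RSASSA-PKCS1-v1_5 with SHA-256
    signed_data = _lp(_lp(algo + _lp(b"\0" * 32))) + _lp(_lp(cert_der)) + _lp(b"")
    signer = _lp(signed_data) + _lp(_lp(algo + _lp(b"\0" * 256))) + _lp(b"\0" * 16)
    value = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd = _central_dir_offset(plain)
    apk = bytearray(plain[:cd] + block + plain[cd:])
    struct.pack_into("<I", apk, apk.rfind(EOCD_MAGIC) + 16, cd + len(block))
    return bytes(apk)


# Constructed stand-ins for the trusted release's certificate and another key's.
TRUSTED_CERT = b"demo-cert-der-of-the-release-you-already-trust"
OTHER_CERT = b"demo-cert-der-of-a-different-key"

if __name__ == "__main__":
    pin = fingerprint(TRUSTED_CERT)
    print("pinned   ", pin)
    print("same key ", signed_by_pinned_key(build_demo_apk(TRUSTED_CERT), pin))
    print("other key", signed_by_pinned_key(build_demo_apk(OTHER_CERT), pin))
    print("unsigned ", signed_by_pinned_key(build_demo_apk(None), pin))
```

To obtain the pin, run `apksigner verify --print-certs` on an APK from before the handover, for example the one already on the phone (`adb shell pm path com.github.catfriend1.syncthingfork`, then `adb pull` that path), and take the "Signer #1 certificate SHA-256 digest" line. A mismatch on the next GitHub or F-Droid release means a different key, which is a far stronger signal than a removed checksum file; an APK that carries only a v1 (jarsigner) signature has no signing block and is reported as unverified here rather than silently accepted.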

Zwuzelmaus@feddit.org on 18 Nov 03:36

I had intended to try it out, but now uninstalled for… just in case.

Some kind guru please watch the source for unwanted effects.

captain_aggravated@sh.itjust.works on 18 Nov 04:05

Dammit, I like Syncthing. Does kdeconnect do a decent job at syncing files?