• CoyoteFacts@piefed.ca · 38 up, 1 down · 13 hours ago

    Absolutely not trusting this. Uninstalling until we know more, and ideally just getting a different solution entirely. A new account tried to impersonate Catfriend1 directly at first, and then they switched to researchxxl when someone called it out (both are new accounts). Meanwhile the original Catfriend1 has provided no information about this, and we only have the new person’s word as to what’s going on. There’s way too many red flags here.

    • Wispy2891@lemmy.world · 7 up · 6 hours ago

      Afaik don’t need to uninstall yet, f-droid won’t automatically get new builds from this repo until the situation is cleared

      • 0_o7@lemmy.dbzer0.com · 3 up · 3 hours ago

        But but my outrage… means I can do stupid things and act smart online.

        I’m uninstalling Android and installing iOS right now.

    • curiousfurbytes@programming.dev · 8 up, 1 down · edited · 9 hours ago

      I’ve done the same. Not trusting something until it can be trusted. Unfortunately it seems there’s no easy alternative apps, so not sure how I’ll handle my usage now

      • Kevin@lemmy.ca · 2 up · 7 hours ago

        Syncthing desktop in termux and handle triggers like battery + wifi via tasker?

  • BackgrndNoize@lemmy.world · 13 up · 18 hours ago

    My policy with open source projects like these is to fork the repo and only bring in upstream updates when I’m certain it’s safe and necessary

    • Serinus@lemmy.world · 14 up · 15 hours ago

      Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.

    • kokomo@lemmy.kokomo.cloud · 3 up · edited · 16 hours ago

      that’s probably what I might do and build apks myself with forgejo. and/or pull in nel0x’s fork instead and build from his code.

  • smeg@infosec.pub · 10 up, 2 down · 13 hours ago

    What’s wrong with original Syncthing? Why would anyone use a fork?

  • ultranaut@lemmy.world · 55 up, 2 down · 18 hours ago

    Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.

    • tychosmoose@lemmy.world · 6 up, 1 down · 14 hours ago

      Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to do list to figure out options. Now it’s at the top of the list, and I’m not doing updates for the time being on Android. That’s almost the entirety of my reliance on syncthing - phone to PC sync. I don’t really need it that much for sync between PCs.

      • midribbon_action@lemmy.blahaj.zone · 1 up · 2 hours ago

        I said this in another thread, but apparently it’s not widely known: syncthing works fine on termux, there is no need to install any third party code. You do need to run termux-setup-storage to get access to the shared storage that other apps can access, and I found it worth it to set up the termux:boot app to run syncthing on phone boot. This way only uses the official syncthing repo.

    • unexposedhazard@discuss.tchncs.de · 61 up, 1 down · edited · 18 hours ago

      > has me reconsidering my use of syncthing

      This is about a third party piece of software that isn’t directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for android, so it definitely needs clearing up.

      • chaospatterns@lemmy.world · 32 up · 14 hours ago

        We’re sort of in this situation because the official project decided not to continue providing an official Android app, yet people want to use it on Android forcing unofficial versions to be created and maintained.

        I get that they don’t want to deal with Google Play anymore, but somebody has to deal with it and them not owning the app is putting users at risk.

        • hersh@literature.cafe · 18 up · 14 hours ago

          > I get that they don’t want to deal with Google Play

          Was that the reason? Shame they didn’t just leave it on F-Droid and GitHub then. Nobody needs to use Google Play (at least not yet…)

          • chaospatterns@lemmy.world · 20 up · 13 hours ago

            https://forum.syncthing.net/t/discontinuing-syncthing-android/23002

            According to this post, it was partly that and lack of maintainers. Given there’s maintainers for a fork, I’m curious why they didn’t bring them into the main project.

            > Reason is a combination of Google making Play publishing something between hard and impossible and no active maintenance. The app saw no significant development for a long time and without Play releases I do no longer see enough benefit and/or have enough motivation to keep up the ongoing maintenance an app requires even without doing much, if any, changes.

      • ultranaut@lemmy.world · 2 up, 1 down · 9 hours ago

        Yes, I only use it via syncthing-fork so this is a distinction without a difference to me.

    • Wispy2891@lemmy.world · 5 up · 6 hours ago

      No.

      In my case I was using syncthing to backup /storage on my phone and turns out there are faster ways to do that

      My alternative:

      1. Ente for photos
      2. Borg via termux for the full /storage backup (including the photos)

    • ueiqkkwhuwjw@lemmy.world (OP) · 2 up · 5 hours ago

      Syncthing in Termux apparently works to some extent. Another option might be Nextcloud? Will def try out some alternatives just in case.

  • spacelord@sh.itjust.works · 69 up · 16 hours ago

    I wouldn’t say it’s only for the extra paranoid, but rather for everyone.

    After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.

    Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.

    Trust is something that must be earned, not given to someone you’ve never seen or heard of before.

  • Great Blue Heron@lemmy.ca · 8 up · 14 hours ago

    I installed mine from F-Droid. I just went there to turn off updates and it doesn’t exist. I have not been paying attention so it may have been gone for ages and not related?

      • Great Blue Heron@lemmy.ca · 6 up · 12 hours ago

        Interesting - mine is syncthing-fork 1.30.0.4. When I go to the App Info page it says “App installed from F-Droid” and when I tap on that button I get a small pop-up that says “No such app found.”

              • Wispy2891@lemmy.world · 2 up · 6 hours ago

                I think everyone misses the upgrade except new installs, how users (including power users) can know that they have to uninstall the old app, potentially lose all the settings, then reinstall and reconfigure?

                • Lfrith@lemmy.ca · 2 up · 6 hours ago

                  I knew because I install through F-droid instead of github so ended up getting like a notice informing me that to upgrade to 2.0 I should back up the settings then uninstall 1.3 then install 2.0 then back up settings.

                  But, if retrieving from github or Obtainium then maybe message wasn’t relayed.

        • Lfrith@lemmy.ca · 2 up · 8 hours ago

          During the update to 2.0 you had to uninstall the 1.3 version then install and restore your syncthing-fork settings. So if you are still on 1.3 that’s probably why you aren’t seeing it. Should pop up if you search F-droid for the 2.0 version.

        • zeca@lemmy.ml · 4 up · 8 hours ago

          The 2.0 update was made into a new package in fdroid, so that you paid close attention to the upgrade, as it could maybe break things.

    • hayalci@fstab.sh · 3 up · 10 hours ago

      Two people communicating one-to-one and starting a new account to solely dedicate to maintaining a pretty public open source project doesn’t sound too fishy, tbh, if everything else checks out. (Catfriend1 confirms the handover, etc.)

      • ook@discuss.tchncs.de · 1 up · 7 hours ago

        Could of course be the same person behind both accounts but at least one of them existed for a while.

  • adr1an@programming.dev · 3 up · 3 hours ago

    For some reason, my version of syncthing-fork is old and source is not even on f-droid anymore. Was there any other before catfriend1? Perhaps I downloaded APK from GitHub… Can’t recall.

  • AmbiguousProps@lemmy.today · 7 up · edited · 4 hours ago

    The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have unsigned apks installed that may or may not contain the changes in the repo.

    This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.

    • pulsewidth@lemmy.world · 2 up · edited · 1 hour ago

      Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo if they have the keys - and throw no complaints when updating to an entirely different apk.

      With F-Droid they at least have to have the same signing keys, and the code must be a replicable build by F-Droid’s internal apk signature copying process - meaning the code for the supplied APK always matches the code on the repository for the build.
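
The signing-key continuity check that the two comments above turn on can be done by hand before installing an APK fetched outside F-Droid. This is an added example, not part of the thread or of any project mentioned in it: it compares the signer certificate SHA-256 digests that `apksigner verify --print-certs` prints for a trusted APK and a candidate update. The digests and sample outputs are constructed placeholders, and `check_update` and its file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: signer-continuity check on `apksigner verify --print-certs` output.

# Print the lower-cased SHA-256 signer digests found on stdin, one per line.
signer_digests() {
    sed -n 's/^Signer .*certificate SHA-256 digest: *\([0-9a-fA-F]\{64\}\) *$/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# Succeed only if both outputs list at least one signer and the sets match.
same_signer() {
    old=$(printf '%s\n' "$1" | signer_digests)
    new=$(printf '%s\n' "$2" | signer_digests)
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" = "$new" ]
}

# Hypothetical wrapper for real files: check_update trusted.apk candidate.apk
check_update() {
    old_out=$(apksigner verify --print-certs "$1") || return 2
    new_out=$(apksigner verify --print-certs "$2") || return 2
    same_signer "$old_out" "$new_out"
}

# Constructed placeholder digests (64 hex chars), not real fingerprints.
D_OLD=$(printf '%064d' 0 | tr 0 a)
D_NEW=$(printf '%064d' 0 | tr 0 b)

# Constructed sample outputs in the layout apksigner prints.
OLD_OUT="Verifies
Signer #1 certificate DN: CN=constructed-original
Signer #1 certificate SHA-256 digest: $D_OLD
Signer #1 certificate SHA-1 digest: 0000"
SAME_OUT="Verifies
Signer #1 certificate SHA-256 digest: $(printf '%s' "$D_OLD" | tr a A)"
REKEYED_OUT="Verifies
Signer #1 certificate SHA-256 digest: $D_NEW"
UNSIGNED_OUT="DOES NOT VERIFY"

for label in SAME_OUT REKEYED_OUT UNSIGNED_OUT; do
    eval "candidate=\$$label"
    if same_signer "$OLD_OUT" "$candidate"; then
        echo "$label: same signing certificate"
    else
        echo "$label: signer changed or missing, do not install"
    fi
done
```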

  • Takios@discuss.tchncs.de · 7 up · 3 hours ago

    Thank you for the notice. This is a really bad look on the project. Thankfully I still have a version from before the takeover installed and disabled auto-updates just in case. Though I suspect f-droid will not accept builds by this person until trust has been established.