
Asking because of the latest issues with the maintainer.

[-] Pika@sh.itjust.works 9 points 2 months ago* (last edited 2 months ago)

Personally, it seems like it's trustworthy again. The previous owner of the repo did eventually admit that they authorized the transfer, but the entire transfer process was extremely sketchy and had no chain of custody or trust. It was just: the repository got deleted, and then a few days later showed up in a whole blank state again under a user with no profile and no contribution history, and it was just a "trust me bro, I knew the original maintainer, look, I have the keys to prove it."

The maintainer of the Google Play build of it seems to trust them though, and they are established in the community, plus they archived their Syncthing builds again in favor of just using one repo, so it's likely fine.

For future people wondering about it as well, it doesn't help that the new maintainer of the app has deleted every issue that had to do with the migration, so you can no longer research the issue for yourself. The only information you have available to you is the discussion chain listed on the community forums, but any issue that they link to was deleted.

Personally though, I plan on keeping my current version pinned to prior to the transfer until either I'm forced to update due to bugs or I feel comfortable with the current maintainer again. I'm not sure how long that will be.

For an app that contains very sensitive information, I was not impressed with how the transfer process went.

[-] Lemmchen@feddit.org 2 points 2 months ago* (last edited 2 months ago)

Alternative if you can live with just the WebUI: SyncThing in Termux

[-] IratePirate@feddit.org 1 points 2 months ago

TYSM for the link! I'll probably switch to this.

[-] probable_possum@leminal.space 1 points 2 months ago* (last edited 2 months ago)

Verbose please? What happened?

E: thank you all. Especially lambdaRX' hint to a summary (comment 234 by GrabbenD) helped me.

[-] greencoil@lemmy.frozeninferno.xyz 4 points 2 months ago* (last edited 2 months ago)

Years ago, official development of an Android app for Syncthing was abandoned by the official developers. Most Android users migrated to an already existing fork by a GitHub maintainer, catfriend1.

Catfriend1 unceremoniously disappeared, with their GitHub repositories being taken over by a new user, researchxxl. This was entirely unannounced and wasn't really discovered until people with automatic updates enabled on *Obtainium noticed it.

researchxxl is not a known community member, and is being very reclusive when interacting with the Syncthing community. Their GitHub account was made specifically for the repository transfer, and their method of handling existing credentials is suspicious, looking no different than a hostile takeover.

At this point in time, they are collaborating with Nexon, a user who worked with catfriend to publish syncthing fork builds to Google Play. They are more well known and trusted. If you can trust Nexon, and trust that end users in general are putting more scrutiny on the github source code after this whole situation, you can probably trust the recent releases for now.

Sorry for any details I may have gotten wrong. AFAIK, no one has taken the time to document all the things that have gone down. I would have linked to such a document otherwise. A lot of the discussion on this is happening in separate discussion threads, one of them being researchxxl's GitHub issue page, which they are censoring/deleting discussions from with (until recently) no oversight.

*Edit: this is also a poor summary. There is a lot of additional context that I don't feel comfortable trying to encompass. Like why the official syncthing developers stopped their official android app, or catfriend1's forum account coming back for a short time to try to explain their side of the story. Frankly, for how many people are using syncthing, I don't think this story is getting enough attention.

[-] ilmagico@lemmy.world 1 points 2 months ago

I don't use Syncthing (anymore) and didn't know the story behind this, but one thing I know is that F-Droid builds the APK from source and signs it with their keys, or, if reproducible builds are available, it verifies that the signed APK provided by the maintainer matches the source code bit-for-bit. So even if one doesn't trust the new maintainer, they should at least be able to trust F-Droid that the APK matches the source, so e.g. no spyware or malware was added. Sure, someone still needs to review the source, of course.

[-] greencoil@lemmy.frozeninferno.xyz 3 points 2 months ago

That's part of the problem though. Supposedly catfriend1 gave researchxxl their signing keys, and researchxxl used these on their new GitHub account. No one was aware that catfriend1 was not maintaining the repo anymore until users saw unexpected/unannounced updates and looked into the matter. This sparked a short-lived discussion on the F-Droid forums about what should be done when maintainer transfers are handled poorly like this. F-Droid admins decided that it wasn't that big of an issue, which is problematic... this supposedly happened between two people meeting each other online and discussing it with each other. But it's possible that catfriend1 is being blackmailed or otherwise coerced into handing off this data. This type of credential attack could happen with a compromised machine, without the victim ever realizing it in time. The fact that F-Droid treats this so casually is upsetting. Signed developer certificates protect you from MITM attacks; they do not protect you from the sources themselves being compromised.

[-] ilmagico@lemmy.world 1 points 2 months ago

Yes, I understand the situation is shady and F-Droid maybe didn't handle it the best way on a human level, and that is important when evaluating trustworthiness.

What I was focusing on was more the technical side. As long as I can:

  • trust F-Droid to actually build from source and only publish something guaranteed to match the source, and
  • read the source code myself, or trust an independent researcher to study it, and confirm there's no malware,

then I don't need to trust the maintainer of the project at all, and I can ignore all the drama, being assured with a high degree of certainty that there is no malware.

I can also ignore any drama involving F-Droid as long as I still trust them to build from source. This can also be verified by independent researchers by building it themselves and comparing, once again filtering out the drama and noise, though most people probably won't go this far.
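The reproducible-build check ilmagico describes (rebuild from source, then confirm the developer-signed APK matches it bit-for-bit apart from the signature) can be modelled in a few lines. This is an added example, not code from the thread or from F-Droid's own tooling; it assumes v1/JAR-style signature files under `META-INF/` and uses constructed in-memory zips in place of real APKs.

```python
import hashlib
import io
import zipfile

# Entries an APK signer adds or rewrites. An independent rebuild is unsigned,
# so these are skipped when comparing it with the developer-signed APK.
# (Assumption: v1 JAR signing; a v2/v3 APK Signing Block sits outside the zip
# entries and is therefore invisible to this entry-by-entry comparison.)
SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)

def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(signed_apk: bytes, rebuilt_apk: bytes) -> list:
    """Differences between the signed APK and the rebuild; [] means they match
    bit-for-bit outside the signature files, i.e. the binary came from the source."""
    a, b = content_digests(signed_apk), content_digests(rebuilt_apk)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            problems.append(f"only in signed APK: {name}")
        elif name not in a:
            problems.append(f"only in rebuild: {name}")
        elif a[name] != b[name]:
            problems.append(f"content differs: {name}")
    return problems

def make_apk(entries: dict) -> bytes:
    """Constructed minimal zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed inputs: unsigned rebuild, a matching signed APK, and a signed APK
# whose code does not correspond to the published source.
APP = {"classes.dex": b"dex\n035\x00" + b"A" * 64, "AndroidManifest.xml": b"<manifest/>"}
REBUILT = make_apk(APP)
SIGNED_OK = make_apk({**APP, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                      "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"rsa"})
SIGNED_TAMPERED = make_apk({**APP, "classes.dex": b"dex\n035\x00" + b"B" * 64,
                            "META-INF/CERT.RSA": b"rsa"})
```

A valid signature on `SIGNED_TAMPERED` would not save you, which is greencoil's point: the key proves who signed, not that the source was honest, and only the rebuild comparison catches the divergence.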

[-] IratePirate@feddit.org 0 points 2 months ago

The handoff (if you can call it that) was extremely sketchy, including the "explanation" on the Syncthing forums. Made me switch to Nel0x's fork of the app.

[-] paperd@lemmy.zip 0 points 2 months ago

nel0x's fork is now archived.

[-] Lemmchen@feddit.org 1 points 2 months ago

AFAIK nel0x and researchxxl work together on the researchxxl repository now.

[-] tychosmoose@lemmy.world 0 points 2 months ago

Do they? I don't see any nel0x PRs. I moved away from it out of an abundance of caution.

[-] ToTheGraveMyLove@sh.itjust.works 1 points 2 months ago

nel0x commented on that Syncthing thread.

this post was submitted on 07 Feb 2026