selfhosting.couchsurfing (@[email protected])
mastodon.pirateparty.be
the #Syncthing Android drama is exploding. https://github.com/researchxxl/syncthing-android/issues/16

@[email protected] at this point is being used to push out an app with sensitive permissions that's been taken over by an unknown individual who refuses to engage with its large community of users and developers.

I STRONGLY recommend disabling updates from Fdroid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version which has a different maintainer.

this is extremely shady and it's just looking worse as time goes on. I'll link to the Syncthing forum thread from about where I left off last time in a subsequent post. #SyncthingFork #SyncthingAndroid

Eager Eagle

TL;DR: the original fork of Syncthing under the GitHub user Catfriend1 vanished without any clarifications from them to the community. Recently, another GitHub user researchxxl acquired the release keys and published a new version v2.0.12.1:

Shortly after the repo was moved to a brand new account ‘researchxxl’ who was not able to properly explain how or why the repo was handed over to them nor why the original maintainer handed over the release key to them. Or why the original maintainer did not bother communicating this to the community in advance.

The new version v2.0.12.1 under researchxxl seems to be free of malicious code, and the repo has reproducible builds.

Since the whole situation is a bit sketchy, some are advocating for the F-droid account to be locked and any release after v2.0.11.2 to be purged.

Update: it seems that as of a few hours ago, Catfriend1 broke the silence and confirmed the transfer to researchxxl:

Therefore, I did hand over all my stuff to my inheritant @researchxxl including the com.github.catfriend1* apps, digital signing material and wish them the best to fulfill the mission of carrying on the Syncthing-Fork app. :woman_technologist: We have met in online gaming and developing modding code together for a level that tells the story of a research station attacked by some alien-like monsters. Two players do have to cooperate on fixing electrical devices, a low power emitting nuclear reactor and avoiding a bath in acid. If you stumble upon the game, say hello to us during our test sessions. :slightly_smiling_face:

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/165

Pika

as an addendum to this comment edit, catfriend edited the post linked and added this to the end

Edit: Regarding @nel0x, they did not have any history with the Syncthing (Android) project nor an expressive public profile when they applied to take over the Google Play Store entry in Feb 2025. I accepted this and transferred, believing in good will, and we agreed on their task to be publishing what was on my repository to Google Play after their review. If they now desire to make their own app, there is, unfortunately, no way to clean up the confusion caused if it is called the same other than kindly asking them to rename it.

phonics

The second half of Catfriend's response is so…strange. Like there is a code in there somehow. Like when captive soldiers blink morse code to signal they're in danger on a terrorist video. That's how it feels to me anyway.

Lka1988

Or they’re just autistic and not good at communication.

Shit happens, and while the initial transfer was sketchy, everything I read from the new maintainer appeared to be in good faith.

@[email protected]

I don’t agree. The issue linked in the post and also this one have shown the new maintainer to be antagonistic and evasive.

Lka1988

Ok, I poked through that thread and a few other linked threads…

Big yikes. It definitely took a turn downhill. And posting what is essentially a “cease and desist” on nel0x’s repo over the name without actually trying to do things properly.

I’ll start using nel0x’s fork instead once he starts putting up non-gplay builds.

bonenode

Just want to add that suggesting to install the Google Play version instead because the poster (on mastodon) doesn’t trust the fdroid version anymore, is hilarious.

The Google Play version is maintained by someone who cooperates with the new fdroid syncthing-fork maintainer. There’s lots of github posts showing that. The fuck are you (the account on mastodon) suggesting that the fdroid version is not safe, but the Google Play version is? It is also way harder to not accidentally update the Google Play version.

Sorry, I won’t deny that the whole taking over the account thing has been super sketchy in terms of communication, but that is it. If you are uncertain, block fdroid updates for now, which is very easy, and wait to see what happens.

Edited to make it clear I am not flaming the OP here on Lemmy, I don’t agree with what the mastodon account says.

@[email protected] (creator)

I don’t use syncthing but posted that tweet because it seemed of potential relevance to the rest of the community.

bonenode

Sorry, maybe it wasn’t clear but when I wrote “the poster” I didn’t mean you, but the mastodon account you have linked. I debated myself how to write this the best way without having to elaborate but I guess that failed.

@[email protected]

This researchxxl person then also released a new version, Syncthing-Lite, on fdroid.

I’m so confused by this situation. Updates to syncthing-fork have been disabled. Doesn’t seem trustworthy at the moment.

@[email protected]

I’m so confused. I don’t know what to do or who to trust for this. I wonder if I should uninstall Syncthing until this all blows over.

I am on version 2.0.10.1, that I’m pretty sure I got from Obtainium. It’s no longer in my list of installed apps on Obtainium so I can’t be sure I suppose.

@[email protected] (creator)

I thought syncthing had fallen out of favor some years ago. I have nextcloud but I don’t currently use automatic sync so I can’t compare them.

@[email protected]

I was not aware of any falling out years ago. Nextcloud and syncthing are definitely for different applications though

@[email protected]

I would recommend pausing updates or trying another solution.

You can run syncthing in termux and autostart it with termux:boot, which seems to work pretty well.

If you have the scripting skills you can also do more advanced stuff like using termux:api to run it when charging only.

@[email protected]

I guess I’ll pause updates for now. Not sure if I want to learn termux at the moment.

qyron

The app being SyncThing, if I correctly understand.

But there is a suspicion that the FDroid app is under control by a malicious agent?

@[email protected]

Yes. The relevant points are that Catfriend’s repo was fully reset, no git history, multiple times this year, supposedly because of sensitive data that was mistakenly checked in. If that’s the case, it might explain why shortly before Catfriend deleted his repo, he created an issue saying something along the lines of ‘stop messing with my desktop’, which could be read as a plea to hackers. The repo went dark, and someone else published it, with Catfriend’s private signing key, which triggered automatic updates for some users, without them knowing the maintainer changed. They also claim to have Catfriend’s github credentials. After staying quiet for a month, Catfriend recently posted on the syncthing forum saying that everything is dandy with the new maintainer, without addressing major concerns. Meanwhile, the new maintainer has made large changes to the codebase without public comments. The last two updates from the new maintainer have been reviewed independently, and reproducible builds are enabled to ensure the apk matches the sources. However, that is assuming that Catfriend’s repo was safe to begin with. In the case of ongoing blackmail, malicious code could have been added during one of the repository resets, or in a large refactor commit.

The sad part is that Catfriend picked up this repo after Syncthing deprecated it, just for his friends and family. I don’t think he is a professional developer, and he very obviously was overwhelmed by the project. Syncthing is a very juicy target for malicious state actors, and trust is crucial. I feel awful to say that I no longer trust Catfriend or his replacement, but the circumstances don’t inspire confidence.
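The reproducible-build check the comment above relies on ("reproducible builds are enabled to ensure the apk matches the sources") can be done by hand, and it is worth seeing exactly what it does and does not prove. The script below is an added example, not code from Syncthing-Fork, F-Droid, or anyone in this thread: it compares a published APK with a locally rebuilt one entry by entry and ignores only the JAR (v1) signature files under META-INF/, since those are the one part a signed release legitimately differs in. The two APKs are constructed in memory as placeholder zip files; the entry names and contents are made up for the demonstration.

```python
"""Compare a published APK with a local rebuild, ignoring only the signature files.

Added example for the thread above; not code from Syncthing-Fork or F-Droid.
The "APKs" are constructed in memory so the script runs offline.
"""
import hashlib
import io
import zipfile

# JAR (v1) signature files live under META-INF/. Everything else, including
# AndroidManifest.xml, classes.dex and resources, must match byte for byte
# between a reproducible rebuild and the published, signed APK.
SIGNATURE_EXTS = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name):
    """True for the META-INF entries that a signing step adds or rewrites."""
    if not name.startswith("META-INF/"):
        return False
    return name.upper().endswith(SIGNATURE_EXTS) or name in SIGNATURE_NAMES


def entry_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed content, skipping signature files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info.filename)).hexdigest()
    return digests


def compare_apks(published, rebuilt):
    """Return the entries that differ between the two APKs (empty lists if none)."""
    a = entry_digests(published)
    b = entry_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def is_reproducible(published, rebuilt):
    """True when nothing but the signature files differs."""
    return not any(compare_apks(published, rebuilt).values())


def build_apk(entries):
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content; the package name and version are placeholders.
RELEASE_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='com.example.syncfork' versionName='2.0.12.1'/>",
    "classes.dex": b"dex\n035\x00fake-dex-for-demo",
    "res/values/strings.xml": b"<resources/>",
}

# The published release: same content plus v1 signature files (placeholder bytes).
PUBLISHED_APK = build_apk({
    **RELEASE_CONTENT,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82placeholder-pkcs7",
})
# An unsigned local rebuild of the same sources.
REBUILT_APK = build_apk(RELEASE_CONTENT)
# A rebuild from a tree with extra code in it: the comparison must flag classes.dex.
TAMPERED_APK = build_apk({**RELEASE_CONTENT, "classes.dex": b"dex\n035\x00fake-dex-with-extra-code"})

if __name__ == "__main__":
    print("published vs rebuilt :", compare_apks(PUBLISHED_APK, REBUILT_APK))
    print("published vs tampered:", compare_apks(PUBLISHED_APK, TAMPERED_APK))
```

For real files, pass `open(path, "rb").read()` for both sides. Two caveats follow directly from the comment. The v2/v3 APK signing block sits outside the zip entries, so this comparison ignores it automatically, but nothing here verifies a signature at all; `apksigner verify --print-certs` does that, and in this case the signature is uninformative anyway, because the same key signed both the old and the new maintainer's releases. And a clean comparison only shows that the APK was built from the published tree; a malicious commit slipped into a history-reset repository or a large refactor would reproduce perfectly.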

bonenode

It is not Syncthing. It is Syncthing-fork for Android, which was specifically forked from Syncthing for Android to improve over it.

The real Syncthing team then some time ago decided to discontinue their Syncthing for Android app, not the other versions! Then Syncthing-fork became the only way to connect to Syncthing on Android (aside from running the original Syncthing via something like Termux).

Just want to be clear on this. Syncthing is not compromised in any way. Syncthing-fork for Android might be, might be not.

@[email protected]

From my understanding the project Syncthing-fork changed owners. The original owner's GitHub repo went down, and no announcement that it was changing hands. So it comes off as shady. But I may be missing some things here.

qyron

Okay, that plays as odd but how does it connect to the entire FDroid being under suspicion?

@[email protected]

Not the entirety of F-Droid being suspect, but the package available in the default repo on F-Droid is being updated by this dodgy person while the other versions are not. If they are uploading malware or making dodgy changes anyone who previously installed Syncthing-Fork could get this new version from the dodgy dev without notification.

@[email protected]

If you open the versions drop down in F-Droid it has a ‘suggested’ tag next to the 2.0.12.1 version, so they’re aware of the issue, I’m not sure if that means if you just click install that’s what you get as I pinned it there when this all started and don’t want to uninstall reinstall just for this post, but I’m guessing it’ll just install the non suss version.

Lka1988

No, it’s not Syncthing itself. That’s owned and maintained by a completely different team. This is regarding Syncthing-Fork, which packages Syncthing into a neat Android app.

@[email protected]

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/160

Not sure i would call this drama, but I’m still confused.

I’m on version v1.30.0.2 of Syncthing-Fork from f-droid and i have disabled updates for now. I need a reliable source and preferably no battery issues.

@[email protected]

… This is somehow going to be a ridiculously strong argument for requiring signed deploys because users are idiots, huh?

Ghoelian

What do you mean by signed deploys? The APK is already signed, and this new person got the signing keys. I’m not sure any additional signing would have helped.

@[email protected]

Stealing another comment’s update (thanks @[email protected]), because catfriend1 explicitly says the new maintainer researchxxl was willingly given the key material, which is how the update was pushed in the first place:

Update: it seems that as of a few hours ago, Catfriend1 broke the silence and confirmed the transfer to researchxxl:

Therefore, I did hand over all my stuff to my inheritant @researchxxl including the com.github.catfriend1* apps, digital signing material and wish them the best to fulfill the mission of carrying on the Syncthing-Fork app. :woman_technologist: We have met in online gaming and developing modding code together for a level that tells the story of a research station attacked by some alien-like monsters. Two players do have to cooperate on fixing electrical devices, a low power emitting nuclear reactor and avoiding a bath in acid. If you stumble upon the game, say hello to us during our test sessions. :slightly_smiling_face:

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/165
