Overview here
The new owner of the repo has a fresh github account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
You must log in or register to comment.
I installed mine from F-Droid. I just went there to turn off updates and it doesn’t exist. I have not been paying attention so it may have been gone for ages and not related?
I wouldn’t say it’s only for the extra paranoid, but rather for everyone.
After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I’m familiar/experienced with.
Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.
Trust is something that must be earned, not given to someone you’ve never seen or heard of before.
This whole situation has been bizarre and really poorly communicated.
Some more info here, does not read super fishy, all meant well but happened in a strange way https://github.com/researchxxl/syncthing-android/issues/16#issuecomment-3542202530
Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.
has me reconsidering my use of syncthing
This is about a third party piece of software that isnt directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for android, so it definitely needs clearing up.
My policy with open source projects like these is to fork the repo and only bring in upstream updates when I’m certain it’s safe and necessary
Which is just as risky as instantly updating unless you’re really closely keeping an eye on which updates are security related.
that’s probably what I might do and build apks myself with forgejo. and/or pull in nel0x’s fork instead and build from his code.
Thank you!
No prob :)
Yup thanks for the heads-up!
