@fdroidorg at this point is being used to push out an app with sensitive permissions that’s been taken over by an unknown individual who refuses to engage with its large community of users and developers.

I STRONGLY recommend disabling updates from Fdroid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version which has a different maintainer.

This is extremely shady and it’s just looking worse as time goes on. I’ll link to the Syncthing forum thread from about where I left off last time in a subsequent post.

  • breakingcups@lemmy.world
    50 up, 3 down · edited · 15 hours ago

    I understand and empathize with F-Droid’s position in this. An account and key handover took place. It would be a dangerous precedent for F-Droid to unilaterally take the app down without any proof of anything nefarious based on something as nebulous as community rumblings, with no way to verify any of the ill motives ascribed to the actions of the original and new maintainer.

    • Eager Eagle@lemmy.world
      8 up · 14 hours ago

      and now that the handover was confirmed, it’s unlikely they’ll do anything without hard evidence of malicious intent

    • skuzz@discuss.tchncs.de
      1 up · 3 hours ago

      If only tech companies weren’t assholes and actually developed desired features instead of the shit they have wasted our time with…

    • Ephera@lemmy.ml
      4 up · 9 hours ago

      Yeah, I’ve considered setting up a scrappy rsync solution, because Syncthing felt like overkill for that use-case and like it might stop working one day.

      There’s the Syncopoli app on F-Droid, which hasn’t been updated in three years, but it seems to just be a thin wrapper around rsync, which has been stable for decades, so I still kind of trust it more to continue working. Or at the very least, if I need to fix something or update the app myself, I feel like I’ll be able to do it.

    • toynbee@lemmy.world
      1 up, 1 down · 8 hours ago

      I’ve not used it myself, but I’ve heard good things about KDE Connect, which supposedly can do this and has no controversy of which I’m aware. (It does not require KDE, apparently.)

  • Auster@thebrainbin.org
    22 up · 15 hours ago

    In case someone wants to read the whole context given, just a warning, the first two links are pretty lengthy before getting to the point, and the third opens synthetizing it.

      • khorovodoved@lemmy.zip
        20 up · 15 hours ago

        Well, Jia Tan waited several years before pushing malicious code. How can we know it is not the same person?

        • Kami@lemmy.dbzer0.com
          19 up · 15 hours ago

          Better safe than sorry.

          Also, from what I just read, he seems to be playing dumb in some of his answers, while also repeatedly ignoring important questions and closing the issue because “too heated”.

          In one issue (from 3 days ago) he also asks, kinda angry, if people want to see the chat he had with the previous maintainer before receiving ownership of the repo, but in the next comments he says he didn’t save that chat as screenshots.

          Like… WUT??

          I started reading thinking it was just people being too cautious, but now I’m sure the guy is full of shit and I would expect the worst to have happened here, honestly.

          • Lfrith@lemmy.ca
            1 up · 5 hours ago

            Even when well meaning sometimes malicious code can slip through like with smarttubenext due to a compromised machine.

            So I think people forget that just because something is foss doesn’t mean it is automatically safe and caution can be thrown to the wind. Skepticism and being overcautious is still good practice before installing things.

            I like to wait a while before installing new updates just to see if anything is caught by the community to try to reduce potential risk.

        • James R Kirk@startrek.website
          5 up, 1 down · 14 hours ago

          It always is. The thing with FOSS vs a private company is that internal debates are:

          1. Public
          2. Involving people working for free

          Meaning we not only see the ““drama””, but that it can become more verbally intense. Buuuuut it almost never ends up mattering much to the average user, and when it does, the public certainly won’t learn about it on github or the replies to a toot.

  • TrickDacy@lemmy.world
    5 up, 1 down · 13 hours ago

    TIL I’m using an old version on my phone that maybe isn’t in the play store anymore.

    version 1.27.3
    com.nutomic.syncthingandroid
    
  • Know_not_Scotty_does@lemmy.world
    4 up · edited · 14 hours ago

    I have not updated past the v1.30 version because I didn’t want to mess with potential issues on my server side. Given all this, is there any reason to update to the 2.0.11.2 version?

  • sabreW4K3@lazysoci.al
    11 up, 14 down · 15 hours ago

    Projects change hands all the time. If someone wants to use a fork, do that. The entitlement here is fucking wild.

    • masterspace@lemmy.ca
      16 up, 2 down · edited · 12 hours ago

      Bruh what the fuck are you talking about?

      You think that a user being upset when they give an app full filesystem access to their phone, and then having that app be handed over to some shady new owner is entitlement?

      Congratulations man, ‘skill issue’ people like you are why open source software rarely takes off. No one will use or trust any open source software if this happens. This just pushes people to use tech giants like Google and Microsoft because they’re big and stable and not about to change owners.

      Don’t fucking publish your software for people to download if you’re going to pull the rug out from under them. Keep it on your local machine and jerk off to it if you don’t care about others using it.

      • Bazoogle@lemmy.world
        2 up · 9 hours ago

        Don’t businesses transfer to shady owners all the time? The longer time goes on, the older these developers get, the more we will have projects either transfer, die out, or someone fork.

      • sabreW4K3@lazysoci.al
        6 up, 7 down · 12 hours ago

        Let’s look at the timeline.

        Developer was maintaining app, didn’t wanna do it any more and suggested everyone use the most popular fork.

        The maintainer of said most popular fork, after a while, didn’t wanna do it any more and after asking for maintainers for a while, found one on her own and handed him the project.

        Entitled AF users, who aren’t looking to maintain the project, don’t like the cut of the new maintainer’s jib and thus kick up a fuss.

        At this point, there’s zero new forks available on F-Droid or IzzyOnDroid, proving it’s not about anything other than kicking up a fuss.

        Anyone that is so outraged, put your time and effort where your mouth is. Stop with the brigading and actually maintain and publish a fork.

        Personally, I trust nutomic and catfriend and if I trusted catfriend to maintain the app, I will trust their vouch for the new maintainer too.

        • Ephera@lemmy.ml
          6 up · 9 hours ago

          To my knowledge, the only problem was that there was no communication about the handover. If there had been a post on the original repo with reasoning for Catfriend stepping down, instead of the repo just disappearing (from what I heard), there would’ve been no drama…

          Admittedly, I did not look into it too deeply, though.

          • sabreW4K3@lazysoci.al
            4 up · 6 hours ago

            Catfriend was actively openly looking for a replacement for ages and couldn’t find one. No one was stepping up. When she eventually found someone, suddenly everyone wants to have a say. What was she supposed to do, put her life and mental health on hold until the community that wasn’t helping maintain the project, vetted the replacement she found? I don’t know how people can’t see that their expectations are out of whack here. As I said before, if any one of the people who are whipping up the storm had stepped up to take over, there’d be somewhat of a point to this, but that’s not happening. It’s just pitchforks for the sake of pitchforks.

            • Lfrith@lemmy.ca
              2 up · edited · 5 hours ago

              It’s just the process of the handover that is making people skittish with the github going private then reappearing with a new maintainer.

              I think best route would have been for researchxxl to just fork syncthing-fork to put on F-droid, and catfriend1 just leave their branch archived with an endorsement of researchxxl.

              After some time passes and researchxxl gains trust in the community I’m sure people will trust their work. The transition just wasn’t handled well.

    • Onomatopoeia@lemmy.cafe
      1 up · edited · 13 hours ago

      I’ve been running STFork for so long I forgot it’s not the mainline app.

      Guess it’s time to learn how to host my own Relay server.