@fdroidorg at this point is being used to push out an app with sensitive permissions that’s been taken over by an unknown individual who refuses to engage with its large community of users and developers.

I STRONGLY recommend disabling updates from F-Droid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version, which has a different maintainer.

This is extremely shady, and it’s just looking worse as time goes on. I’ll link to the Syncthing forum thread from about where I left off last time in a subsequent post.

    • khorovodoved@lemmy.zip · 16 hours ago · 20 upvotes

      Well, Jia Tan waited several years before pushing malicious code. How can we know it is not the same person?

      • Kami@lemmy.dbzer0.com · 16 hours ago · 19 upvotes

        Better safe than sorry.

        Also, from what I just read, he seems to be playing dumb in some of his answers, while also repeatedly ignoring important questions and closing the issue because it was “too heated”.

        In one issue (from 3 days ago) he also asks, kinda angrily, if people want to see the chat he had with the previous maintainer before receiving ownership of the repo, but in the next comments he says he didn’t save that chat as screenshots.

        Like… WUT??

        I started reading thinking it was just people being too cautious, but now I’m sure the guy is full of shit, and I would expect the worst to have happened here, honestly.

        • Lfrith@lemmy.ca · 6 hours ago · 1 upvote

          Even when well-meaning, sometimes malicious code can slip through, like with SmartTubeNext due to a compromised machine.

          So I think people forget that just because something is FOSS doesn’t mean it is automatically safe and caution can be thrown to the wind. Skepticism and being overcautious is still good practice before installing things.

          I like to wait a while before installing new updates just to see if anything is caught by the community to try to reduce potential risk.

      • James R Kirk@startrek.website · 15 hours ago · 5 upvotes, 1 downvote

        It always is. The thing with FOSS vs a private company is that internal debates are:

        1. Public
        2. Involving people working for free

        Meaning we not only see the ““drama””, but that it can become more verbally intense. Buuuuut it almost never ends up mattering much to the average user, and when it does, the public certainly won’t learn about it on GitHub or in the replies to a toot.