this post was submitted on 09 Dec 2025

83 points (98.8% liked)

F-Droid

10006 readers

1 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 4 years ago

MODERATORS

fossdd@lemmy.ml

testman@lemmy.ml

Key handover in the dark: Syncthing fork community raises alarm (www.heise.de)

submitted 1 month ago by redd@discuss.tchncs.de to c/fdroid@lemmy.ml

21 comments fedilink hide all child comments

all 22 comments

sorted by: hot top controversial new old

[–] RustyNova@lemmy.world 21 points 1 month ago (1 children)

Dammit. They are taking the last android syncthing client from us.

[–] TwiddleTwaddle@lemmy.blahaj.zone 12 points 1 month ago (3 children)

The original maintainer came back recently and said that the handover has their blessing and the new maintainer is someone they know. Some people are still talking about moving to syncthing-tray, but it's still experimental on android.

[–] leobluefish@lemmy.world 20 points 1 month ago

That catfriend post was... a bit strange

[–] QuestionMark@lemmy.world 10 points 1 month ago

They could have been hacked or forced.

[–] RustyNova@lemmy.world 4 points 1 month ago (2 children)

Where did you see that? Couldn't find anything on the repo.

Will still go with nel0x's version tho

[–] trolske@feddit.org 3 points 1 month ago (1 children)

It's on the forum, not on the GitHub

[–] boredsquirrel@slrpnk.net 3 points 1 month ago

https://forum.syncthing.net/t/25661/165

[–] sylver_dragon@lemmy.world 16 points 1 month ago* (last edited 1 month ago) (1 children)

While it's probably fine, it's also worth remembering the FBI's Operation Trojan Shield happened. Similar state sponsored APTs would be very happy to get into such a privileged position.

[–] CandleTiger@programming.dev 19 points 1 month ago (2 children)

I really don’t see why there are so many people around saying “it’s probably fine”

In my personal opinion shit like this is probably not fine at all.

[–] leobluefish@lemmy.world 6 points 1 month ago (1 children)

For me that's an uninstall unfortunately and looking for another solution at the moment.

[–] eldavi@lemmy.ml -2 points 1 month ago (1 children)

is it because it's onerous to read the source?

[–] CandleTiger@programming.dev 6 points 1 month ago (1 children)

Yes. It’s very very hard to read the source and know there’s no security bug in it. That’s 10x truer when the security bugs are potentially on purpose, and carefully hidden.

[–] eldavi@lemmy.ml -1 points 1 month ago

i would run a diff on the previous version compared to the current one.

[–] sylver_dragon@lemmy.world 4 points 1 month ago (1 children)

I really don’t see why there are so many people around saying “it’s probably fine”

Because there is currently no direct evidence of anything amiss. From the linked article:

Technically, the changes made so far have been reviewed by some people and no obvious malicious modifications have been found; F-Droid also builds the app reproducibly and verifies whether the published code matches the binaries

Granted, someone could be playing a long game here. Get control, wait for the controversy to die down while playing nice, then do then rug pull when no one is watching anymore. That's possible. It's also quite possible that the previous maintainer got tired of doing a hard and thankless job for no pay and wanted to shed the whole thing. They found someone to hand it off to, and the new maintainer is just shit at open communications. That happens and is also possible. Whether or not it makes you change your usage of the package is down to your risk appetite. But, jumping at every shadow gets old quick and at some point you have to accept some risk. So, unless and until there is more evidence to backup the claim of foul play; or, if you have a really low risk appetite, this is one of those things which falls under "keep an ear open, but it's probably fine".

[–] CandleTiger@programming.dev 9 points 1 month ago

Because there is currently no direct evidence of anything amiss.

You don’t need direct evidence of a problem. It’s the other way around — In order for the software to be trustable with private data you need steady, ongoing evidence that the authors are trustworthy.

National spy agencies are out there, right now, and recently in the news, trying to suborn open source project maintainers. This is a known risk.

[–] XTL@sopuli.xyz 5 points 1 month ago

Does some place have a trusted archived copy? Should be easy to checksum a given common commit in their history and read forward.

[–] Emanuel@hexbear.net 4 points 1 month ago

Of note in this article is the mention of nel0x's fork of Syncthing-Fork, which is, as much as I've gathered, and old contributor to Syncthing and more trusted member of the community than researchxxl, as well as much more transparent about the whole changing of hands of the Syncthing-Fork project.

This issue on researchxxl's fork might also be of interest, as it documents the (lack of) response to the whole sketchiness of what is happening, as well as more discussion.

[–] Lfrith@lemmy.ca 3 points 1 month ago (1 children)

How's using termux to run syncthing? And any good guides?

[–] Marcus@scribe.disroot.org 2 points 4 weeks ago (1 children)

There's a rough guide here: lemmy.zip/comment/23205163

Perhaps sufficient to get started...

[–] Lfrith@lemmy.ca 1 points 4 weeks ago

That doesn't look too hard to follow. Thanks for the link to the guide.

[–] t0fr@lemmy.ca 2 points 4 weeks ago

Yeah I really don't like this. Seems lik a terrible way to do this.

I've disabled updates on it.

I already no longer use it to sync my music (moved to Navidrome with Symfonium). Do I move away for my personal photos & documents?