this post was submitted on 17 Nov 2025
389 points (99.5% liked)


Overview here

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/39

The new owner of the repo has a fresh github account and apparently has the signing keys from Catfriend1 too.

Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.

[–] pulsewidth@lemmy.world 29 points 2 days ago* (last edited 2 days ago)

Update from Simon aka imsodin, Syncthing Maintainer

tl;dr for android users: No need to switch apps at this time, the current install continues to work and is safe. If you can disable app auto-updates, please do that for now to be on the safe side.

Good news: Had a good chat with @nel0x. He is a collaborator on researchxxl’s repo and just marked those releases as “pre-release”, which prevents the obtainium auto-upgrades. So we are back to no immediate risk for users and we can take it slowly, trying to establish communication and more context. It’s still possible and imo likely that nothing nefarious is going on, just a very suboptimal handover that needs clearing up. There’s no need to go dig for repos on github, the technicalities of continuing to publish an app are not an issue - the open/relevant points are about a possible direct continuation of the existing app (or not), the time/effort that needs to be volunteered to publish an app and the trust in whoever does that. Hopefully we can work something out. If you are interested in helping maintain the app, let us know, other than that imo nothing to do here except if you are a user, to do the above in the tl;dr and every now and then check-in on the status (now and then being more like every week than every hour 😉 ).

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/58

[–] spacelord@sh.itjust.works 88 points 2 days ago

I wouldn’t say it’s only for the extra paranoid, but rather for everyone.

After reading the whole discussion, it’s clear that the repo transfer was handled in an extremely unorthodox way, at least by usual standards for repo handovers that I'm familiar/experienced with.

Communication from Catfriend1 was absolutely nonexistent, and there was only minimal info from the person who took over using a GitHub account created just two days ago.

Trust is something that must be earned, not given to someone you’ve never seen or heard of before.

[–] Wispy2891@lemmy.world 29 points 2 days ago* (last edited 2 days ago) (1 children)

Maybe it's actually true that catfriend1 knows the new owner in real life but... this is not a calculator app, this is something that has complete access to the phone storage... handing the keys without any communication is concerning...

And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo

[–] WhyJiffie@sh.itjust.works 8 points 2 days ago

> And the issues are locked so if something nefarious happens, discussion will only occur somewhere else instead of the repo

people shouldn't count on that anyways because the repo owner can delete issues, comments, also edit them

[–] arcterus@piefed.blahaj.zone 90 points 3 days ago

This whole situation has been bizarre and really poorly communicated.

[–] CoyoteFacts@piefed.ca 42 points 2 days ago (2 children)

Absolutely not trusting this. Uninstalling until we know more, and ideally just getting a different solution entirely. A new account tried to impersonate Catfriend1 directly at first, and then they switched to researchxxl when someone called it out (both are new accounts). Meanwhile the original Catfriend1 has provided no information about this, and we only have the new person's word as to what's going on. There's way too many red flags here.

[–] Wispy2891@lemmy.world 10 points 2 days ago (1 children)

Afaik don't need to uninstall yet, f-droid won't automatically get new builds from this repo until the situation is cleared

[–] 0_o7@lemmy.dbzer0.com 3 points 2 days ago

But but my outrage… means I can do stupid things and act smart online.

I'm uninstalling Android and installing iOS right now.

[–] curiousfurbytes@programming.dev 7 points 2 days ago* (last edited 2 days ago) (2 children)

I've done the same. Not trusting something until it can be trusted. Unfortunately it seems there's no easy alternative apps, so not sure how I'll handle my usage now

[–] Pika@sh.itjust.works 24 points 2 days ago* (last edited 2 days ago) (1 children)

this entire thing has made me really rethink whether I want to swap to the new repo or not.

Why was there no communication about it? The gplay repo maintainer wasn't informed of anything, no public notice to anyone was given, just a transfer of the repo and a status issue here explaining it.

Obviously the act is genuine as they were able to keep the original keys but like, this entire system seemed really sketchy.

I'm also not happy with the fact that it seems the first thing they added was removing checksums, but that might be a temp thing.

I also just noticed that it looks like they removed the entire public key for it, which if they had the original private keys using the existing public keys shouldn't be an issue right?

[–] tgxn@lemmy.tgxn.net 15 points 2 days ago* (last edited 2 days ago) (1 children)

It's likely because the app will no longer be distributed on Google. They likely removed the Google play signing keys and configuration, which is completely fine. I'll have a look over their changes when I get home, but I doubt it's anything nefarious.

I also ditched this stuff when Google decided to start asking for my drivers license and will no longer distribute my apps within their closed marketplace.

[–] Wispy2891@lemmy.world 10 points 2 days ago (1 children)

> Google decided to start asking for my drivers license

I wish it was only the drivers license, I had to give up my Android dev account too because having my private home address + phone number + email publicly available on the dev profile page is completely unacceptable

[–] Takios@discuss.tchncs.de 13 points 2 days ago

Thank you for the notice. This is a really bad look on the project. Thankfully I still have a version from before the takeover installed and disabled auto-updates just in case. Though I suspect f-droid will not accept builds by this person until trust has been established.

[–] AmbiguousProps@lemmy.today 14 points 2 days ago* (last edited 2 days ago) (1 children)

The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it's possible that if you had this previously installed via Obtainium and updated now, you may have unsigned apks installed that may or may not contain the changes in the repo.

This is a mess. I deleted the repo from Obtainium (luckily I don't auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.

[–] pulsewidth@lemmy.world 9 points 2 days ago* (last edited 1 day ago) (1 children)

Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo if they have the keys - and throw no complaints when updating to an entirely different apk.

With F-Droid they at least have to have the same signing keys, and the code is built by F-droid from source - meaning the code for the supplied APK always matches the code on the repository for the build. Whereas Obtainium will just offer you any APK the dev releases on their GitHub/Gitlab/etc, this places much higher trust on the dev.

Edit:
my bad, I wrote earlier that all F-droid builds are reproducible. But that's not accurate: F-droid does not enforce that all builds must be reproducible. They have been helping devs with the tools and assistance to do so since 2015, and all the apps that I use I'd checked in the past and are all using reproducible builds, so I wrongly presumed it was mandatory now. Eg, Syncthing-Fork from Catfriend has had all builds reproducible since v2: https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/
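
The signing-key concern raised in the two comments above can be checked locally before installing an APK pulled from a release page. This is an added example, not part of the thread or of any project named in it; it assumes the Android SDK build-tools `apksigner` is on PATH and parses its `Signer #N` output lines, and the sample output and fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare an APK's signing certificate with a fingerprint
# pinned from a release you already trust. All values here are constructed.

# Constructed sample of `apksigner verify --print-certs` output.
sample_output() {
    cat <<'EOF'
Signer #1 certificate DN: CN=Constructed Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
EOF
}

# Read apksigner output on stdin, print each signer's SHA-256 digest
# as lowercase hex, one per line.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p' |
        tr 'A-F' 'a-f'
}

# check_pinned PINNED < apksigner-output
# Returns 0 only if exactly one signer is present and it equals PINNED.
# PINNED may be plain hex or colon-separated, in either case.
check_pinned() {
    pinned=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    digests=$(signer_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    # Fail closed: no parsable signer, or more than one, is not a match.
    [ "$count" -eq 1 ] || { echo "expected 1 signer, found $count" >&2; return 2; }
    [ "$digests" = "$pinned" ] || { echo "signer mismatch: $digests" >&2; return 1; }
}

# verify_apk APK PINNED
# apksigner exits non-zero when the APK signature itself does not verify.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || { echo "signature invalid" >&2; return 3; }
    printf '%s\n' "$out" | check_pinned "$2"
}

# Usage (file name and fingerprint are placeholders):
#   verify_apk ./downloaded.apk "<sha256-of-trusted-signing-cert>"
```

The pinned value should come from a build obtained before the handover, for example by running `apksigner verify --print-certs` on an APK you saved earlier.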

[–] WhyJiffie@sh.itjust.works 2 points 2 days ago (1 children)

> and the code must be a replicable build by F-Droid's internal apk signature copying process

that's not a requirement. or was it already being built reproducibly?

[–] pulsewidth@lemmy.world 2 points 2 days ago

Every Catfriend build since v2 has been reproducible. Most apps on F-Droid are and they are encouraging it for all devs, to build trust.

https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/

[–] ultranaut@lemmy.world 53 points 3 days ago (2 children)

Not sure if I qualify as extra paranoid but this whole situation feels very sketchy and has me reconsidering my use of syncthing. Making significant changes like this without any explanation is extremely bad practice.

[–] unexposedhazard@discuss.tchncs.de 67 points 3 days ago* (last edited 3 days ago) (2 children)

> has me reconsidering my use of syncthing

This is about a third party piece of software that isn't directly related to syncthing. The devs of syncthing have however been recommending syncthing-fork as their choice for android, so it definitely needs clearing up.

[–] chaospatterns@lemmy.world 39 points 2 days ago (1 children)

We're sort of in this situation because the official project decided not to continue providing an official Android app, yet people want to use it on Android forcing unofficial versions to be created and maintained.

I get that they don't want to deal with Google Play anymore, but somebody has to deal with it and them not owning the app is putting users at risk.

[–] hersh@literature.cafe 20 points 2 days ago (1 children)

> I get that they don’t want to deal with Google Play

Was that the reason? Shame they didn't just leave it on F-Droid and GitHub then. Nobody needs to use Google Play (at least not yet...)

[–] chaospatterns@lemmy.world 23 points 2 days ago

https://forum.syncthing.net/t/discontinuing-syncthing-android/23002

According to this post, it was partly that and lack of maintainers. Given there's maintainers for a fork, I'm curious why they didn't bring them into the main project.

> Reason is a combination of Google making Play publishing something between hard and impossible and no active maintenance. The app saw no significant development for a long time and without Play releases I do no longer see enough benefit and/or have enough motivation to keep up the ongoing maintenance an app requires even without doing much, if any, changes.

[–] tychosmoose@lemmy.world 7 points 2 days ago (1 children)

Same here. It was already a little bit concerning that I was relying on a smaller fork to get syncthing on Android. It was on my to do list to figure out options. Now it's at the top of the list, and I'm not doing updates for the time being on Android. That's almost the entirety of my reliance on syncthing - phone to PC sync. I don't really need it that much for sync between PCs.

[–] midribbon_action@lemmy.blahaj.zone 6 points 2 days ago (2 children)

I said this in another thread, but apparently it's not widely known: syncthing works fine on termux, there is no need to install any third party code. You do need to run termux-setup-storage to get access to the shared storage that other apps can access, and I found it worth it to set up the termux:boot app to run syncthing on phone boot. This way only uses the official syncthing repo.

[–] ueiqkkwhuwjw@lemmy.world 3 points 2 days ago

Thanks for the tips, was planning on trying this out.

[–] tychosmoose@lemmy.world 1 points 1 day ago (1 children)

I have heard that. Can it be given run conditions, like only on wifi, and respecting the Android battery saving setting?

My phone has an always on split tunnel VPN to home, so the other sync devices are always accessible. Without the Syncthing-Fork run conditions it chews through mobile data and battery.

[–] midribbon_action@lemmy.blahaj.zone 2 points 1 day ago (1 children)

You'll have to brew your own run conditions I think. For me, it's not a big deal, just a bunch of documents and pictures and not much gets added every day. But termux does have access to network state, and I'm pretty sure syncthing accepts stop and continue execution signals, so a shell script shouldn't be too difficult. Another possible option is to use termux:tasker.

[–] tychosmoose@lemmy.world 2 points 1 day ago

Cool, thanks. I'll take a look.

[–] Lemmchen@feddit.org 11 points 2 days ago* (last edited 2 days ago) (1 children)

What's the last "safe" version on F-Droid? 2.0.11.2?

[–] ueiqkkwhuwjw@lemmy.world 7 points 2 days ago* (last edited 2 days ago)

That's the last version that was released before the transfer AFAIK. Someone in the linked thread also said they didn't see anything suspicious between 2.0.11.1 and 2.0.11.2.

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/17

[–] ook@discuss.tchncs.de 19 points 3 days ago (2 children)

Some more info here, does not read super fishy, all meant well but happened in a strange way https://github.com/researchxxl/syncthing-android/issues/16#issuecomment-3542202530

[–] Zwuzelmaus@feddit.org 9 points 2 days ago* (last edited 2 days ago)

I had intended to try it out, but now uninstalled for... just in case.

Some kind guru please watch the source for unwanted effects.

[–] BackgrndNoize@lemmy.world 15 points 3 days ago (2 children)

My policy with open source projects like these is to fork the repo and only bring in upstream updates when I'm certain it's safe and necessary

[–] Serinus@lemmy.world 14 points 2 days ago

Which is just as risky as instantly updating unless you're really closely keeping an eye on which updates are security related.

[–] smeg@infosec.pub 9 points 2 days ago (2 children)

What's wrong with original Syncthing? Why would anyone use a fork?

[–] nekusoul@lemmy.nekusoul.de 35 points 2 days ago

First up, this fork is specifically about the Android client, not any other ones.

The fork of that always had some nice mobile battery saving features added, but more importantly, the original version has been discontinued.

[–] anzo@programming.dev 4 points 2 days ago (2 children)

For some reason, my version of syncthing-fork is old and source is not even on f-droid anymore. Was there any other before catfriend1? Perhaps I downloaded APK from GitHub... Can't recall.

[–] GreatBlueHeron@lemmy.ca 8 points 2 days ago (2 children)

I installed mine from F-Droid. I just went there to turn off updates and it doesn't exist. I have not been paying attention so it may have been gone for ages and not related?

[–] Sir_Kevin@lemmy.dbzer0.com 7 points 2 days ago (1 children)
[–] GreatBlueHeron@lemmy.ca 5 points 2 days ago (8 children)

Interesting - mine is syncthing-fork 1.30.0.4. When I go to the App Info page it says "App installed from F-Droid" and when I tap on that button I get a small pop-up that says "No such app found."

[–] Serinus@lemmy.world 10 points 3 days ago (2 children)
[–] hummingbird@lemmy.world 8 points 2 days ago

Yup thanks for the heads-up!

[–] ueiqkkwhuwjw@lemmy.world 6 points 2 days ago