I have been following the development from the beginning and the TL;DR is that the original maintainer deleted his repository, and a new maintainer appeared out of thin air, with the original maintainer’s signing keys. As of now, I would refrain from updating (the last presumed safe version to be found in the post linked below). In the future, there is a new fork from a trusted packager of the GPlay version of Syncthing-fork which might be the way forward, or one might use another client altogether.
More story: The new maintainer says they got the keys from the original maintainer after agreeing to maintain the application instead of the original maintainer so that the original maintainer can retire. However, the alleged “transition” was done so poorly (more like sketchy as all …) that the community has mostly decided to, at least for now, not blindly trust the new maintainer as there is no indication from the original maintainer that such a transition was indeed done, and that nothing malicious is going on. Nothing malicious has been found for now, but everything is sketchy as … Time might help mend the broken trust, but I would say that at this point and with the behaviour of the new maintainer so far, that is somewhat unlikely.
Read more on this in the official Syncthing forum post.
I use syncthing-fork on Android, works fine.
What an irresponsible thing to say, “I’m a moron, jump off the bridge with me”.
Yeah no shit it’s fine, just until one day we all wake up with “xz” style exploits because “it works bro, stop caring”.
I also use syncthing-fork for Android. It works fine for me, too.
I like birds.
Yes, but is it secure? Is there something malicious in the code? That’s what we’re worried about.
I really don’t like the way these people treated you and me, but it’s an issue. I can attest the app is still working, doing its thing, but it’s not worth the risk for me. I uninstalled it after reading about the state of things on GitHub: basically, the lack of trust in the current maintainer and their unwillingness to deal with this problem whatsoever.
If you still think it’s worth it for you, enjoy.