@fdroidorg at this point is being used to push out an app with sensitive permissions that’s been taken over by an unknown individual who refuses to engage with its large community of users and developers.

I STRONGLY recommend disabling updates from F-Droid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version which has a different maintainer.

This is extremely shady and it’s just looking worse as time goes on. I’ll link to the Syncthing forum thread from about where I left off last time in a subsequent post.

  • Ephera@lemmy.ml
    2 days ago

    To my knowledge, the only problem was that there was no communication about the handover. If there had been a post on the original repo with reasoning for Catfriend stepping down, instead of the repo just disappearing (from what I heard), there would’ve been no drama…

    Admittedly, I did not look into it too deeply, though.

    • sabreW4K3@lazysoci.al
      2 days ago

      Catfriend was actively, openly looking for a replacement for ages and couldn’t find one. No one was stepping up. When she eventually found someone, suddenly everyone wants to have a say. What was she supposed to do, put her life and mental health on hold until the community that wasn’t helping maintain the project vetted the replacement she found? I don’t know how people can’t see that their expectations are out of whack here. As I said before, if any one of the people who are whipping up the storm had stepped up to take over, there’d be somewhat of a point to this, but that’s not happening. It’s just pitchforks for the sake of pitchforks.

      • leetnewb@beehaw.org
        5 hours ago

        I don’t think this framing is completely accurate. nel0x, one of the people stepping up to maintain a fork, made reasonable requests to researchxxl that were ignored and denied. Basic stuff like “can you join the official syncthing forum”. Trust is incredibly important when you are taking over distribution of an existing app, let alone one that has permissions to your filesystem and can push changes to other devices through NAT/firewalls. Processes to develop trust can be tying your online identity to real life identity, and/or being a visible, contributing member of a community over time. A transparent handover process would also be important. None of those conditions for trust were met and auto-installed updates were pushed.

      • Lfrith@lemmy.ca
        2 days ago

        It’s just the process of the handover that is making people skittish with the github going private then reappearing with a new maintainer.

        I think the best route would have been for researchxxl to just fork syncthing-fork to put on F-Droid, and catfriend1 just leave their branch archived with an endorsement of researchxxl.

        After some time passes and researchxxl gains trust in the community I’m sure people will trust their work. The transition just wasn’t handled well.

        • Marcus@scribe.disroot.org
          4 hours ago

          Exactly; would have been much cleaner. The recent update to v2 already required migrating one’s config. So doing it again (now knowing the process) to such a new “fork-fork” would’ve been a no-brainer.

          But the whole situation has a more critical aspect than this technical issue: the new dev’s appearance out of nowhere, lack of reasonable communication, and arrogance.