@fdroidorg at this point is being used to push out an app with sensitive permissions that’s been taken over by an unknown individual who refuses to engage with its large community of users and developers.
I STRONGLY recommend disabling updates from F-Droid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version, which has a different maintainer.
This is extremely shady and it’s just looking worse as time goes on. I’ll link to the Syncthing forum thread from about where I left off last time in a subsequent post.


I don’t think this framing is completely accurate. nel0x, one of the people stepping up to maintain a fork, made reasonable requests to researchxxl that were ignored and denied. Basic stuff like “can you join the official syncthing forum”. Trust is incredibly important when you are taking over distribution of an existing app, let alone one that has permissions to your filesystem and can push changes to other devices through NAT/firewalls. Processes to develop trust can be tying your online identity to real-life identity, and/or being a visible, contributing member of a community over time. A transparent handover process would also be important. None of those conditions for trust were met and auto-installed updates were pushed.