bxparks a day ago

I don't follow the Syncthing ecosystem, so it's difficult to understand what is happening.

[Edit: The GitHub repos are called "syncthing-android". The Android apps are called "Syncthing-Fork" or "Syncthing-Fork Wrapper", which adds to the confusion.]

If I recall, there used to be a syncthing-android app on Google PlayStore. That was discontinued by @imsodin in Oct 2024 (https://forum.syncthing.net/t/discontinuing-syncthing-androi...).

There was a version of syncthing-android on F-Droid. I don't remember who maintained that. I have version 1.30.0.4 installed. But I cannot find any information about that version anymore.

The current version on F-Droid is 2.0.12.1. That seems to be maintained by a fellow named @researchxxl. Apparently @researchxxl claims to have inherited the source code and signing keys from a person named @Catfriend1 (Not sure who that is, the maintainer of version 1.30.0.4?)

There is another fellow named @nel0x who seems to be maintaining a different version of syncthing-android? (Edit: Here it is, https://github.com/nel0x/syncthing-android, which says that it is a fork of the one maintained by @Catfriend1).

bxparks a day ago | parent | next [-]

[Passed my edit window, so replying to self]

Looks like the original repo of syncthing-android (https://github.com/Catfriend1/syncthing-android), which was maintained by @Catfriend1, now redirects to the one maintained by @researchxxl (https://github.com/researchxxl/syncthing-android).

The problem seems to be that no one in the syncthing community knows who @researchxxl is. The account was created only 3 weeks ago. There was no communication about how the transfer took place. Was the transfer actually authorized? Did @Catfriend1 get hacked? People are worried about a backdoor hijack attack similar to the XZ library.

There's a long discussion at https://forum.syncthing.net/t/does-anyone-know-why-syncthing.... It is too long and complex for me to follow. (I tried to get an LLM to summarize that thread for me, but the output was not helpful.)

It is unclear what syncthing-android users are supposed to do right now. I am staying at version 1.30.0.4 until things become more clear.

j-bos a day ago | parent [-]

> People are worried about a backdoor hijack attack similar to the XZ library.

This is a particular concern because the syncthing-fork is coded to require full storage access, iirc for compatibility with certain phones. Idr, went through with Claude and iterated through a diff of everything between Catfriend1's changes and the original repo. The broad access really isn't necessary on most phones as I refactored the flag, compiled the app and installed it with no problems. I ultimately decided to go with the official build to make updates easy, now hmmm. Troubling when the trust gets so diluted.

accoil a day ago | parent | prev | next [-]

This is how I've observed it: Catfriend1 has long been the owner of syncthing-fork on Android, which was a fork of the official client syncthing-android. It had extra features around Android that were lacking in the official client (e.g. sync windows to reduce battery usage).

When Google locked down on file APIs a year or so ago, the official syncthing-android pulled out of Google Play, but syncthing-fork stuck around in F-Droid as the fork was for personal purposes, and they were using F-Droid for distribution in the first place.

This change in ownership is new to me, but I'm also not surprised it happened as syncthing-fork was always a personal project.

s_ting765 a day ago | parent | prev [-]

> I have version 1.30.0.4 installed.

Can confirm same case here. App was installed from F-Droid, no longer linked to the store.