[Passed my edit window, so replying to self]

Looks like the original repo of syncthing-android, (https://github.com/Catfriend1/syncthing-android), which was maintained by @Catfriend1, now redirects to the one maintained by @researchxxl (https://github.com/researchxxl/syncthing-android).

The problem seems to be that no one in the syncthing community knows who @researchxxl is. The account was created only 3 weeks ago. There was no communication about how the transfer took place. Was the transfer actually authorized? Did @Catfriend1 get hacked? People are worried about a backdoor hijack attack similar to the XZ libary.

There's a long discussion at https://forum.syncthing.net/t/does-anyone-know-why-syncthing.... It is too long and complex for me to follow. (I tried to get an LLM to summarize that thread for me, but the output was not helpful.)

It is unclear what sycnthing-android users are supposed to do right now. I am staying at version 1.30.0.4 until things become more clear.

> People are worried about a backdoor hijack attack similar to the XZ libary.

This is a particular concern because the syncthing-fork is coded to require full storage access, iirc for compatibility with certain phones. Idr, went through with Claude and iterrated through a diff of everything that between Catfriend1's changes and the original repo. The broad access really isn't necessary on most phones as I refactored the flag, compiled the app and installed it with no problems. I ultimately decided to go with the official build to make updates easy, now hmmm. Troubling when the trust gets so dilluted.