Automatic update security

Hello,

I have been using Syncthing for a few years and it’s awesome.

But I’m always worrying about one thing: if the developers’ servers/computers ever got compromised, an attacker would be able to upload a Syncthing version with malware, and since Syncthing auto-updates by default it would compromise thousands of systems.

When we hear all the time in the news about big software companies being compromised, how do the Syncthing developers protect against this?

The binaries are signed, and the releases are signed, though if someone got hold of the signing keys, yes, it could be trouble.

The signing keys live on a specific machine used only for the purpose. You need to compromise several accounts (SSH keys, passwords) to get there. Specifically the signing keys are not present on any developer machine or the build server.

You also need to compromise a GitHub account with permissions to create releases and upload binaries. But that might be the easier step - there are more with access, and many do not use 2FA. Alternatively you can compromise the update server we use to point at the binaries.

It’s all certainly possible but I think we’ve done what we can to lock it down (while still making it reasonably painless to publish releases).
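The reply above rests on one defensive property: a client only installs an update whose signature verifies against a key it already trusts, so compromising the update server or the download host alone is not enough. The following Go program is an added illustration of that check and is not Syncthing's own updater or signing code; the `Release` type, the `SignRelease` and `VerifyRelease` functions, the Ed25519 choice and the version-binding message format are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is a downloaded update: the artifact plus a detached signature
// produced on a hypothetical offline signing machine (constructed type).
type Release struct {
	Version   string
	Binary    []byte
	Signature []byte
}

var ErrBadSignature = errors.New("release signature does not verify against the pinned key")

// signedMessage binds the version label and the artifact together, so a valid
// signature for one version cannot be replayed under a different version label.
func signedMessage(version string, binary []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "v1"+"x" and "v1x"+"" cannot collide
	h.Write(binary)
	return h.Sum(nil)
}

// SignRelease models the signing step; the private key exists only where this runs.
func SignRelease(priv ed25519.PrivateKey, version string, binary []byte) Release {
	return Release{
		Version:   version,
		Binary:    binary,
		Signature: ed25519.Sign(priv, signedMessage(version, binary)),
	}
}

// VerifyRelease is the check an updater runs before installing anything.
// pinnedPub is compiled into the running client, so neither the update server
// nor the download host can substitute a key of their own.
func VerifyRelease(pinnedPub ed25519.PublicKey, r Release) error {
	if len(r.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinnedPub, signedMessage(r.Version, r.Binary), r.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Key pair generated here only for the demonstration; in practice the
	// public half is pinned in the client and the private half never leaves
	// the signing machine.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	good := SignRelease(priv, "v1.2.3", []byte("constructed binary contents"))
	fmt.Println("genuine release:", VerifyRelease(pub, good))

	// Compromised update server: it points at a binary the signing key never saw.
	tampered := good
	tampered.Binary = []byte("binary the signing machine never saw")
	fmt.Println("tampered binary:", VerifyRelease(pub, tampered))

	// Attacker who controls the download host re-signs with their own key;
	// rejected because the client trusts only the pinned key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignRelease(attackerPriv, "v1.2.4", []byte("unwanted payload"))
	fmt.Println("attacker-signed release:", VerifyRelease(pub, forged))
}
```

The point the example makes is the one in the reply: with the verifying key pinned in the client, the only asset whose theft lets an attacker ship an accepted update is the signing key itself, which is why keeping it off developer machines and off the build server matters more than hardening any single download path.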

Hello,

It’s reassuring to know some steps are taken to secure the release process.

Hopefully everyone that has access to sensitive parts of the infrastructure has good security hygiene.

With great power comes great responsibility :wink: