I’ve been a user for years of the PC version + Android app. Today I realize there is no official Android version anymore on Google Play.
I know there are forks (Syncthing-Fork by nel0x and/or catfriend1) but the problem is that trusting unknown builds by third-party people (not employee of Syncthing Foundation) is too complicated, at least for me, for an app which deals with very personal files.
The problem is not the availability of the source code (available here, however archived now - related post here) but the trust on the builds: an official version released by the Foundation would be much more trustable than builds from of a third-party person.
(We are probably all aware of the hundreds/thousands of data breach per year and the “JiaTan” supply-chain attack against XZ compression library drama in 2024).
We are many people using Syncthing, I think it should be doable that 100 people per year donate 20 € or 50 € to the Foundation, at least.
What would be the costs for the Foundation for an “official” Android version ?
source code availability : it should be possible to do a Foundation-official fork of the “syncthing-fork-Android”, so the source-code might be already “ready to use”, with little modifications ?
build process : done by a member of the Foundation
Google Play developer account management
Google Play administrative tasks
(alternatively: no GooglePlay at all, but everything on F-Droid)
are there other hidden costs ?
Even 1 build per year would be ok (I still use the old official Android app and it works well), don’t you think so ?
I am developer myself, please pardon me if I’m wrong, but would 10-20 days of work per year to just maintain a version online on Google Play (or F-Droid) be ok? In Europe 500€/day might be common, would 5000 - 10 000€ be the range needed ?
TL;DR : Would the Syncthing Foundation be interested in a donation-funded official “Android” Syncthing app?
Maintaining a piece of open-source software requires a genuine interest in the wellbeing of that software, and the stamina to keep that up through a continuous onslaught of bug reports and general crap from everyone from Google to entitled users. I do that for Syncthing (-core), happily. You literally could not pay me to do it for the Android app.
However, if there was a stable, non-drama-generating maintainer of it, they are welcome to have the source code hosted under the Syncthing org and have the foundation pay the required costs for whatever app stores etc. However, I’d like to be able to trust them and their commitment to it first, or we end up with just another abandoned “”“official”“” fork.
More generally, what you’re describing is effectively the situation we had with the android app prior to shutting it down – minimal maintenance and a couple of builds now and then. That’s just not really enough to make it a viable project, given the moving target that is the mobile app environment.
All of which is to say, money is not the problem, as I see it. People who care, and prove themselves to act reasonably over time, are.
Even more generally, the purpose of having the repo and builds under the foundation/org would, as I see it, primarily be to be able to provide continuity over time for things like maintainer handovers. Continuity of process, policy, and source.
However, the maintainer handovers we’ve seen recently have tended towards the “fuck existing policy & processes, I want to do things my own, different way in my own fork”. Which is reasonable, people are entitled to do what they want with their own forks, but I doubt it would have helped to have an official version hosted in our org, it would just as likely just have been abandoned. So, again, this requires people wanting to act within the Syncthing org, we can’t just pull the project in.
Honestly, you will require way more time than that just on dealing with Google’s nonsense regarding publishing the app (and keeping it up-to-date) on the Play Store. This was the case when the official app was still maintained, and it was largely a waste of time, as you weren’t even sure if the other side was a real person or just a bot rejecting the app automatically. You can still find some of the struggle that @imsodin was going through with Google in the now archived official repository.
One of the main obstacles, as I see, seems to be Google Play (I agree it is a pain in …, I once developed and maintained a small Android app years ago, and managing the Google Play distribution was insane).
Then, one much easier solution would be a FDroid distribution, … or even simpler: just a “Download APK” link on Syncthing | Downloads ? Of course, the end-user should be able to Allow APK unknown sources in the Android Settings, but that would be ok.
Do you think this basic solution (no GooglePlay, no FDroid) just a “Download APK” with a new build every year might be ok in the future years?
The guarantee that the build is done by a member of the Syncthing Foundation and no third-party developer (again, I don’t want to risk to make all my personal files transit via an app built by an unknown person, once again I remember the 2024 XZ backdoor fiasco / JiaTan story) would be great for the ST community in general.
I totally understand you don’t want to do it @calmh , you already give a wonderful gift to the world by developing Syncthing(Core).
May I ask if another member of the ST Foundation team (are you 3 or more people?) could be willing to do this “APK build” once every year (direct APK download on the website, no GooglePlay distrib)?
Could donation-funding be a potential solution?
Speaking again just for myself, in my opinion there is no such thing as just making a build once a year. If you make and publish a build you take on the responsibility of timely updates, security updates, compatibility updates, and all the support and bug handling that comes with it.
I just want to share my experience for your usage statistics (because my situation might happen for other people): I had to setup a new Android phone yesterday, and because of the lack of an official Android version (I really cannot trust a fork built by a random person for personal files managament), with a lot of regrets, and after years of happy usage of ST, I had to install another software (Dropbox-style) instead of ST.
I am quite sad to be in this situation, since I’ve been an advocate of ST for years (along the years, I have spoken of ST to many friends, and some of them still use it).
You do have the BEST sync software in the world @calmh@tomasz86, but I am sad to see there is no future for an official APK version (even without GooglePlay but just APK alone would be great). (please note that, of course, I totally understand the reasons you mentioned, being a developer and maintainer of several projects myself, I know the burden of software maintenance.)
Sorry to be that (annoying) guy but I had to share my sincere feelings before having to use another software.
For the record, you can install and run bare Syncthing binaries via Termux. While those aren’t distributed by us, they are just built from source, similarly to Syncthing binaries shipped in various Linux distributions. With those, you should be safe from any shenanigans or instabilities that could possibly be caused by 3rd-party wrappers.
So, again, this requires people wanting to act within the Syncthing org, we can’t just pull the project in.