I just upgraded to 2.0.11.3 via F-Droid before realizing any of this was happening. Is this version safe to use? I tried to downgrade to 2.0.11.2, but it doesn’t look like the F-Droid app store app lets me do that. I went on the F-Droid website via browser and downloaded the APK file for 2.0.11.2, but when I tried to install it I got an error saying it’s corrupt.
It should be fine for now, as people are still on alert for any changes made. It isn’t like we don’t see the source code.
But if you strictly need the APK, I could back it up from my phone (ARM).
I believe Android will validate F-Droid’s signature by default if you have an F-Droid variant installed.
I had 2.0.11.2 installed from Obtainium (the GitHub release). After uninstalling it in F-Droid, I was able to install the F-Droid version 2.0.11.2 just now.
I and others have gone over the updates for 2.0.11.3 and it appears safe. I’ve turned off auto updates on it.
Please don’t share APKs like that. Yes, you could verify the signature, but the average user won’t be able to do that, so it’s just not safe. I’ve edited the post and removed the link.
@Username2 Android doesn’t allow downgrading apps. You need to uninstall the current version, and then install the older one. Of course, all settings will be gone in the process, so you do need to make a backup (e.g. with the backup option built into the app), and then restore it after you’ve reinstalled the app.
Also, when it comes to F-Droid, there are a few older versions available in the normal repository, and even more if you enable F-Droid Archive in the settings.
Any kind of possible plans to synchronize the programming langs paradigm between syncthing android and syncthing desktop with go (e.g., RCX and Rclone Mobile, something like QT, GTK, and other cross platform programming langs), or syncthing android go>Kotlin with syncthing desktop: golang?
Implementation or rewrite might be too burdensome but I think diverging code is not good either, e.g., Linux in contrast with Russian Linux code diverging from each other, although possible to sync with self hosted gitea copying from Linux source code maybe?
Sorry for the ping, I just wanted to give some of my thought here:
<https://github.com/syncthing/syncthing/issues/8114#issuecomment-3193889501>
<https://github.com/syncthing/syncthing/issues/8114#issuecomment-3193850432>
<https://github.com/x0b/rcx/issues/123#issuecomment-82873185>
<https://github.com/x0b/rcx/issues/123#issuecomment-828731858>
Golang
QT, GTK.
Golang or Kotlin
Golang or swift
, etc?
@researchxxl
@imsodin
@calmh
@AudriusButkevicius
@catfriend1
@acolomb
Is it okay to ping syncthing maintainers here or should I switch and talk about this on forum?
SD Maid SE is a rewrite. While syncthing 1.X version to 2.X version is a manual transfer.
I think that discussion would be better fitted on a separate Forum thread but to at least provide a short answer, it’s important to know that Syncthing for Android is “just” a wrapper, so it definitely uses the go binary of Syncthing (or “Syncthing Desktop”).
Java/Kotlin are well suited for a native Android Application imo.
I don’t have a good idea what you mean with “synchronize the programming langs paradigm”.
In my opinion it makes no sense to me to rewrite the Syncthing service in another language. The Go code can run just fine on most platforms including within an Android service context (when given the right permissions and possibly a few vendor-specific tweaks). I also doubt that using Java APIs would make it faster (in certain cases where it can be quite slow; these limitations come from the underlying filesystem implementation).
Even rewriting the web-based Syncthing UI is questionable. Hence I only tried to complement it when implementing Syncthing Tray. Having that said, for Android I now have an almost full UI (still missing some features that the web-based UI has) which is based on Qt Quick and therefore cross-platform. I plan to re-use bits of that UI in the desktop version of Syncthing Tray.
I generally try to avoid using platform-specific APIs leading to code that only runs on one platform. Using platform-specific APIs of course leads to the most “native” UX (at least for a while until the platform comes up with some new UI library you’ll have to port your app to). However, having to maintain different implementations for each platform is just not sustainable in my opinion.
Signed up just to leave my two cents. I’ve been a Syncthing user for about a decade now, and, like many others here, started asking questions when the 404s started popping up in Obtainium. Since then, I’ve been following the development of this story, lurking, reading, watching. I’ll admit that I have nearly no knowledge of how github and project handovers work, although I have a few years of software development under my belt and I know enough to assume that handing over your keys and credentials to someone is rarely if ever the proper way.
I noticed catfriend1 going awol before researchxxl’s profile popped up. The straight up redirects from catfriend1’s repo to the researchxxl’s one seemed very fishy at first. The github history on researchxxl’s profile also shows that they have created repos earlier than signing up the account - how does that even work? And they have now started to delete comments on the “status” issue in the repo. As I’m writing this comment, the second newest entry in the “status” issue comments says: “Repository owner deleted a comment from Adhjie 19 hours ago”. I don’t know what was said there, but deleting comments is surely not a good look in my book. And what seems the most disturbing is that there has been absolutely zero communication from catfriend1 since all of this started (EDIT: as well as researchxxl’s seeming reluctance/ignorance to join the forums here).
The researchxxl’s account profile picture has also changed. The character in the picture had four arms about a week ago!! I particularly and specifically remember this because I thought I was tripping balls, I scrutinized the picture for every detail and even asked my mate to confirm. Thinking back, I now regret not taking a screenshot. The character had two arms with hands on the keyboard, and two more arms holding some things up, one of their left hands was holding the flask that’s still there. Every other detail in the picture seems to be exactly as I remember it. I’m not saying that this is telling anything, just another piece to the puzzle.
I have no proof of anything and I’m not accusing anyone of anything, just a silly pestering feeling that AI is somehow involved in or even caused this mess. Couldn’t even tell you exactly why, just that the whole thing seems…. janky.
The picture looks AI-generated, and it did have four arms before, but I wouldn’t judge anyone by their avatar image alone (or changes done to it over time). Everything else surrounding the repository transfer is a different story though.
At the moment, I’m seeing that they’ve been pushing commits that may be considered controversial (e.g. removing root access for the app), and those releases are likely going to be published on F-Droid soon, so I wouldn’t be surprised if we have angry users coming to the forum for support (which, in the current state of affairs regarding the app, we cannot really provide).
And they have now started to delete comments on the “status” issue in the repo. As I’m writing this comment, the second newest entry in the “status” issue comments says: “Repository owner deleted a comment from Adhjie 19 hours ago”. I don’t know what was said there, but deleting comments is surely not a good look in my book.
@Adhjie’s comment was the same as his comment in this very conversation, which is totally off-topic IMO. As a proof, here’s the notification I received from GitHub from my subscription of the “status” issue:
But @researchxxl should have hidden the comment as off-topic, not delete it.
@SmashTheState Regarding the rest of your comment, I agree with you. I’m not putting my finger on the future versions @researchxxl could release until the situation is clarified and some trusty people here can guarantee that @Catfriend1 did really hand over his project to someone we can trust. Until now, everything is too suspicious.
I do not understand @Catfriend1’s silence. It takes 1 minute to write a short message to the community.
To be precise, we already know that this is the case; we just don’t know under what circumstances.
It could have been a buyout, a way to reset with new identity, or something else entirely.
I’ve missed that. How do we know exactly?
Just thought to add a few points. I’ll preface this by saying that I hadn’t ever followed the development of Syncthing very closely, it’s “just another tool on the belt” for me, so I have limited knowledge of the project’s history, mostly just things that I’ve pieced together over these past weeks. I’m not willing to accuse anyone of malicious intent, intentional or not, without proof. Just some things that concern me personally to some degree.
I’d like to disable checking for Syncthing updates in Obtainium, but I can’t find the option, so I’m considering uninstalling the Obtainium managed apk and sideloading v2.0.11.2 manually, but can we be sure that the v2.0.11.2 apk on researchxxl’s github releases page has not been tampered with? Furthermore, as far as I know, there is no public release history before v2.0.10.2, which was already the second new repo after the one following v2.0.7.0, if I recall correctly. Again, not intending to accuse anyone, but shady things have been known to be introduced in various ways in OSS projects, and I could see this being one of such ways. For that matter, do we have a truly reliable source for an apk of a last known good version?
To be fair, there are any number of reasons why someone might want to go completely awol, including but not limited to, being tired of a specific online identity and the responsibilities and burdens that come with it, or, for a more serious matter, witness protection programs and the likes. But literally everything is a speculation at this point. To me personally also researchxxl’s communication style seems… peculiar, but I understand that it’s not something that one should be judged by. Just trying to see things from different angles.
Not my circus nor my monkeys, but my understanding is that the F-droid builds are entirely from source and reproducible, so they should be good?
The theory is that this researchxxl person is the upstream of the f-droid package now, and making strange commits.
I looked at some commits and they seem like a long needed overhaul.
But for sure such a shift is a bit scary.
What makes absolutely no sense is randomly disabling updates. ResearchXXL just bumped the syncthing version which is good.
My 2c.
IMHO, there is zero chance of getting any clarification on the situation. Therefore, due to security concerns syncthing-android-fork should be treated as abandoned software at version 2.0.11.2 as posted on F-Droid.
Last release will probably continue to work for a couple Android releases but we should concentrate on alternative solutions:
- syncthing-tray port by Martchus
- Simplifying/Documenting how to run syncthing natively (eg Termux)
The last version on F-Droid that was built before the repository transfer is “2.0.11.2 (2001102)”. At the moment it’s still available to download at https://f-droid.org/packages/com.github.catfriend1.syncthingfork. F-Droid builds from source, so you can be sure that the APK file itself hasn’t been tampered with.
To be honest, I don’t agree with this. If I were using the app, I’d definitely disable updates, at least for now. Please keep in mind that the average user isn’t capable of examining code or analysing commits to see if there is nothing malicious going on in there.
To be fair, researchxxl themselves has said on the GitHub issue: “I was asked to create a new account after I got keys and creds to their original account.” Can anyone be quite sure of how long they’ve had access to catfriend1’s account? Could they have had something to do with the earlier repo resets? Is it possible that there’s something malicious obfuscated in the code from the earlier repos? When, and what, is the last statement from catfriend1, verified or not?
With all due respect, I don’t mean to bash on anyone. I might just be fearmongering at this point, again, I apologize if my tone comes off as condescending, that’s not intended in the slightest. Speaking from my limited experience and general lack of knowledge regarding FOSS, trying to learn along the way.
This too, it doesn’t take a lot of effort to say hello and introduce yourself to the community here, it would go a long way.
