Does anyone know why syncthing-fork is no longer available on Github?

Good point SmashTheState

Before current saga started, I wasn’t aware of previous resets and failed to take those into account. You are probably right and we should be at least more careful even when using older versions and should accelerate adoption of alternative solutions.

2 Likes

Yes, even considering that nel0x invited them on several occasions, but not only that. They seem to argue in favour of their changes more than having an intention of collaborating. 4 days ago they went silent after adding their latest comment on the “status” issue saying that they’re fixing battery drain reported on multiple social media boards. I tried to search, and the latest posts I found regarding Syncthing battery drain were 4-5 years ago. Also, shouldn’t something like that normally be handled by opening a separate GitHub issue? Then 2 days later they post a new release bumping some version numbers. Another day later they commit changes that remove root access and wakelock. I get wanting to remove root access for security reasons (and even then, many people might be using it to sync app data or OS settings), but why would you want wakelock removed for a sync app? No comments or anything anywhere, too. Very little information all around, especially coming from someone who supposedly has all the keys and creds. Very, very, very strange imho.

Same here tbh. I remember seeing a new Syncthing app popping up on F-Droid earlier this year. The app said to remove the old version and install this one, carrying over the settings with a backup. Already, the first thing that came to my mind was: “this is strange…” I checked out the developer and source, and everything seemed legit as far as I knew back then. Now with the development of the situation over the past weeks, I’m starting to have doubts about everything.

4 Likes

The battery drain comment is likely about https://forum.syncthing.net/t/syncthing-fork-v2-uses-far-too-much-battery-over-v1/25384. I doubt removing the wake lock will help though, because that was a separate setting in the app (which would make it use a wake lock, keeping the device awake all the time). However, that particular setting was turned off by default.

When it comes to removing and reinstalling the app, that was probably done to prevent automatic upgrades to Syncthing v2.

5 Likes

With the uncertainty surrounding the android-fork, I’ve removed it and installed Syncthing (v2.0.11) through termux. I only have a couple of folders synced to my RPi4, so I was up and running in about 5 minutes.

3 Likes

GitHub redirects the old URL to the new one, confirming an official repo move. Catfriend1 or the hacker who gained access initiated a transfer within the repo to move it to the researchxxl account.

Or it could still be the same person.

Anyway, I’ll keep the last version (pre-move) installed without updates until it stops working, then try the Syncthing Tray version.

1 Like

To sum it up: because a lot of things align. Many details would have played out differently if Catfriend1 hadn’t cooperated.

In a coercion scenario, we wouldn’t have noticed a thing; the new owner would have silently assumed Catfriend1’s identity. There would be no need to delete the account and create a new one.

In the case of hacking or credential leakage, we would have seen Catfriend1 reach out on the forum.

As for other possibilities, researchxxl wouldn’t have possession of everything—the repository, the keys, etc.

1 Like

Those scenarios are certainly possible. But considering Catfriend1 went dark without any warning or comments and the new “operator” refuses to explain, we should assume the worst: “hostile takeover” or “irresponsible sellout”. Considering what we saw in recent years with XZ and browser extensions, we should not be surprised. It was only a matter of time before “dark forces” would try to attack niche but sensitive projects.

6 Likes

I can only report from my exchanges with @Catfriend1 around the time of the last repository reset. There were good reasons for him wanting to take action, although the measures taken were too drastic, disruptive and pointless in the end. I didn’t learn more details about what really happened, only some bits. It must have been an emotionally challenging situation caused by other people’s hostile behavior. Trying to hide something contained in the repository history led to a complete rewrite of commit history. I advised against it, as it would actually cause more attention instead of silently discarding sensitive information, because Git is just designed to provide the opposite: maximum transparency and exact accountability of history. That led to his decision to instead dump the history (and complete repository) and restart with a clean slate, including only a few recent releases. Nothing fishy going on at that time, just a bit of a bumpy way of handling the measures he deemed necessary to protect himself from harm.

I just hope that @Catfriend1 is alright and the disappearance / absence of his digital identity does protect him from whatever or whoever was pressuring him enough to take these drastic actions. We really need to be thankful for all the work poured into the app and even the revival of the Syncthing-Lite app effort.

As for the current situation, we can only assume that whatever was pressuring him finally got too much. Whether it is a legitimate handover, a digital identity restart or some form of forced takeover, we should ask ourselves whether the motivation for this decision could have been caused by some malicious actor posing an actual threat to @Catfriend1. If that were the case, the same force could be behind the researchxxl identity, trying to gain control over the Syncthing-Fork app in order to attack some individuals’ data. The latter would be rather hard to pull off, as there is no hiding of features in open source apps. But as only a few people really do follow changes to the source code and many rely on automatic updates, there is a good chance of success in delivering backdoors to less careful users.

Considering the possibility of a malicious force behind the takeover, for sure they would be doing a terrible job at it. Communicating and trying to gain people’s trust would be the most important step for protecting that investment. In that sense, the lack of communication is actually a good sign right now, because it indicates clumsiness or disinterest in building trust, instead of an intricate strategy to undermine the app’s integrity.

This is the point where a clean restart of the distribution channels seems appropriate. Nobody should get an automatic update of the app, which is clearly not a continuation of @Catfriend1’s effort, but must be considered an independent contribution by someone else, where each user needs to evaluate from scratch how much that contribution can be trusted.

16 Likes

Slightly off topic again (sorry), but just in case anyone else is ever in this situation:

While GitHub normally retains history even after a force push rewriting commit history, you can talk to their support to have sensitive information removed from a repo when you published it accidentally. Wiping the entire repo is a bad way to solve such problems. Their support will not do this for simple things such as leaked secrets where you can just rotate the secret and forget about it, but they will try to help you in cases where that’s not an option.

5 Likes

I can’t verify any part of the story, but it sounds eerily similar to what happened to Lasse Collin in the XZ Utils incident.

2 Likes

Yeah, this. Whatever kind of handover this was, doing it in the maximally disruptive manner with zero communication and absolutely no effort to build trust is hardly the work of a smooth operator. I’d just consider it another fork and let it prove itself (or not) on its own merits over time. If anyone else (or a group of anyones) wants to maintain the app in a different manner, this might be an opportunity to step up and do so.

9 Likes

The October one, after which an issue called “This is my desktop - please do NOT put things on it” was created?

1 Like

@calmh and @acolomb

While you might be right, there are other possibilities:

  1. The attacker/attackers might be of a different culture or social sphere. Imagine a group of North Korean hackers living under informational blackout and having trouble understanding what is normal/expected for people living in the regular world.

  2. The attacker might be just young or socially inexperienced/awkward.

  3. The attacker might have issues with the lingo or language in general. Considering that more than half of Gen-Z/A can’t properly read/write, it is not that far-fetched.

  4. The attacker might be under bureaucratic pressure from an employer who is not familiar with modern sensitivities, especially in open source.

P.S. No offense to anyone belonging to the above listed groups.

1 Like

If there were an attacker, @Catfriend1 could just say so.

2 Likes

Sorry, I don’t know about that incident. What I was talking about happened in July of this year. I unsubscribed from most repo notifications after the PR conversations with a coding chatbot got overly verbose.

1 Like

Hey. Sorry to be antagonistic, but this is missing some important possibilities. Catfriend could be being bribed or blackmailed to hand over the keys, or else did it willingly but without having ever known what the new owner’s actual intentions are, and now is AWOL due to being burned out. Innumerable scenarios like these are perfectly possible, have actually happened to other projects, and would explain the bizarre lack of communication through this episode better than anything else I’ve heard.

8 Likes

Would it by any chance be possible to get an official Syncthing dev recommendation on which version number, from where (F-Droid?) and how (turn off auto updates?) average non-code-reading users can safely and without concern install Syncthing-Fork on Android?

This would be greatly appreciated. This thread is a tad overwhelming.

Thank you, best wishes

1 Like

The app versions published by @Catfriend1 (and @nel0x on the Play Store) are what we used to officially recommend here.

3 Likes

Until the fog clears up a little, I think you can safely install Syncthing-Fork 2.0.11.2.

To install and turn off auto updates, just go into the F-Droid app, search for Syncthing-Fork, open it, go down to versions, install the aforementioned one and then check “ignore updates” inside the three-dot menu in the upper right corner.

Hope that helps.

8 Likes

Just FYI: you can set apps to “track only” in Obtainium. Alternatively, you can delete the app entry, and Obtainium will ask you whether you want to remove the entire app from the system or just from Obtainium.

1 Like