this post was submitted on 07 Dec 2025
177 points (97.8% liked)

Android

32609 readers
82 users here now

DROID DOES

Welcome to the Android community on Lemmy. Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

1. All posts must be relevant to Android devices/operating system.

2. Posts cannot be illegal or NSFW material.

3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.

4. Non-whitelisted bots will be banned.

5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.

6. Memes are not allowed to be posts, but are allowed in the comments.

7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.

8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.

Community Resources:

founded 2 years ago
MODERATORS
Rooki@lemmy.world
L3s@lemmy.world
L4s@lemmy.world
177
The Syncthing Android drama is exploding (mastodon.pirateparty.be)
submitted 3 weeks ago by solrize@lemmy.ml to c/android@lemmy.world
27 comments fedilink hide all child comments
 

@fdroidorg at this point is being used to push out an app with sensitive permissions that's been taken over by an unknown individual who refuses to engage with its large community of users and developers.

I STRONGLY recommend disabling updates from Fdroid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version which has a different maintainer.

this is extremely shady and it's just looking worse as time goes on. I'll link to the Syncthing forum thread from about where I left off last time in a subsequent post.

you are viewing a single comment's thread
view the rest of the comments
[–] midribbon_action@lemmy.blahaj.zone 43 points 3 weeks ago* (last edited 3 weeks ago)

Yes. The relevant points are that Catfriend's repo was fully reset, no git history, multiple times this year, supposedly because of sensitive data that was mistakenly checked in. If that's the case, it might explain why shortly before Catfriend deleted his repo, he created an issue saying something along the lines of 'stop messing with my desktop', which could be read as a plea to hackers. The repo went dark, and someone else published it, with Catfriend's private signing key, which triggered automatic updates for some users, without them knowing the maintainer changed. They also claim to have Catfriend's github credentials. After staying quiet for a month, Catfriend recently posted on the syncthing forum saying that everything is dandy with the new maintainer, without addressing major concerns. Meanwhile, the new maintainer has made large changes to the codebase without public comments. The last two updates from the new maintainer have been reviewed independently, and reproducible builds are enabled to ensure the apk matches the sources. However, that is assuming that Catfriend's repo was safe to begin with. In the case of ongoing blackmail, malicious code could have been added during one of the repository resets, or in a large refactor commit.

The sad part is that Catfriend picked up this repo after Syncthing deprecated it, just for his friends and family. I don't think he is a professional developer, and he very obviously was overwhelmed by the project. Syncthing is a very juicy target for malicious state actors, and trust is crucial. I feel awful to say that I no longer trust Catfriend or his replacement, but the circumstances don't inspire confidence.