@fdroidorg at this point is being used to push out an app with sensitive permissions that’s been taken over by an unknown individual who refuses to engage with its large community of users and developers.
I STRONGLY recommend disabling updates from Fdroid, if not uninstalling and manually installing 2.0.11.2, or installing the Google Play version which has a different maintainer.
this is extremely shady and it’s just looking worse as time goes on. I’ll link to the Syncthing forum thread from about where I left off last time in a subsequent post.
The app being SyncThing, if I correctly understand.
But there is a suspition that the FDroid app is under control by a malicious agent?
It is not Syncthing. It is Synchthing-fork for Android, which was specifcally forked from Syncthing for Android to improve over it.
The real Syncthing team then some time ago decided to discontinue their Syncthing for Android app, not the other versions! Then Syncthing-fork became the only way to connect to Syncthing on Android (aside from running the original Syncthing via something like Termux).
Just want to be clear on this. Syncthing is not compromised in any way. Syncthing-fork for Android might be, might be not.
Yes. The relevant points are that Catfriend’s repo was fully reset, no git history, multiple times this year, supposedly because of sensitive data that was mistakenly checked in. If that’s the case, it might explain why shortly before Catfriend deleted his repo, he created an issue saying something along the lines of ‘stop messing with my desktop’, which could be read as a plea to hackers. The repo went dark, and someone else published it, with Catfriend’s private signing key, which triggered automatic updates for some users, without them knowing the maintainer changed. They also claim to have Catfriend’s github credentials. After staying quiet for a month, Catfriend recently posted on the syncthing forum saying that everything is dandy with the new maintainer, without addressing major concerns. Meanwhile, the new maintainer has made large changes to the codebase without public comments. The last two updates from the new maintainer have been reviewed independently, and reproducible builds are enabled to ensure the apk matches the sources. However, that is assuming that Catfriend’s repo was safe to begin with. In the case of ongoing blackmail, malicious code could have been added during one of the repository resets, or in a large refactor commit.
The sad part is that Catfriend picked up this repo after Syncthing deprecated it, just for his friends and family. I don’t think he is a professional developer, and he very obviously was overwhelmed by the project. Syncthing is a very juicy target for malicious state actors, and trust is crucial. I feel awful to say that I no longer trust Catfriend or his replacement, but the circumstances don’t inspire confidence.
No, it’s not Syncthing itself. That’s owned and maintained by a completely different team. This is regarding Syncthing-Fork, which packages Syncthing into a neat Android app.
From my understanding the project Syncthing-fork changed owners. The original owners GitHub repo went down, and no announcement that it was changing hands. So it comes off as shady. Bit I may be missing some things here.
Okay, that plays as odd but how does it connect to the entire FDroid being under suspition?
Not the entirety of F-Droid being suspect, but the package available in the default repo on F-Droid is being updated by this dodgy person while the other versions are not. If they are uploading malware or making dodgy changes anyone who previously installed Syncthing-Fork could get this new version from the dodgy dev without notification.
If you open the versions drop down in F-Droid it has a ‘suggested’ tag next to the 2.0.12.1 version, so they’re aware of the issue, I’m not sure if that means if you just click install that’s what you get as I pinned it there when this all started and don’t want to uninstall reinstall just for this post, but I’m guessing it’ll just install the non suss version.