potential security breach in syncthing-fork
Hello, a few weeks ago the original maintainer of the syncthing-fork app, 'catfriend1', suddenly disappeared. Their account on GitHub was deleted, and no one has had contact with them since.
Shortly after, the repo was moved to a brand-new account, 'researchxxl', who was not able to properly explain how or why the repo was handed over to them, why the original maintainer handed over the release key to them, or why the original maintainer did not bother communicating this to the community in advance.
The worst case scenario is that the original maintainer was hacked and the repo taken over. The new maintainer already pushed new software versions to f-droid. The app is used to synchronize data across devices and thus has full filesystem access. A breach would be very dangerous for its users. The release key should be invalidated to avoid releasing potentially malicious code in the future.
The current release v2.0.12.1 seems to be free of malicious code. The latest "trusted" release by the original maintainer is v2.0.11.2 from mid-November.
Community member nel0x offered to take over maintenance of the package since he also maintains the Google Play Store package. This is not yet agreed upon by the community but he is a likely successor. For now, the package should be reverted to the latest trusted release and frozen/keys invalidated to avoid misuse.
Thank you!
Resources:
* F-droid app: https://f-droid.org/packages/com.github.catfriend1.syncthingfork
* syncthing forum discussion: https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/144
* new (untrusted) repo: https://github.com/researchxxl/syncthing-android/issues/16#issuecomment-3618898346