@tartley @andreiu I've definitely stopped installing #SyncthingFork updates from #Fdroid for now, and tbh @fdroidorg should probably have eyes on this
@surfhosting @tartley @andreiu #FLOSS app with public code, verified reproducible builds signed with the same key as before. What's the fear?
@fdroidorg @surfhosting @andreiu The scenario I have in mind is that the original developer has been bribed or blackmailed into handing over the keys to a bad actor, who could now add code to exfiltrate, modify or destroy all our most critical files. I suppose you are saying that a competent bad actor could have achieved the same result without all the visible clues we've seen of the transaction. Does that mean we should just not worry about that scenario? I don't get it. Any insight appreciated
@fdroidorg @surfhosting @andreiu At the very least, previously I had to trust one person, who had demonstrated some good intention by creating the app, and who I chose to adopt. Now I have to trust a second person, who was not chosen by me, but by some process I have no insight into.
@fdroidorg @tartley @andreiu I suppose the main issue is that the key was transferred from someone with a long track record to someone with no known track record, no one knows who they are, and they have the ability to push updates to a lot of devices because of this
As to whether that's much different than the scenario that's been in existence, I don't know, but people are a bit leery I think in part because Syncthing often tends to be thought of as critical plumbing type infrastructure after you use it a while
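The "signed with the same key as before" check that @fdroidorg points to is a signer-certificate pin: the SHA-256 digest of the DER certificate inside the APK's signature block must match the digest recorded for earlier releases. The block below is an added example, not code from the thread, from F-Droid or from Syncthing-Fork. It walks the PKCS#7 structure in a v1 (JAR) signature entry, hashes each signer certificate, and accepts the update only if every signer is on the pinned list. The APK and both certificates are constructed stand-ins (a real certificate is X.509 DER; only the bytes matter for the hash), and the names `update_allowed`, `PINNED` and `build_fake_apk` are this example's own.

```python
"""Added example: pin an APK's v1 signer certificate by SHA-256 fingerprint.
All inputs are constructed; nothing here is taken from a real APK."""
import hashlib
import io
import zipfile

# ---- minimal DER encode/decode helpers ---------------------------------
def der_len(n):
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one TLV (used only to build the constructed sample)."""
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV header at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, content_start, content_end, whole_tlv) for each child."""
    pos = start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        yield tag, cs, ce, buf[pos:ce]
        pos = ce

# ---- PKCS#7 signedData -> signer certificates --------------------------
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def pkcs7_certificates(blob):
    """Return the DER bytes of every certificate carried in a signedData blob.
    ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, contentInfo,
                               certificates [0] IMPLICIT SET OF Certificate, ... }"""
    tag, cs, ce = der_read(blob)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    kids = list(der_children(blob, cs, ce))
    oid_tag, oc, oe, _ = kids[0]
    if oid_tag != 0x06 or blob[oc:oe] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData block")
    ctx_tag, xs, _, _ = kids[1]
    if ctx_tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, ss, se = der_read(blob, xs)  # the SignedData SEQUENCE
    certs = []
    for tag, inner_s, inner_e, _ in der_children(blob, ss, se):
        if tag == 0xA0:  # certificates [0] IMPLICIT
            for ctag, _, _, cert in der_children(blob, inner_s, inner_e):
                if ctag == 0x30:  # Certificate ::= SEQUENCE
                    certs.append(cert)
    return certs

def apk_signer_fingerprints(apk_bytes):
    """SHA-256 over each signer certificate found in META-INF/*.RSA|DSA|EC."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.append(hashlib.sha256(cert).hexdigest())
    return fps

def update_allowed(apk_bytes, pinned_fingerprints):
    """Accept only if there is at least one signer and every signer is pinned."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and set(fps) <= set(pinned_fingerprints)

# ---- constructed sample data -------------------------------------------
def build_fake_apk(cert_der):
    """Synthetic APK: a zip with a minimal signedData block as META-INF/CERT.RSA."""
    signed_data = der(0x30, der(0x02, b"\x01")                 # version
                      + der(0x31, b"")                          # digestAlgorithms (empty)
                      + der(0x30, der(0x06, OID_DATA))          # contentInfo
                      + der(0xA0, cert_der)                     # certificates [0]
                      + der(0x31, b""))                         # signerInfos (empty)
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"constructed placeholder\n")
    return buf.getvalue()

ORIGINAL_CERT = der(0x30, der(0x13, b"CN=original developer"))  # constructed
NEW_CERT = der(0x30, der(0x13, b"CN=unknown party"))            # constructed
PINNED = {hashlib.sha256(ORIGINAL_CERT).hexdigest()}

if __name__ == "__main__":
    print("same key   ->", update_allowed(build_fake_apk(ORIGINAL_CERT), PINNED))
    print("new signer ->", update_allowed(build_fake_apk(NEW_CERT), PINNED))
```

The digest computed here is the same SHA-256-over-DER-certificate value that `apksigner verify --print-certs` reports and that F-Droid's `AllowedAPKSigningKeys` metadata pins. Two caveats follow directly from the thread: real APKs also carry v2/v3 signing blocks outside the zip entries, which this parser does not read, and a pin on the certificate cannot tell a handover of the private key apart from continued use by the original holder, which is precisely the scenario @tartley describes. Key continuity proves only that whoever holds the key signed the build; the reproducible-build comparison against public source is what bounds what that key can ship.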