Discussion
selfhosting.couchsurfing
@surfhosting@mastodon.pirateparty.be  ·  activity timestamp 4 weeks ago

@nazokiyoubinbou @fdroidorg yes, I was referring to linsui's response on the ticket. I don't know what their position within F-Droid is but they and Licaon_Kter are acting as the de facto face of F-Droid in that GitLab issue. IMO it's worth noting these are the same two who responded flippantly and dismissively in a major controversy about F-Droid marking Bible and Quran apps "NSFW" and hiding them from search a couple months ago, and they are now responding dismissively here. their pattern of behavior does not help build trust in F-Droid.

anyway, my interpretation of what's going on:

1. #Syncthing does not maintain an Android app which most people use, and instead leaves this up to random enthusiasts for better or for worse

2. Catfriend1 was the random enthusiast who maintained the Android app Syncthing-Fork; nel0x is the random enthusiast who maintains the Android app on Google Play

3. A couple weeks ago Catfriend1 seemingly disappeared without a trace and a brand-new entity named researchxxl popped up controlling the Syncthing-Fork GitHub repo and claiming that Catfriend1 had passed the development torch to them, while providing no evidence that this was true beyond their control of the signing key

4. When people started raising concerns given Syncthing-Fork's direct access to user data, researchxxl got defensive, provided a number of non-answers, locked GitHub issues, and did not join the Syncthing forum despite repeated requests

5. When people started raising concerns given Syncthing-Fork's direct access to user data, #FDroid contributors were dismissive and stated that waiting for evidence that malicious code had been shipped was their preferred approach

6. Some users as a result have understandably decided that the Syncthing-Fork app on F-Droid can't be trusted

7. Some users as a result may be questioning the judgement of F-Droid contributors

Nazo
@nazokiyoubinbou@urusai.social replied  ·  activity timestamp 4 weeks ago

@surfhosting @fdroidorg Thanks for the great summary. I think you cleared up the stuff I was most confused about.

This definitely sucks. F-Droid is currently the most trusted distributor for most non-appstore software on Android, so this is bad. (Yes there are a couple of alternatives, but they hardly have anything actually in them. Plus I really liked F-Droid's mechanisms for a few things.)

I really hope they go down a better route because people need them to be trustworthy right now. (And I hope someone also uses this as a cue to make a good alternative...)

selfhosting.couchsurfing
@surfhosting@mastodon.pirateparty.be replied  ·  activity timestamp 4 weeks ago

@nazokiyoubinbou @fdroidorg there's also IzzyOnDroid but my take on that one is that it would be considerably easier to push malicious code out in an app from that source.

absolutely nothing against IzzyOnDroid btw, and I could also be wrong about this - I'm just an enthusiast and haven't looked deeply into it yet - all I'm saying, based on vibes, is that it feels like there's even less vetting with IzzyOnDroid than with F-Droid.

I'd appreciate anybody who has looked closely at how both app stores are run commenting, because I haven't done so.

I think the real issue goes way beyond Syncthing and is the much MUCH bigger problem of "how do we trust the software we put on our devices?" ... and nobody has solved that, not F-Droid, not IzzyOnDroid, not Google Play, and not Debian or Ubuntu or Node or PyPI (see also the xz issue and a ton of Node and Python disasters) 🤷

