status #16

@researchxxl (Owner)

Description of the issue

status

Steps to reproduce

- invite nel0x here and get help to carry on
- setup build and release: use old maintainers signing allowed? can we play sign?
- reinstate gh action workflows
- contact fdroid for release continuation
- general: is the name syncthing fork ok or should be changed?

App version

123

App install source - see wiki for details on release channels

GitHub or F-Droid release build

Android version

123

ROM vendor

123

Device manufacturer

No response

Device model

No response

Device platform info (optional)

Android log (logcat)

Activity

researchxxl (Owner, Author) commented on Nov 17, 2025

@nel0x ping

nel0x commented on Nov 17, 2025

Hi @researchxxl,
I initially thought this might be Catfriend1’s new account, but apparently that’s not the case.

Yesterday I also set up a syncthing-android repo for continuing development.
Do you by any chance have an account on the Syncthing Forum for a direct chat? My user there is 'nel0x' too.

EDIT:

> setup build and release: use old maintainers signing allowed? can we play sign?

That's one of the biggest challenges I think for getting started. It's not about if we are allowed to, but if you don't already have Catfriend1's key, we probably won't have any way of obtaining it :/

researchxxl (Owner, Author) commented on Nov 17, 2025

@nel0x if you'd like to continue development I would welcome this as I feared the app would go away else for my infra. just thought the same 🙂.

i got the key when the repo was transferred to me.

we could do it in one place if you like to that's why I added you as a collaborator here.

I suggest we make plans on the issue as people are redirected here by catfriend and might want transparency who takes on what.

wouldn't it be possible to reattach fdroid here and build play as well?

myself came for maintenance so if you'd like to do official development feel free to take on here. afaik you were a trusted contributor and in touch with Catfriend for a long time before he was gone?

I've not joined the forum yet but yes if we find a way to work the thing out.

nel0x commented on Nov 17, 2025

> if you'd like to continue development I would welcome this as I feared the app would go away else for my infra. just thought the same

This was my same motivation when I started the GPlay flavor which was at risk of being deprecated.
I would totally be down to expand my GPlay repository for generating and publishing for the other release channels too.

> myself came for maintenance so if you'd like to do official development feel free to take on here.

But that's something I'm currently quite unsure about. I'm interested to continue maintenance & releases but (at least currently) I couldn't guarantee to do active (feature) development on the project myself.
Maybe other external contributors and PRs can be a (temporary) solution for that? Depends on how many are interested.
On the other hand currently the app is working fine, without any major issues. But a lot can break with any new major Android version ...

> I suggest we make plans on the issue

Yes, totally. Any public information and public "announcements" I would definitely post here, too.
But honestly I'd be quite interested to have a short chat with you about how the transition took place and/or any background details you may have; maybe we can complement each other (if not too invasive :).

> I've not joined the forum yet but yes if we find a way to work the thing out.

If it's a fresh account I'm not sure you will be able to send direct-messages immediately, but if your username there is researchxxl too, I could initiate a conversation.

researchxxl (Owner, Author) commented on Nov 17, 2025

@nel0x I'd get back to you shortly because I'd like to check if environments would be a solution to do everything in one place and then decide where/what to continue. there wasn't anything exotic. Catfriend was on the lookout for a successor and I already knew him from another OSS project they did a while ago. we agreed and I was asked to create a new account after I got keys and creds to their original account. it turned out to be a bad idea to reuse their name so I created a new one.

Do you have knowledge about key management on gh actions? In a perfect world imo you should not access their key directly but be able to do official releases here or load your own key into a safe place to trigger your workflows.

researchxxl (Owner, Author) commented on Nov 18, 2025

@nel0x the environments dev and prod are now working fine. they allow us to sign a debug and release build properly using the keys. builds triggered by push are currently not running without review - still need to figure out how to do this reusing the existing workflow or if we need a separate workflow using the public debug key for this which may run without approval.

if you'd like you're welcome to pull request your preferred workflow for the play release with a non production test key which can be disposed later. or we start with an unsigned bundle release so you can sign the output artifact yourself for publishing?

nel0x commented on Nov 18, 2025

Hi! Sorry for taking it in a slightly different direction and not responding to your last message directly:

Is it possible to open this issue for external contributors or at least add @imsodin to the chat?
(If needed, we can moderate unconstructive messages.)

Alternatively, if you have an account on the Syncthing forum, that might be an even better place to coordinate. The repo is developing very quickly, and we need a space where we can openly communicate with the community.
In the Forum it's also possible to make a non-public topic, with "only" the Syncthing contributors.

nel0x commented on Nov 18, 2025

@researchxxl Have a look at:
https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/56

We should (at least for the time being) take down the releases here asap, as they lead to unintentional auto-upgrades for Obtainium users.

EDIT: I just found a non-invasive temporary workaround to prevent Obtainium from auto-updating without deleting your current releases. I marked them as pre-releases - hope that’s okay for you researchxxl.

researchxxl (Owner, Author) commented on Nov 18, 2025

@nel0x I don't see why here is anything malicious. sure it's a rough start to fill the gap but a release takedown? Honestly I don't agree with that but let you proceed as a collaborator. gpg signing was removed because we have immutable GitHub releases now with an attestation plus I see no point signing with Catfriend's key. Could make up my own if required. Apk unsigned? Then we should go fix the build process, I thought it fits the signing as my phone was able to update. The signature is important to avoid every user setup from scratch again. There were no code changes except those links. From my point of view the discussion is just heated and not about some imminent security risk. We can surely add more collaborators, as long as they don't vote for going back instead of forth. It's like git, there's no way back so blocking to move on doesn't help us all. As I already said: the environments should protect the signing material if we let more people in here to maintain the app when the heat is over. Let's be patient. Btw builds are still reproducible. If someone, not especially you, likes to check the new outputs, please reach out and let fdroid build as well. I kept in mind keeping this for later that they can point here and it should work just like before. Everyone can build and compare, but needs to strip the signature or do an unsigned build on both sides solely for this purpose.

researchxxl (Owner, Author) commented on Nov 18, 2025

We can open the discussion for everyone but it's too early right now. People are checking through the changes, so we should slow down and merge new ones with a review. On schedule the next Syncthing release should be our day to make pull requests of what we have and review it together for the next release. The rebuild release is not urgent to roll out. It should just be correct.

researchxxl (Owner, Author) commented on Nov 18, 2025

@nel0x If there's anything you consider we really need to take immediate action or have a user complaint about something critical, feel free to open an issue here so we can fix. Imo first aim is that we can do maintenance on the app and release monthly. If that works fine I'd suggest we care about publishing, translation, gpg, ...

F-Droid is starting the reproducible build and verification, that's good news. https://gitlab.com/fdroid/fdroiddata/-/commit/6e3692e041dd5ca0ee043cd15b2e46b354ac170a

researchxxl (Owner, Author) commented on Nov 18, 2025

@nel0x could you please compare the two release apk v2.0.10.2 and v2.0.11.2 of the weeks ago to their fdroid versions and mark one as the latest release back again if they match?

researchxxl (Owner, Author) commented on Nov 18, 2025

communication is now open to collaborators and contributors.

researchxxl (Owner, Author) commented on Nov 22, 2025

@nel0x according to https://monitor.f-droid.org/builds/log/com.github.catfriend1.syncthingfork/2001103#site-footer the build looks good. could you please review latest code changes and if there is nothing to disagree set the release back to latest then so we can continue with the next steps?

https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/

11 remaining items

researchxxl (Owner, Author) commented on Dec 2, 2025

> > we agreed and I was asked to create a new account after I got keys and creds to their original account. it turned out to be a bad idea to reuse their name so I created a new one.
>
> is there a reason to not set up a gh organisation that would keep the repos? both users could be added there and clearly visible as the members, which might work better than creating a separate github account

well one or two people is not organization do they??

CRISOMBRA commented on Dec 2, 2025

> researchxxl If you want to discuss this in a less noisy environment with people involved in the syncthing project, android and beyond, I'd recommend you follow @nel0x's earlier suggestion to register on the forum. I can create a topic with limited visibility or we can use DMs there. As you got to experience, with the popularity of the app comes a lot of engagement that's great in principle, but not always in practice ;)
>
> The concern that's expressed in the forum thread @nel0x linked isn't about the content of the repo or latest releases nor anything that can be solved by reviewing your changes. The issue is that nobody can verify that Catfriend1 did intentionally hand over maintenance of this app and the release key to you. Again, this is not an accusation towards you of anything malicious. It's the other way around: People need to trust you with the ability to push arbitrary code onto their device with access to all their data - only a lack of malicious actions isn't helping trust a lot. I (and others) were hoping for Catfriend1 to reach out (privately) on existing trusted channels and confirm the handover or otherwise shed light on it - if you can facilitate that, that would help of course. Otherwise engaging not just dismissing the concerns raised by previous contributors or maintainers like @nel0x would be good. Personally I'll likely use whatever he ends up publishing or contributing to, as I already have some level of trust based on his track record of google play releases and open communications so far..

Any ideas why the comment and suggestions posted by imsodin, are being completely ignored by researchxxl?

researchxxl (Owner, Author) commented on Dec 2, 2025

I totally understand people out there like to get something more which I do not provide because I do not have anything more atm for you :/

mcrosson commented on Dec 2, 2025

> > > we agreed and I was asked to create a new account after I got keys and creds to their original account. it turned out to be a bad idea to reuse their name so I created a new one.
> >
> > is there a reason to not set up a gh organisation that would keep the repos? both users could be added there and clearly visible as the members, which might work better than creating a separate github account
>
> well one or two people is not organization do they??

a github org allows multiple maintainers to be part of a single 'group' with repos associated with the org. this allows folk to come and go as contributors while retaining any trust the project has built. it also allows a single place for folk to go for announcements about the state of the project and similar.

for example: if catfriend1 had created a github org, added you to it then removed themselves there would be visible hand off as well as provide a place for any announcements about the hand off via a github issue or similar.

it's about trust and continuity, not 'number of folk who comprise an org'.

researchxxl (Owner, Author) commented on Dec 2, 2025

@mcrosson thanks for your heads up explaining the gh org. i'll consider it at the time we got more collaborators

mcrosson commented on Dec 2, 2025

> @mcrosson thanks for your heads up explaining the gh org. i'll consider it at the time we got more collaborators

it may be best to set it up 'from now'. that'll prevent a sudden repo shift in the future, prevent a similar situation happening (lack of trust) in the future and it will show some folk that you're committed to the project for the longer term.

it also opens up @nel0x to become a more visible contributor (if they desire) as well as facilitating faster and simpler onboarding of contributors in the future.

having a github org will have a lot more pros than cons and, as much as us devs don't like admin work, now is a very good time to focus on things like a github org, release processes, etc.

Proxido commented on Dec 3, 2025

> I totally understand people out there like to get something more which I do not provide because I do not have anything more atm for you :/

@researchxxl
The community wants to know how and why the repository was transferred to you, especially since the previous maintainer left mysteriously without explanation and you have no prior history with the project(s). The Syncthing fork is widely used, so people are understandably curious. Open communication and addressing community questions will help build trust.

wargio commented on Dec 3, 2025

i'm nobody in this project, but I am a user. While i fully agree on the transparency, for me, the best way to find out if somebody is trustworthy is by diffing the changes.

This can be done easily via the github web ui: v2.0.10.2...researchxxl:v2.0.12.1

I have spent 20 mins looking to the last changes between what was the last commit of catfriend1 and researchxxl, and besides a good cleanup (like the removal of the support of root) i don't see YET any malicious commit.

This tho, does NOT validate the released files as i only have checked the sources.

I want to mention, that this is not a message to vouch the new developer (researchxxl), but to just say that there are people looking at the changes at each release (or at least one person, i.e. me)

licaon-kter commented on Dec 3, 2025

> This tho, does NOT validate the released files as i only have checked the sources.

to quote from the repro docs:

> The point of reproducible builds is that the developer’s signature (from the APK they publish) guarantees that our build is identical to theirs (and thus doesn’t contain anything it shouldn’t) and at the same time our build server verifies that the developer’s build matches the published source code (and thus doesn’t contain anything it shouldn’t either).
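
Added example, not part of the thread and not F-Droid's or the project's own tooling: the "strip the signature and compare" check discussed above, comparing a published APK with an independent rebuild entry by entry while ignoring v1 signature files. The sample archives and entry names are constructed stand-ins for real APKs.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files. v2/v3 signatures sit in the APK Signing Block,
# outside the ZIP entries, so an entry-level comparison never sees them.
V1_SIGNATURE = re.compile(
    r"^META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def entry_digests(apk):
    """Return {entry name: SHA-256 of uncompressed bytes}, minus v1 signature files."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or V1_SIGNATURE.match(name):
                continue
            if name in digests:
                # Duplicate names make "which copy is used" ambiguous: fail loudly.
                raise ValueError(f"duplicate entry: {name}")
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(published, rebuilt):
    """Diff two APKs by entry content, regardless of who signed them."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def make_sample_apk(entries):
    """Build a tiny in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf


# Constructed sample data: one payload, a signed copy of it, and a modified copy.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1",
           "lib/arm64-v8a/libexample.so": b"native-v1"}
SIGNED = dict(PAYLOAD, **{"META-INF/MANIFEST.MF": b"mf",
                          "META-INF/CERT.SF": b"sf",
                          "META-INF/CERT.RSA": b"sig"})
TAMPERED = dict(PAYLOAD, **{"classes.dex": b"dex-v1-modified",
                            "assets/extra.bin": b"x"})

if __name__ == "__main__":
    published = make_sample_apk(SIGNED)
    print(compare_apks(published, make_sample_apk(PAYLOAD)))   # all lists empty
    print(compare_apks(published, make_sample_apk(TAMPERED)))  # dex changed, extra file
```

A match here covers entry contents only; ZIP metadata, entry order and alignment are not compared, and reviewing the source diff remains a separate step.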

nel0x commented on Dec 6, 2025

Sorry for the delay in getting back to you @researchxxl. I took some time to really think this through because I initially wanted to give this collaboration a genuine try.

However, the communication (or lack thereof) over the last few weeks has convinced me otherwise.
To be clear: disregarding the understandable community concerns by simply stating "there wasn't anything exotic." is just plain wrong and a massive understatement.

Without wanting to imply anything nefarious, this transition couldn't have been handled in a more unprofessional and sketchy way.
In a critical project like this, a transition of ownership would have required complete upfront transparency.

Appearing with a new account and no prior track record, backed only by vague connections to Catfriend1 is a major red flag.
Instead of pausing to shortly introduce yourself, addressing fundamental concerns on the Forum, or build necessary trust, you chose to rush out releases. If this is how the collaboration starts, I am not interested.

I do appreciate the invite, but I want to focus my passion on this great project itself, rather than spending any more time worrying about the legitimacy of the project or dealing with this friction.

Therefore I am extending my repository to build general Syncthing for Android releases - going beyond just GPlay - and continuing my work there.

Which project users decide to use is ultimately up to them.
On my end, community contributions are always very welcome (especially from Catfriend1 of course, should they ever decide to make their comeback)

jan-kaufmann commented on Dec 6, 2025

@nel0x well said.

I would like to add that just because the code that came from this new account so far was not malicious is neither a proof of trustworthiness nor a guarantee that nothing fishy will come from it in the years to come. And people will stop paying close attention to code changes at some point. I would give it no privileges over the code base whatsoever.

Thank you for stepping in.

SmollClover commented on Dec 6, 2025

I agree with @nel0x on this. Everything from the repository simply vanishing for a few days before suddenly coming back owned by someone no one knows is just incredibly sketchy. Many people have already voiced their opinions on the forum about security concerns, especially since some users use the app to transfer sensitive data between their devices. A break in the chain of trust like this makes it hard to continue believing that this repository can be fully trusted. I am not insinuating that the new owner, @researchxxl is an untrustworthy person, but I am saying that they are not a trustworthy one. A proper transparent repository handoff would have prevented many of the concerns that have been created through how everything was handled. The main kicker in my opinion is that even now the communication is incredibly poor. Many important questions have been asked and yet barely any have been answered, with most of the answers also being a nothingburger.

All in all, I am happy to hear that @nel0x has decided to extend their repo. From everything I have read on the forum, and from in general seeing how they have maintained the gplay fork, they seem like a much more trustworthy person with good communication towards the community and the syncthing team. Personally I am hoping that the F-Droid release will be switched to nel0x's repository, once the migration and setup of it has been finished of course. I also hope that the issue tracker there will be enabled so that all the issues that have been lost from the original repository could be at least recreated by the users so that people with experience in the codebase, or the languages of the app, are able to propose pull requests to resolve them.

researchxxl (Owner, Author) commented on Dec 6, 2025

@nel0x i hope we can at least share our knowledge and improvements as time passes and code diverges.. have not seen a java code commit from your side yet so i appreciate your courage to tackle this as a new app. looking through your repo history shows you regularly pulled the code from the fork's upstream repo which now landed here.

lets now focus on real work for the app

Repository owner locked as too heated and limited conversation to collaborators on Dec 6, 2025