this post was submitted on 17 Nov 2025
422 points (99.5% liked)

Overview here

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/39

The new owner of the repo has a fresh GitHub account and apparently has the signing keys from Catfriend1 too.

Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.

[–] pulsewidth@lemmy.world 10 points 7 months ago* (last edited 7 months ago) (1 children)

Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo if they have the keys - and throw no complaints when updating to an entirely different apk.

With F-Droid they at least have to have the same signing keys, and the code is built by F-Droid from source - meaning the code for the supplied APK always matches the code on the repository for the build. Whereas Obtainium will just offer you any APK the dev releases on their GitHub/GitLab/etc.; this places much higher trust on the dev.

Edit:
my bad, I wrote earlier that all F-Droid builds are reproducible. But that's not accurate: F-Droid does not enforce that all builds must be reproducible. They have been helping devs with the tools and assistance to do so since 2015, and all the apps that I use I'd checked in the past and are all using reproducible builds, so I wrongly presumed it was mandatory now. E.g., Syncthing-Fork from Catfriend has had all builds reproducible since v2: https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/

[–] WhyJiffie@sh.itjust.works 2 points 7 months ago (1 children)

> and the code must be a replicable build by F-Droid's internal apk signature copying process

that's not a requirement. or was it already being built reproducibly?

[–] pulsewidth@lemmy.world 3 points 7 months ago

Every Catfriend build since v2 has been reproducible. Most apps on F-Droid are and they are encouraging it for all devs, to build trust.

https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/