Key handover in the dark: Syncthing fork community raises alarm
The repository of the popular Syncthing fork for Android disappeared from GitHub and reappeared under dubious circumstances – is this an open-source hack?
(Image: BeeBright / Shutterstock.com)
Controversy surrounding Syncthing fork: The GitHub repository of the project, a popular Android variant of the Syncthing file synchronization software, was initially unavailable and then reappeared under dubious circumstances. As users in the official Syncthing forum report, the project by developer Catfriend1 suddenly disappeared. The maintainer himself has been unreachable since then and has set his profile to private.
Syncthing enables decentralized synchronization of files between different devices without a cloud provider. Since the application has full access to the file system, the sudden disappearance of the repository is causing considerable uncertainty in the community.
Three repository resets
According to statements in the forum, this is not the first incident of its kind. A user reports that there have already been three repository resets in 2025. Syncthing co-founder Jakob Borg explained in the forum that there was a similar outage in July where the repository history was rewritten to remove inappropriate content. The repository had returned correctly at that time.
Now, however, the situation is different: a new GitHub account named researchxxl has apparently taken over the project. There is no publicly traceable, verifiable handover by Catfriend1 – at least nothing of the sort can be found in the known channels. This matters because the new maintainer could, in theory, now push arbitrary code signed with the previous key to a large number of devices. In the community, the new project lead's communication is perceived as evasive, placating and not very transparent at best. Concrete questions about the handover and requests for more disclosure remain largely unanswered or are played down.
Technically, the changes made so far have been reviewed by several people and no obviously malicious modifications have been found; F-Droid also builds the app reproducibly and checks whether the published code matches the binaries. However, the fact that "nothing malicious has been found so far" is explicitly not a long-term proof of trust: once the controversy subsides, future commits may be scrutinized less closely, and the new key holder retains far-reaching rights permanently.
In a GitHub issue, organizational questions such as setting up build processes, releasing via F-Droid and a possible renaming of the project can be followed publicly. The already known developer and Play Store administrator nel0x has also spoken up there, offering to help with further development – several Syncthing developers and parts of the community say they trust his builds more and hope that, for example, F-Droid will move to them in the future.
Signing keys and security concerns
Particularly problematic from a security perspective: it is unclear whether the new account has access to the signing keys of the original app – this question is being intensely discussed in the community. Even the mere possibility raises questions about the security of the app, since it is unknown how these keys would have come into the hands of the new maintainer. Without an official statement from Catfriend1, it cannot be ruled out that the developer account has been compromised. This evokes bad memories of the xz incident in 2024.
The community is intensely discussing the situation. Some users hope for a return of the original repository as in previous incidents, while others are concerned about the lack of transparency. Added to this is an age-old problem of free software: Borg pointed out in the forum post that maintaining open-source projects is a largely thankless task and someone else might take the opportunity to offer a mirror.
For users of the app, the situation means uncertainty: updates may not be forthcoming, and the trustworthiness of future versions is questionable. Anyone who has Syncthing-Fork installed should closely monitor developments and, if necessary, familiarize themselves with alternatives. Finding them is currently difficult for Android users, as the official Syncthing-Android app was discontinued in December 2024 and its repository archived. As a possible way out, nel0x has announced that he will continue to develop his version – the community hopes that F-Droid will switch to this version in the future.
(fo)