Comment by joshstrange

11 days ago

I use Syncthing and have for many years but I don’t use it on Android so feel free to dismiss my opinion.

I’ve read through a number of the GitHub/GitLab/Forum threads and while I’m not saying anything new:

You couldn’t script a more suspicious transfer [0]. That fact is maybe the most compelling reason to assume it’s actually above board; if there is malicious intent, it’s being poorly disguised. To make matters worse, both Catfriend1 and researchxxl appear to be very bad at communicating (both in language and speed). Yes, Catfriend1 has surfaced and says they did transfer the repo/signing keys. Why that couldn’t have been posted at the start of this is beyond me. Researchxxl seems to not be a native English speaker and I tried to take that into consideration but I’m increasingly finding it difficult to give them the benefit of the doubt. They seem… immature, that’s the best way I can put it. They certainly don’t seem trustworthy nor have they made any attempt to address raised concerns. I wouldn’t touch their releases based on what I’ve seen, way too much access and way too little trust.

[0] Repo redirected to brand new account/repo with no notice/announcement from original owner. Furthermore, evidence that the signing keys were transferred and users might be at risk of malicious updates (see the many examples of Chrome extensions that were quietly sold and turned malicious).