The repository of the popular Syncthing fork for Android disappeared from GitHub and reappeared under dubious circumstances – is this an open-source hack?
Yes. It’s very very hard to read the source and know there’s no security bug in it. That’s 10x truer when the security bugs are potentially on purpose, and carefully hidden.
I really don’t see why there are so many people around saying “it’s probably fine”
Because there is currently no direct evidence of anything amiss. From the linked article:
Technically, the changes made so far have been reviewed by some people and no obvious malicious modifications have been found; F-Droid also builds the app reproducibly and verifies whether the published code matches the binaries
Granted, someone could be playing a long game here. Get control, wait for the controversy to die down while playing nice, then do then rug pull when no one is watching anymore. That’s possible. It’s also quite possible that the previous maintainer got tired of doing a hard and thankless job for no pay and wanted to shed the whole thing. They found someone to hand it off to, and the new maintainer is just shit at open communications. That happens and is also possible. Whether or not it makes you change your usage of the package is down to your risk appetite. But, jumping at every shadow gets old quick and at some point you have to accept some risk. So, unless and until there is more evidence to backup the claim of foul play; or, if you have a really low risk appetite, this is one of those things which falls under “keep an ear open, but it’s probably fine”.
Because there is currently no direct evidence of anything amiss.
You don’t need direct evidence of a problem. It’s the other way around — In order for the software to be trustable with private data you need steady, ongoing evidence that the authors are trustworthy.
National spy agencies are out there, right now, and recently in the news, trying to suborn open source project maintainers. This is a known risk.
I really don’t see why there are so many people around saying “it’s probably fine”
In my personal opinion shit like this is probably not fine at all.
For me that’s an uninstall unfortunately and looking for another solution at the moment.
is it because it’s onerous to read the source?
Yes. It’s very very hard to read the source and know there’s no security bug in it. That’s 10x truer when the security bugs are potentially on purpose, and carefully hidden.
i would run a diff on the previous version compared to the current one.
Because there is currently no direct evidence of anything amiss. From the linked article:
Granted, someone could be playing a long game here. Get control, wait for the controversy to die down while playing nice, then do then rug pull when no one is watching anymore. That’s possible. It’s also quite possible that the previous maintainer got tired of doing a hard and thankless job for no pay and wanted to shed the whole thing. They found someone to hand it off to, and the new maintainer is just shit at open communications. That happens and is also possible. Whether or not it makes you change your usage of the package is down to your risk appetite. But, jumping at every shadow gets old quick and at some point you have to accept some risk. So, unless and until there is more evidence to backup the claim of foul play; or, if you have a really low risk appetite, this is one of those things which falls under “keep an ear open, but it’s probably fine”.
You don’t need direct evidence of a problem. It’s the other way around — In order for the software to be trustable with private data you need steady, ongoing evidence that the authors are trustworthy.
National spy agencies are out there, right now, and recently in the news, trying to suborn open source project maintainers. This is a known risk.