cross-posted from: https://lemmy.world/post/38929150
Overview here
The new owner of the repo has a fresh github account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
The new repo has two releases in it now. GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have apks installed that may or may not contain the changes in the repo.
This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using syncthing from my phone. Idk, notes are all that I was using it for.
You must log in or register to comment.
Based on that thread, I might just use syncthing from termux from now on. The handling of this situation really does not inspire confidence…
Doesn’t Android prevent updates with a different key than is already installed?
It does, I think I’m a bit confused here. I think the apks may be signed with the original key from the previous repo, but that key doesn’t necessarily have to line up with what’s in the GitHub repo since a lot of the repo tasks were removed or changed. I’ll edit my post, but this kind of highlights how messy this handover was, and how confusing it is to users (myself included).
This isn’t something you’d really want to mess with, since typically it has full filesystem access.
