Overview here
The new owner of the repo has a fresh GitHub account and apparently has the signing keys from Catfriend1 too.
Time will tell if they are trustworthy, but for the extra paranoid it might make sense to pause updates for a while.
The new repo has two releases in it now. These releases are not signed with the original key as far as I can tell. Further, GitHub is silently redirecting to the new repo, even in Obtainium, meaning it’s possible that if you had this previously installed via Obtainium and updated now, you may have unsigned APKs installed that may or may not contain the changes in the repo.
This is a mess. I deleted the repo from Obtainium (luckily I don’t auto install updates) and will wait to see what happens over the next few months. Might just save my notes in a network share instead of using Syncthing from my phone. Idk, notes are all that I was using it for.
Maybe it’s actually true that Catfriend1 knows the new owner in real life but… this is not a calculator app, this is something that has complete access to the phone storage… handing the keys without any communication is concerning…
And the issues are locked, so if something nefarious happens, discussion will only occur somewhere else instead of the repo.
People shouldn’t count on that anyways, because the repo owner can delete issues and comments, and also edit them.



