by 8fingerlouie
1970 days ago
I'm not too worried about the client being closed source, especially not when the server is open sourced. For Syncthing there is of course the potential problem of the client leaking the secrets to the author, giving them unauthenticated access to the server. Thanks for the pointer, I'll check it out, though I've had a "lifetime" license for Resilio for years, and it scratches my itch, so there's no pressure to switch. I have used Syncthing in the past for server-to-server synchronization, a task it performs extremely well, but previous attempts at creating a "road warrior" setup from iOS (with f:sync) all ended in clients taking minutes to connect to the backend, where Resilio would do it in seconds. I'll give it another try.
> For Syncthing there is of course the potential problem of the client leaking the secrets to the author, giving them unauthenticated access to the server.
Yes, that is the risk. It is significant because the credentials entered into the closed-source Mobiussync app (that wraps the open-source Syncthing node) would allow the author (if malicious, which I have no reason to believe they are) to access all of your files (even if your other nodes are behind firewalls, by design).
Now, I’d like to believe Mobiussync is doing the right thing. It aligns with their economic interests to not steal credentials, since nothing would kill their app sales faster if found out. I imagine it also would be easy to detect if the app was exfiltrating credentials by monitoring app communications. I’ve also read the announcement post: https://forum.syncthing.net/t/isyncthing-ios-client-for-sync... and appreciated the way the author engaged with the Syncthing community here: https://forum.syncthing.net/t/mobius-sync-ios-client-now-in-... . Based on my assessment of their conduct and the factors above, I feel almost certain Mobiussync does the right thing by its users.
But economic incentives change, authors change, bugs in code happen, and a good feeling is not the same as verifiability. The risk may be small but at stake is all your data.
I’d certainly pay more than the (very reasonable) price the authors ask for, for the additional peace of mind given by open source.