[noirbot]

It's definitely pretty nice, but the ergonomics of it for someone that's not that good with computers can be a little hard. I've gotten synced folders into bad states before that took a long time to fix. It's also kinda awkward having to send over a nominally private and very long ID string to set up the share in the first place.

[Cyphase]

That's not how Syncthing keys/IDs work.

That device ID you have to send to someone is not nominally private; it is in fact explicitly the public key of a key pair. If you use the public discovery servers (which is the default), that key is sent there so people who'd want to connect to you can look up your IP address with it.

https://docs.syncthing.net/users/security.html#global-discov...

https://docs.syncthing.net/users/faq.html#should-i-keep-my-d...

> Should I keep my device IDs secret?

> No. The IDs are not sensitive. Given a device ID it’s possible to find the IP address for that device, if global discovery is enabled on it. Knowing the device ID doesn’t help you actually establish a connection to that device or get a list of files, etc.

> For a connection to be established, both devices need to know about the other’s device ID. It’s not possible (in practice) to forge a device ID. (To forge a device ID you need to create a TLS certificate with that specific SHA-256 hash. If you can do that, you can spoof any TLS certificate. The world is your oyster!)

[noirbot]

Ah, thanks for the clarification. I guess I just saw a key larger than an IPv6 address and assumed it was something I couldn't share openly. It does seem weird that it's that big then. 50+ characters that can be A-Z0-9 feels like an insane amount of entropy for something that's essentially a proxy for a 12 digit number. It's longer than Windows product keys or the SSH public key I use for Github!

Additionally, I don't necessarily want a key sitting out there that will let any random person who finds it a dynamic way to look up my current IP address. It's not the worst thing in the world, but it's definitely not something I'd publish publicly.

[Cyphase]

> 50+ characters that can be A-Z0-9 feels like an insane amount of entropy for something that's essentially a proxy for a 12 digit number.

That's not all it is. It's your cryptographic public key.

> Additionally, I don't necessarily want a key sitting out there that will let any random person who finds it a dynamic way to look up my current IP address.

Sure, that makes sense. How else would you propose that it work?

Just to mention, you can use a private, self-hosted discovery server.

[brnt]

Having the whitelist all peers on all peers is a chore.

I stick with Resilio for this reason. For over a decade now it had been a 100% reliable fire and forget tool.

[Cyphase]

> Having the whitelist all peers on all peers is a chore.

You don't have to do that with Syncthing. See https://docs.syncthing.net/users/introducer.html

> The introducer feature lets a device automatically add new devices. When two devices connect they exchange a list of mutually shared folders and the devices connected to those shares. In the following example:

> Local device L sets remote device R as an introducer. They share the folder “Pictures.” Device R is also sharing the folder with A and B, but L only shares with R.

> Once L and R connect, L will add A and B automatically, as if R “introduced” A and B to L.

> Remote device R also shares “Videos” with device C, but not with our local L. Device C will not be added to L as it is not connected to any folders that L and R share.

[brnt]

Thats not the same. It means to designate one device as 'primus inter pares', and what I like about Resilio and p2p that there isn't a 'server'. I don't have one!

So then I could make all my devices introducers, which is really the same amount of work, plus adviced against because then no device can ever leave your network (remove it from one then all others will re-introduce).

Dealing with devices is really not what I want. I understand that Resilio is a bit too basic on security, because the share key is the deencryption key (in most cases), but Syncthing isnt quite it either. I think it's suited for few devices and a knowledgeable person, but not my use cases.

[noirbot]

This is mostly where I am. Syncthing is a great replacement for something like Dropbox for me to share things between my own computers and not have to care about file size or the like. It's not really a reasonable P2P file sharing option unless the other person already uses Syncthing for their own use case, or you can just get it set up for them and then hope it never breaks. Even then, it's only really reasonable if it's someone you plan to regularly need to send larger files to. For smaller files or one-time sends, there's better options.

[martinbaun]

Resillio is working in the same way? what's the pros/cons?

[brnt]

Resilio was there first actually, created by the Bittorrent company of old. The main con is it is closed source and less secure, depending on your threat model. Pro is it works really well, and is compatible with less skilled users.

[jasperry]

I also came here to put in a word for Resilio. It's the fastest and most hassle-free thing I've found that doesn't require a server. SyncThing was always very slow to reconnect and update for me.

[martinbaun]

hey Noirbot, I haven't used it for long. Can you tell me thei ssues you had a little in depth?

[noirbot]

Let's say I want to share a file with a friend internationally. First off, while there are some reasonable UXes for Syncthing, a lot of them are pretty basic, or rely on running a daemon and then connecting a web browser to Localhost to see what's up. Once they get it set up, then I have to actually set up the share with them. To get them hooked up to my share, I have to send them a 50+ character ID string somehow, which they then have to input into a UI that's far from easy to use. The key is much too long for me to want to read over the phone, and putting it in a chat somewhere means that if that chat ever leaks, my private key for my shared folder is out there. They offer a way to send a QR code, but that has the same leak risk, and scanning a QR code on the computer you're already on is awkward.

In short, it's a great tool, it works well in general, but the initial setup is pretty cumbersome if all I want to do is send a couple files to someone.

Additionally, I've had a couple time where even just syncing between my own devices broke. I think it was something where files were changed on both sides and the reconciliation algorithm got confused, but it was hard enough to debug for me, with direct access to both devices, and decades of experience running and programming computers, that I'd never want to try to debug that over the phone with a friend.

[Cyphase]

On the ID security points, see my other comment: https://news.ycombinator.com/item?id=38986966

tldr: They're not private keys, or sensitive.