so someone uploaded a .apk package to the main #postmarketOS, with instructions to use the "--allow-untrusted" flag to install it. That flag disables package signing in apk, which is a *really* bad idea.
Turns out, this package that was posted seems like it was almost certainly malware.
was it a snek game?
@kop316 heh, I'm not sure. @martijnbraam saw it was statically linked to glibc, which is suuuuuper awkward for Alpine/pmOS 😅
N00b question derived from my lack of experience with APK, that command is the equivalent of installing a package locally, from outside the repos? Or was this package uploaded to the repos?
@martijnbraam @joao @kop316 yeah basically someone posted the equivalent of "hey folks, run this: curl <foo> |sudo sh"
@joao @craftyguy @kop316 it's installing a random .apk from the internet, not from the repository.
this is equivalent to sudo dpkg -i virus.deb