so someone uploaded a .apk package to the main #postmarketOS, with instructions to use the "--allow-untrusted" flag to install it. That flag disables package signing in apk, which is a *really* bad idea.
Turns out, this package that was posted seems like it was almost certainly malware.
was it a snek game?
@kop316 heh, I'm not sure. @martijnbraam saw it was statically linked to glibc, which is suuuuuper awkward for Alpine/pmOS 😅
OTOH, are you not happy that their laziness makes it easier to spot them?
@craftyguy @joao @devrtz @martijnbraam
So it turns out the username in GitLab wasn't even registered... so I am squatting on it now
@joao @devrtz @kop316 @martijnbraam well I mostly meant this to be a PSA to folks that disabling package manager signing checks to install binaries from randos on the internet is a bad idea