so someone uploaded a .apk package to the main #postmarketOS, with instructions to use the "--allow-untrusted" flag to install it. That flag disables package signing in apk, which is a *really* bad idea.
Turns out, this package that was posted seems like it was almost certainly malware.