Note, this is being addressed and the guidance provided in the link above should be followed.
I will be speaking with Fedora Leadership for guidance going forward next week.
In the meantime, please continue to use Fedora 39 (this is my daily OS) if you are using Fedora 40 and Rawhide (41).
And because folks will ask, this is something that can happen to other distros. So working with a distro that gets ahead of events like this is a mark of transparency and proper process.
“ISO as released had the old version. The bad update was only there for a few days in testing and is pulled. There’s a minor caveat that there’s a chance that some mirrors may have synced the bad updates-testing but not updated to remove it. Unlikely, but possible. I would recommend disabling the updates-testing repo before updating as a precaution.”
Hello Matt!
Fedora now has an official communication on the backdoor. I noticed that comments are disabled on that thread; it may prove helpful to include this communication in the post.