Kevin Fenzi wrote:
Branched enables updates-testing... so if you installed f40 anytime, you will have it enabled and if you then applied updates it would be in them
Yet another thing I always said was a bad idea, and this incident proves it. This would have been filtered before reaching most people if we made people only test what actually ends up in the composed Beta and Final images, i.e., updates that made it out to stable. In addition, having updates-testing enabled makes it unsafe to upgrade a Beta installation to Final because suddenly updates-testing gets disabled, but people still have packages from updates-testing (such as the backdoored xz, but also tons of untested packages or ones that explicitly failed testing) installed.
Kevin Kofler