The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who already use F40 pre-release versions/variants or rawhide shall read this: Article: CVE details: https://access.redhat.com/security/cve/CVE-2024-3094 Be aware that this is CVE criticality 10: this is the highest risk factor. Also be aware that the header of the RH arti...
And the one main issue with FOSS rears its ugly head – freedom of contribution also means freedom of bad contributions.
This happens in closed source software too. You just don’t find out about it until it gets bad enough.