On Sat, Mar 30, 2024 at 6:32 PM Eddie O'Connor <eoconnor25@gmail.com> wrote:
Yeah...this looks like a "big" issue...wonder what the resolution is?....removal?...or
just hunker down and wait for a patch/update from the devs?...

If you are one of the few who installed the "bad" version, you don't have to wait; updates
that replace the "bad" version have been released.

It could have been a big issue, but a just-in-time "accidental" discovery means few
systems were affected, a detection script is available, and bad packages have been
removed from repositories, and updating will remove installed "bad" packages. A few
people may need to "clean" affected systems and regenerate keys.

This episode does, however, highlight underlying weaknesses of the open source
ecosystem. Many open source projects are widely used but rely on unpaid developers.
Some of the original developers are getting old or have other demands on their time.
It appears to have been easy (perhaps too easy) for a well-funded and resourced
entity to assume the role of an open source developer.

--
George N. White III