Points for Collin for letting his holiday take precedence over this mess.<p>Don’t forget that he made xz for free, as a hobby project, and likely got duped by “Jia Tan” same as everybody else did. He’s not obligated to solve this on any particular timeline.<p>Xz is not a business, so if your business got in trouble because a single solo hobby dev was a bit too trustful, it’s your job, and not his, to mitigate the problem.
Lasse has been active and answering questions on IRC over the last day or so. He says he'll be sharing more information on the XZ site in the days or weeks to come.<p>He's doing fine, by the way, and mentions that the messages of support are appreciated but not necessary.<p>He's more focused now on figuring out what happened, how he missed it, and deciding a plan of action for cleaning things up.<p>(paraphrasing from conversations in the public channels)
Doesn't give much more information except that he wasn't immediately picked up by LEO.<p>Poor guy will go through more stress now, even more than that created and imposed on him over 2 years by the attacker.<p>If anything we should encourage him to look back at his mental health as not being his fault and that we need to protect ourselves.
Signs of life from Lasse and a link to his website containing more information: https://tukaani.org/xz-backdoor/