This commit message is gold: <a href="https://github.com/tukaani-project/xz/commit/e93e13c8b3bec925c56e0c0b675d8000a0f7f754">https://github.com/tukaani-project/xz/commit/e93e13c8b3bec92...</a><p><pre><code> While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:
- The executable payloads were embedded as binary blobs in
the test files. This was a blatant violation of the
Debian Free Software Guidelines.
- On machines that see lots of bots poking at the SSH port, the backdoor
noticeably increased CPU load, resulting in degraded user experience
and thus overwhelmingly negative user feedback.
- The maintainer who added the backdoor has disappeared.
- Backdoors are bad for security.</code></pre>
I'm relieved that the GitHub repo has finally been restored. I was just about to make a commit to fix our liblzma dependency, which would have required a vcpkg overlay to use a different upstream repo.
The security policy was also updated: <a href="https://github.com/tukaani-project/xz/commit/780d2c236de0e4749655696c2e0c26fb7565afd3">https://github.com/tukaani-project/xz/commit/780d2c236de0e47...</a>