For more info, see https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlx...@awork3.anarazel.de/ but, essentially, xz was backdoored and it seems like upstream was directly responsible for this.
Based on this, should we switch our distribution from bz2+xz to bz2+zstd or bz2+lzip? Thanks, Paolo