I'm reading today that a backdoor is present in xz's upstream tarball (but not in git), starting at version 5.6.0. Source: https://www.openwall.com/lists/oss-security/2024/03/29/4

Guix currently packages xz-utils 5.2.8 as "xz" using the upstream tarball. Is there a way we can blacklist known bad versions? Should we switch from using upstream tarballs to some fork with more responsible maintainers?

Ryan