I daily jumped into mine openSUSE mailing list folder and today was a very hot discussion about the Supply Chain issue and XZ itself. I found this specific fragment very amusing thought

It only shows that the Archlinux/Manjaro Maintainers are less than knowledgeable about their packages. Inspite if not building rpm or debian packages they claim to have "fixed" the backdoor while going from 5.6.1-1 to 5.6.2-2 [1]. The disassembly of liblzma didn't even change between those package versions.

https://archlinux.org/news/the-xz-package-has-been-backdoored/

I think as the conclusion we're dealing not with the vulnerability but rather with the maintainers guidelines.

I think in general this is a new reality, many open-source projects are talking about improving it's own security principles, including OrangeFox.

Should we consider this particular supply chain issue a very lucky case for us, that it never got a way into the most of distros, was quickly disclosed and patched as well as raised the general attitude to security?

I can't place this channel as my personal channel because it was created by another account which is deleted account now :(

I like xwayland

OpenSUSE pulished a Chad-long article about xz vulnerability, I didn't read it yet but later
https://news.opensuse.org/2024/04/12/learn-from-the-xz-backdoor/

Plasma 6.1 is finally released in Tumbleweed

Ok oh god it was KDE Framework 6.1, the plasma is still 6.0.3, I guess we would need to wait a bit