[stusmall]

Nix might even make it worse. xz made it into unstable and it is part of stdenv. This means almost every package needs to be rebuilt which takes forever and limits the speed in which it can be reverted. They still have 5.6.1 in unstable and, to be honest, I'm not sure why. I don't know if they are still waiting for CI to chew through the tens of thousands package rebuild or there is something else.

[pxc]

Afaict they are in fact waiting for CI to do the big rebuild on staging, in part because the Nixpkgs builds of 5.6.x never pulled down the malicious m4 scripts that inject the backdoor into the output binary (as they never used the release tarball directly from upstream but built from GitHub sources).

See: https://github.com/NixOS/nixpkgs/issues/300055

and: https://github.com/NixOS/nixpkgs/pull/300028

It's also worth noting that Guix is different here, as the grafts mechanism is well-established, so they can get a security patch in for xz without waiting for the mass rebuild, even if it's also in their stdenv or equivalent.