by dzaima 808 days ago
A couple weeks ago anyone calling Jia Tan of xz untrustworthy (without having discovered the backdoor) would have been laughed at, but apparently we're in a world where long-time maintainers of open-source projects can be malicious. And here there are even actual ongoing red flags, and multiple of them. There's even an open issue on curl-ing[0], with no action for 6 months (and given that the "verified" version seemingly would fail to load anything at all if the script really updated, it's pushing users to not use it). Even if it's discernible from zsh, similarities can nevertheless provide a feeling of credibility/officiality.

It can of course all be unfortunate accidents (and still has a good chance to be such), but that means nothing - a malicious person would of course try to make all their actions seem as such.

[0]: https://github.com/z-shell/zi/issues/287, though it doesn't notice the double-curl in "verified" being a massive security issue which makes it worse than useless
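Why a "double-curl" verification is worse than useless, as an added offline example (not code from the thread or from the zi project): it assumes that "double-curl" means the installer is downloaded once to compute a checksum and downloaded a second time to execute, so the bytes that were checked are not the bytes that run. A local directory stands in for the remote host, `fetch` for curl, and `tamper_origin` for the content changing between the two requests; the fixed variant downloads once, verifies that file, and runs that same file.

```shell
#!/bin/sh
# Constructed offline simulation of a "verified" curl | sh installer.
# ORIGIN stands in for the remote host and fetch() for curl; tamper_origin
# models the served content changing between two requests. All of this is
# an assumption made for the demo, not the real project's script.
ORIGIN="$(mktemp -d)"
GOOD='echo installing'
reset_origin()  { printf '%s\n' "$GOOD" > "$ORIGIN/install.sh"; }
tamper_origin() { printf 'echo tampered\n'  > "$ORIGIN/install.sh"; }
fetch()         { cat "$ORIGIN/install.sh"; }          # simulated curl
reset_origin
EXPECTED_SHA="$(printf '%s\n' "$GOOD" | sha256sum | cut -d' ' -f1)"

# WEAK: the bytes that are hashed (fetch #1) are not the bytes that run
# (fetch #2). A checksum match says nothing about the second download.
install_double_fetch() {
  reset_origin
  got="$(fetch | sha256sum | cut -d' ' -f1)"
  [ "$got" = "$EXPECTED_SHA" ] || { echo "checksum mismatch"; return 1; }
  tamper_origin               # origin changes after the check passed
  fetch | sh                  # executes whatever is served right now
}

# FIXED: download once into a temp file, verify that file, run that file.
# The hashed bytes and the executed bytes are the same bytes.
install_single_fetch() {
  reset_origin
  tmp="$(mktemp)"
  fetch > "$tmp"
  got="$(sha256sum "$tmp" | cut -d' ' -f1)"
  tamper_origin               # same window, but it no longer matters
  if [ "$got" = "$EXPECTED_SHA" ]; then sh "$tmp"; else echo "checksum mismatch"; fi
  rm -f "$tmp"
}
```

Running both functions shows the weak flow printing "tampered" after a passing checksum, while the single-fetch flow prints "installing".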