A backdoor in xz

This is exactly why I use a dm-verity to verify my rootfs (built with verity-squash-root). I can get compromised temporarily while online, but I only rebuilt and sign my image while offline on a fresh reboot. Ok, it would have saved me here, but probably not on a different compromise of a package, when already built into my system. Also secrets decrypted while compromised would also be compromised, but at least I can revert back to a secure system.