A backdoor in xz
Posted Apr 7, 2024 14:54 UTC (Sun) by pizza (subscriber, #46)
In reply to: A backdoor in xz by chestnut
Parent article: A backdoor in xz
An example of this is darktable: "As always, please don't use the autogenerated tarball provided by github, but only our tar.xz file."
> and why not upload these scripts to GitHub
They pretty much always are, typically called something like "./bootstrap.sh". But to generate the distribution tarball, you usually need additional dependencies or tools.
Another example of this is gutenprint; as well as the autotools stuff, the distribution tarballs have a lot of other auto-generated stuff (e.g. supported printer lists) that would otherwise cause major issues if you are trying to cross-compile things.
In both cases the CI systems auto-generate a release tarball after every commit.