I'm going to be honest, I'm getting a little tired of hearing everyone's thoughts on the xz backdoor. It's discouraging and sucks when every detail of the project which, keep in mind, was maintained by one person who fell victim to a social engineering attack, is scrutinized. It makes me concerned about anyone depending on any of my projects.
Especially the comments on things such as the build scripts, which this kind of article seems to gravitate towards. If the build scripts were tiny and checked then the attack vector would have just been different, I'm not even too sure the language mattered. The attack was social engineering, after that it was pretty much project agnostic. xz was targeted cause the maintainer was done working on it and it was heavily depended on.