Kinda important side-fact on the #xz story:

The #xz fiasco could have been prevented if #openssh just included/implemented systemd-notify as a simple protocol, which apparently would have been easy…

Instead, distros all implemented the patch to include a dependency which eventually included xz…

See github.com/openssh/openssh-por

That said, *of course*, the attacker could have found other packages/ways/deps to include the malicious package/code, but it's still sad to read…
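The protocol the post refers to is small enough to show in full; the block below is an added example (not code from OpenSSH or from any distro's patch) that sends the state string as one datagram to the AF_UNIX socket named in $NOTIFY_SOCKET, which is all a daemon needs to report readiness without linking libsystemd. It assumes Linux (SOCK_CLOEXEC, MSG_NOSIGNAL, abstract-namespace sockets), and notify_send/notify_selftest are names chosen here.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one sd_notify(3) state string (e.g. "READY=1") to the datagram socket
 * named by $NOTIFY_SOCKET. Returns 1 if sent, 0 if the variable is unset (not
 * supervised by systemd), -1 on error. Abstract-namespace names ("@...") work. */
int notify_send(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    if (!path || !*path) return 0;
    if (path[0] != '/' && path[0] != '@') return -1;
    size_t plen = strlen(path);
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    if (plen >= sizeof addr.sun_path) return -1;
    memcpy(addr.sun_path, path, plen);
    if (addr.sun_path[0] == '@') addr.sun_path[0] = '\0'; /* abstract socket */
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (struct sockaddr *)&addr, alen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* Self-check: bind a receiver where systemd would listen, send READY=1 to it
 * and copy what arrived into out. Returns bytes received, or -1 on failure. */
int notify_selftest(char *out, size_t outlen) {
    char path[] = "/tmp/notify-test-XXXXXX";   /* constructed temp socket path */
    int tfd = mkstemp(path);                   /* reserve a unique unused path */
    if (tfd < 0) return -1;
    close(tfd);
    unlink(path);
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    int rfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rfd < 0 || bind(rfd, (struct sockaddr *)&addr, sizeof addr) < 0) return -1;
    setenv("NOTIFY_SOCKET", path, 1);
    ssize_t n = notify_send("READY=1") == 1 ? recv(rfd, out, outlen - 1, 0) : -1;
    close(rfd);
    unlink(path);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}
```

The supply-chain point is that this is the whole surface a daemon needs: no shared library, so no transitive dependency on liblzma or anything else can ride in through it.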

@cadey @AndresFreundTec