@lcamtuf One change you might want to consider is to point out that liblzma is not a dependency of OpenSSH but rather a dependency of a systemd code which is pulled in by OpenSSH on several Linux distributions. It is an important difference and means that an attack, if went undetected, could have been extended to other components.