I was talking relative to closed-source projects, not about how easy it is in general. It could very well be that both are unfortunately easy to do.
This cannot be assumed.
The full scope of the payload is still unknown.
It very well can target any other program that links it such as systemd, grub, dracut, browsers, programs depending on libxml, etc.
If you were on a system with the package you should consider it compromised.
Even Red Hat’s advisory says the same:
PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity.
They don’t predicate on SSH usage.
Arch is being too loose in theirs.
Even the Freedesktop flatpak runtime could be impacted: "xz: Revert to 5.4.6 (!18707)" (freedesktop-sdk merge request on GitLab).
Looks like master merged 5.6.0 on Feb 28, so essentially it was in master all March.
However, none of the release tags seem to have merged versions >5.4.6.
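A small defender-side triage script for the two points made above (an installed xz newer than 5.4.6, and liblzma consumers beyond sshd). It is an added example, not code from this thread or from freedesktop-sdk; the default scan directories and the dependency on binutils readelf are assumptions.

```shell
#!/bin/sh
# Added triage helper, not code from the thread or from any project named in it.
# Check 1: is the installed xz newer than 5.4.6, the version freedesktop-sdk
#          reverted to?  Check 2: which binaries in the given directories link
#          liblzma, since the point above is that sshd is not the only consumer.
# Assumes numeric dotted versions (e.g. 5.6.0) and the binutils readelf tool.

# Turn "MAJOR.MINOR.PATCH" into a single integer so versions compare with -gt.
verkey() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when $1 is newer than 5.4.6.
xz_version_affected() {
  [ "$(verkey "$1")" -gt "$(verkey 5.4.6)" ]
}

# First line of `xz --version` is "xz (XZ Utils) X.Y.Z"; empty if xz is absent.
installed_xz_version() {
  xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# Print each regular file under the given directories whose ELF dynamic section
# lists liblzma as NEEDED. readelf only reads the file, unlike ldd, which may
# hand an untrusted binary to the dynamic loader.
liblzma_linkers() {
  for dir in "$@"; do
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      readelf -d "$f" 2>/dev/null | grep -q 'NEEDED.*liblzma' && echo "$f"
    done
  done
}

main() {
  [ $# -gt 0 ] || set -- /usr/sbin /usr/lib/systemd   # assumed defaults
  v=$(installed_xz_version)
  if [ -n "$v" ] && xz_version_affected "$v"; then
    echo "xz $v is newer than 5.4.6: treat this host as suspect"
  else
    echo "xz ${v:-not found}: not in the reverted range"
  fi
  echo "binaries linking liblzma:"
  liblzma_linkers "$@"
  return 0
}

main "$@"
```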
Good that this was posted here too! I was busy, well, with this haha. But glad to see that these alerts are now also shared here. Happy Easter!