xz-utils was backdoored by its upstream. Tracked as CVE-2024-3094 and thoroughly documented by vuln discoverer Andres Freund on oss-security@: openwall.com/lists/oss-securit

@delroth

It sounds like it might make sense to deny access to testdata until the build is done (i.e. in nix terms, until the normal output is fully written out), because it's easiest to hide random cruft there.

Is this something that might be semi practical to do in nixos?
