Don’t trust. Verify. I could not resist making a fake book cover Here follows a brief description on how you can detect if the curl package would ever make an xz. xz (and its library liblzma) was presumably selected as a target because it is an often used component and by extension via systemd it often used by openssh in several Linux distros. libcurl is probably an even more widely used software component and if infected, could potentially serve as an effective vessel to distribute evil into th...