Jia Tan's history of commits on #xz suggests that every png file in gcc or apache or whatever is a possible attack vector now.

https://joeyh.name/blog/entry/reflections_on_distrusting_xz/

#xz
in reply to see shy jo

Why assume that Lasse Collin will do anything at all in response to the attack? Yes, he put up the xz-backdoor page now, but I don't think we should expect him to do more. We already know he was burnt out in 2022; that's why Jia Tan was able to step in to begin with. I'm not sure what the exact solution is, but the project needs a new, trustworthy, funded maintainer or maintainers.
in reply to Matt Campbell

Or at least, if we expect Lasse Collin to pick the project back up now, then someone should hire him to do that, with generous pay, assuming he's free to quit his current job. Unfortunately, I'm not in a position to do that.