I had some thoughts on the XZ backdoor implications - feedback very welcome: https://beny23.github.io/posts/xz_backdoor_is_not_the_end_of_open_source/ (and hope it's ok posting here)