Apart from that I am looking for a solution to a personal issue (see my other comment), I posted this because I was thinking this could be a great way to support other new Linux users and friends.

  • HaraldvonBlauzahn@feddit.orgOP
    12 hours ago

    On a more serious note… yes, nation-state attacks on infrastructure like xz-utils do exist, and as Stuxnet has shown, they are also being used against high-profile targets like Iranian nuclear facilities.

    Such attacks against infrastructure are to be taken seriously. But the xz-utils case and Stuxnet also have shown a few things:

    • Such attacks are incredibly time-consuming and expensive to mount.
    • Once an attacker hits such a target, they have blown their powder - they can’t continue to use it.
    • The xz-utils case shows that open source’s many-eyed principle works astoundingly well.
    • xz-utils also confirms that in open source software, you can close a detected backdoor within hours - even if the maintainer of the software does not want that, since you can fork it in seconds. (And using Rust only makes this easier).

    So, this topic of foreign state-actor backdoors is less a thing for individuals to worry about. (I agree that lawmakers of democratic states should absolutely worry about this; here is a good article by Bert Hubert on the topic.)

    However, what is actually dangerous is the erosion of privacy and the rising amount of mandated surveillance. But if one is worried about that, one should not use closed-source software in the first place.