Man, there is a lot of concerning stuff there.
In particular, one person commented that the original xz maintainer was possibly subjected to a pressure campaign to hand over maintainership.
Another interesting data point: about 2 years ago there was a clear pressure campaign to name a new maintainer:
https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html
At the time I thought it was just rude, but maybe this is when it all started.
I don't know how many open-source project maintainers would be on guard for something that subtle, people coordinating to take over maintainership of a project.
I mean, xz isn't normally something you'd immediately think of as security-critical. I doubt that a maintainer knows or thinks about about all the potential downstream dependencies (in this case, not even a standard sshd depedendency, but one that came up because of a patch that Debian used to add some systemd functionality).
EDIT:
I mean, xz isn't normally something you'd immediately think of as security-critical.
On second thought, it actually is, given that Debian packages are xz-compressed.