Security of adding support for 5.6.0 and 5.6.1 to the workflow?

[robrwo]

The Changes for 2.211 say:

• Add xz 5.6.1 to workflow
  Sat Mar 9 14:56:51 2024 +0000
  953082d
  ...
• Add xz 5.6.0 to workflow
  Sat Feb 24 10:37:19 2024 +0000
  bb252c8

But those versions are associated with the backdoor CVE-2024-3094

So do you want those versions in the workflow?

[pmqs]

Thanks @robrwo, already aware of the upstream issue and I do intend to remove those versions from the workflow. For now it isn't an issue because that workflow is broken while the upstream xz repo is disabled.

[pmqs]

My reading of the issue is the problem is only associated with the release artefacts. My workflow don't use those - it clones the xz repo & builds from source.

Regardless, prudent to remove them from the workflow regardless.

[pmqs]

workflow updated in #12