Honestly, the worst effect of the xz/sshd exploit is the evaporation of trust in #OpenSource.
There's this new prolific contributor. I haven't looked in great detail, but they're seemingly doing great work. All pull requests are nicely annotated so as to ease review. Really, everything you could wish for. But what if it's a bad actor trying to quickly build trust?
Then this contributor kindly pings the assignee a week after filing the PR. Well, nothing wrong with that. It makes sense. But then, what if it's a bad actor trying to pressure maintainers?
Or perhaps it's just a great, well-organized #Gentoo contributor.