So… Github in their wisdom has "disabled" the #xz repository.

They did this before with the "everything" JavaScript package.

Unfortunately they don't seem to realise that this HINDERS the community's ability to respond to this mess by HIDING key information such as issue trackers.

I think the heavy-handed approach executed by @github is doing more harm than good.

If they want to HELP the open-source community clean up this mess, they should restore public access to the repository.

If they instead want to HELP the person who wrote this code hide their tracks… be my guest, keep it hidden.

At least declare which side you're on, because right now, it really seems like you're trying to protect the attacker not the community.

I'm giving serious thought to migrating my projects away from this service now.