About the #xz backdoor: please do *not* assume that if your SSH server is not affected, you are not affected by it at all.

A lot about this situation is still unclear, but what *is* clear is that this wasn't a drive-by attack - this was clearly a well-prepared long-term engagement, across many commits and messages by potentially multiple accounts.

That makes it very plausible that there are other backdoors that haven't been found yet, and that might affect you under different circumstances.

There's not much you can concretely do about that yet, but you should carefully watch developments around this situation.