It’s a bit more subtle than that because part of the chain is present in the Git repository in “fake” test fixtures: Tests: Update two test files. · tukaani-project/xz@6e63681 · GitHub
The issue can only be triggered when using the official release tarball because it requires a change to a Makefile that is not present in the Git repository.
To the current knowledge of the community, for packages using the xz nixpkgs package:
- even with the backdoored tarball, the script injecting the backdoor does not work in our build context. Basically, the script injecting the backdoor runs, but it exits without doing anything because the required conditions do not match: the backdoor is not injected into the built binaries
- the backdoor itself has a certain number of conditions that are not met in a NixOS environment and as such is not effective
Note that the situation is evolving and more knowledge is being acquired thanks to people looking more closely at the backdoor itself, but if you roll back to a nixpkgs unstable pin from before the upgrade to xz 5.6.x you need to consider, according to your threat model, that other security issues have been fixed in the meantime.
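The post's central point is that the release tarball carried build-system content that the Git repository did not. The following is an added example (not part of the original post, nor code from the xz or nixpkgs projects) of the kind of check a packager can run to triage that gap: it hashes every regular file in a `git archive` of the tag and in the release tarball, strips the top-level directory, and reports files only in one archive or differing between them. The two archives here are constructed in memory with hypothetical file names and contents; in practice you would feed it the real tag archive and the downloaded tarball. Files such as `configure` or `Makefile.in` legitimately appear only in autotools release tarballs, so the output is a list to review, not a verdict.

```python
import hashlib
import io
import tarfile


def tar_digests(data: bytes) -> dict[str, str]:
    """Map each regular file in a tar archive (any compression) to its
    SHA-256 hex digest, with the top-level directory component removed."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            # "xz-5.6.1/m4/foo.m4" -> "m4/foo.m4"; names without a
            # directory component are kept as they are.
            rel_path = member.name.partition("/")[2] or member.name
            content = tf.extractfile(member).read()
            digests[rel_path] = hashlib.sha256(content).hexdigest()
    return digests


def compare_release_to_git(git_tar: bytes, release_tar: bytes) -> dict[str, list[str]]:
    """Triage list: what the release tarball adds, drops or changes
    relative to the Git tag archive. Every entry deserves a look;
    generated autotools output is expected, edited .m4 or Makefile
    content is not."""
    git = tar_digests(git_tar)
    rel = tar_digests(release_tar)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in set(git) & set(rel) if git[p] != rel[p]),
    }


def make_tar(files: dict[str, bytes], prefix: str) -> bytes:
    """Build a small gzip-compressed tarball in memory (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives (hypothetical paths and contents, not the
# real xz sources). The release copy carries a generated `configure`
# script and an m4 file whose content differs from the tagged commit.
GIT_TAR = make_tar(
    {
        "Makefile.am": b"SUBDIRS = src tests\n",
        "m4/example.m4": b"dnl original macro\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    },
    prefix="example-1.0",
)
RELEASE_TAR = make_tar(
    {
        "Makefile.am": b"SUBDIRS = src tests\n",
        "m4/example.m4": b"dnl original macro\ndnl extra line only in the tarball\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "configure": b"#!/bin/sh\n# generated by autoconf\n",
    },
    prefix="example-1.0",
)


if __name__ == "__main__":
    for category, paths in compare_release_to_git(GIT_TAR, RELEASE_TAR).items():
        print(f"{category}: {paths}")
```

Against real inputs, `git archive --format=tar --prefix=xz-X.Y.Z/ vX.Y.Z` produces the first archive and the downloaded `.tar.gz` the second; anything listed under `modified` or `only_in_release` that is not recognisable autotools output is what to inspect before building.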