I'm assuming you are aware of CVE-2024-3094 and didn't upgrade to 5.6.1 for that reason. Perhaps it is an overreaction at this point, but I'm wondering if we should consider completely removing liblzma from the wheels for the upcoming release. liblzma is only an indirect optional dependency via libtiff and users could just install from source if they need it.

Should we also switch to using the GitHub release instead of SourceForge?

Multibuild uses https://tukaani.org/xz/xz-5.6.2.tar.gz which is a redirect to the GitHub release:

C:\Users\Nulano>curl --head https://tukaani.org/xz/xz-5.6.2.tar.gz
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 12 Jun 2024 18:51:24 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 262
Connection: keep-alive
Location: https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.gz
X-Proxy-Cache: BYPASS
X-Powered-By: Zoner

Ok, GitHub does look to be the primary repository. I've pushed a commit.

My thinking on this: I don't see anything particularly urgent/important in the changelog to merge this right now, so maybe we hold off for another release or so?

Another release or so of ours, or of xz? I'm guessing you mean xz, as a way of increasing confidence that they have reviewed their code thoroughly.

Of ours, but that could also include of xz :)

Yeah, I don't think we're in a rush to upgrade, and it gives some more time for the dust to settle.

More time has passed and things have settled. Any objections to merging this for our release next month?