XZ Utils
A high-compression archive utility.
XZ Utils provides the xz command and the .tar.xz archive format, based on the LZMA2 compression algorithm. xz typically achieves substantially smaller compressed files than gzip at the cost of slower compression — decompression speed is comparable. The algorithm is used for distribution package archives, kernel source tarballs, and any other large download where bandwidth costs more than CPU time.
Lasse Collin developed xz from the older 7-Zip LZMA SDK over several years starting around 2007. The xz codebase entered the spotlight in March 2024 when a sophisticated multi-year supply-chain backdoor was discovered in a recent xz-utils release; a contributor with a long-running collaboration history had inserted code that compromised sshd builds linked against liblzma. The discovery (by Andres Freund of Microsoft) was a significant moment in open-source supply-chain security.
xz remains widely used despite the incident. The compromised versions have been removed from distributions, and the upstream project has reorganised its governance and security review. Most distribution maintainers continue to ship xz, though many have since added extra review for new contributions to small upstream projects.
Install
- Debian/Ubuntu: sudo apt install xz-utils
- Fedora/RHEL: sudo dnf install xz
- Arch: sudo pacman -S xz
- macOS: brew install xz
Authors
- Lasse Collin (creator)
- XZ Utils developers