@kravietz @jakub
@bookwar
@Conan_Kudo
Upstreams should know what lib versions they tested with. Why shouldn't there be a simple manifest for upstreams to fill out that the distros' package management software then verifies with the source and installs? (not rhetorical) This makes it easy for upstreams to "package" for all of Linux and gives distros helpful info, but still lets distros do whatever they want/need to do to install the software. In the xz case, or similar, a new dev/signing key could automatically flag a review downstream and/or probationary period.
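A sketch of the downstream check proposed in the post above, added here as an example and not part of the original post or of any distro's tooling. The manifest field names, the 30-day probation window and the key fingerprints are all assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

PROBATION = timedelta(days=30)  # assumed policy value; the post names no duration

def review_release(manifest, source, known_keys, distro_libs, today):
    """Return (decision, flags, notes) for one upstream release.

    known_keys maps a signer fingerprint to the date the distro first saw it.
    The fingerprint is assumed to come from a signature that was already
    verified; no signature checking happens here.
    """
    if hashlib.sha256(source).hexdigest() != manifest["source_sha256"]:
        return "reject", ["source archive does not match the manifest hash"], []

    flags = []
    first_seen = known_keys.get(manifest["signer"])
    if first_seen is None:
        flags.append("signing key never seen before")
    elif today - first_seen < PROBATION:
        flags.append("signing key still in probation")

    # Version differences are information for the packager, not a blocker:
    # the distro stays free to build against whatever it ships.
    notes = [
        f"{lib}: upstream tested {tested}, distro ships {distro_libs.get(lib, 'nothing')}"
        for lib, tested in sorted(manifest["tested_with"].items())
        if distro_libs.get(lib) != tested
    ]
    return ("review" if flags else "accept"), flags, notes

# Constructed sample data (not a real package, key or hash).
SOURCE = b"constructed stand-in for an upstream source archive"
MANIFEST = {
    "name": "exampletool",
    "version": "2.1.0",
    "source_sha256": hashlib.sha256(SOURCE).hexdigest(),
    "signer": "FPR-NEW-MAINTAINER",
    "tested_with": {"libfoo": "1.4.2", "libbar": "0.9.0"},
}
KNOWN_KEYS = {"FPR-OLD-MAINTAINER": date(2020, 1, 1)}
DISTRO_LIBS = {"libfoo": "1.4.2", "libbar": "0.8.5"}

if __name__ == "__main__":
    print(review_release(MANIFEST, SOURCE, KNOWN_KEYS, DISTRO_LIBS, date(2024, 4, 1)))
```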