Yes, you was right. He said that the backdoor was inside (partially?) such tar files .. what is confusing me now is that he said also that it get triggered at configure and so at compiling time ... And probably I don't fully know the process from where other distros (fedora and Debian) use xz source to build distro packages .. So probably I would need to look at such stuff .. Were such tar files sources or binary ready compiled files ? .. Need to give a look into ...