
Looks like GitHub has suspended access to the repository, which, while it protects against people accidentally compiling and using the code, certainly complicates forensic analysis for anyone who doesn't have a clone or access to history (which is what I think a lot of people will be doing now to understand their exposure).



It looks like git clone https://git.tukaani.org/xz.git still works for now (note: you will obviously be cloning malware if you do this) - that is, however, trusting the project infrastructure that compromised maintainers could have had access to, so I'm not sure if it is unmodified.

HEAD (git rev-parse HEAD) on my result of doing that is currently 0b99783d63f27606936bb79a16c52d0d70c0b56f, and it does have commits people have referenced as being part of the backdoor in it.


Apparently there's a wayback machine for git repos and it "just coincidentally" archived this repo the day before the news broke:

https://archive.softwareheritage.org/browse/origin/visits/?o...


That was me. I'm part of ArchiveTeam and Software Heritage and I'm one of the Debian sysadmins; the latter got some advance notice. I figured archives of xz related stuff would be important once the news broke, so I saved the xz website and the GitHub repos. I regret that I didn't think to join the upstream IRC channel and archive the rest of the tukaani.org domain, nor archive the git.tukaani.org repos. Been archiving links from these threads ever since the news broke.


As someone who was looking for that git repo, thank you :)


> https://git.tukaani.org/xz.git

it's throwing 403 now.


Works cloning though.


Well that's inconvenient, I was (probably, time permitting) going to propose to some of my friends that we attempt to reverse this for fun tomorrow.

Anyone have a link to the git history? I guess we can use the Ubuntu tarball for the evil version.



