macOS
brew install xzlocal Homebrew formula metadata
sudo port install xzMacPorts ports tree · archivers/xz/Portfile · source: api.github.com
brew
General-purpose data compression with high compression ratio. Version 5.8.3 via Homebrew; verified from local package data.
install
brew install xzlocal Homebrew formula metadata
sudo port install xzMacPorts ports tree · archivers/xz/Portfile · source: api.github.com
sudo apk add xzAlpine Linux edge package indexes · xz · source: dl-cdn.alpinelinux.org
sudo dnf install xzFedora Rawhide package metadata · xz · source: dl.fedoraproject.org
nix profile install nixpkgs#xznixpkgs package indexes · xz · source: raw.githubusercontent.com
sudo pacman -S xzArch Linux sync databases · xz · source: geo.mirror.pkgbuild.com
sudo zypper install liblzma5openSUSE Tumbleweed package metadata · liblzma5 · source: download.opensuse.org
sudo apt install lzmaDebian stable package indexes · lzma · source: deb.debian.org
scoop install main/xzScoop official bucket manifest trees · bucket/xz.json · source: api.github.com
overview
General-purpose data compression with high compression ratio
history
XZ Utils is the standard free-software implementation of the .xz container format, the LZMA2 compression method, and liblzma. It matters to package ecosystems because .tar.xz release archives, source packages, initramfs images, distribution payloads, and build systems rely on xz and liblzma for high-ratio lossless compression.
XZ Utils comes from the Tukaani Project and the earlier LZMA Utils lineage maintained by Lasse Collin. The project generalized Igor Pavlov's LZMA-family compression ideas into the .xz format and liblzma API used by Unix-like systems.
The 5.0.0 release on 2010-10-23 was a major packaging milestone because the NEWS file marks liblzma API and ABI as stable and bumps the shared-library soname to 5.0.0. From a distro perspective, that turned xz from a promising compressor into a dependable system library.
The project continued to evolve around multithreading, build-system support, portability, translated documentation, and platform coverage. The official site lists support across GNU/Linux, BSDs, macOS/Darwin, Solaris, AIX, Windows, DOS, and several more specialized systems, which explains why package managers treat it as base infrastructure.
The 2024 CVE-2024-3094 backdoor is now part of XZ Utils history. Official Tukaani pages state that XZ Utils 5.6.0 and 5.6.1 release tarballs contained a backdoor inserted by a malicious co-maintainer and discovered by Andres Freund before broad stable distribution. The incident made xz one of the central examples in open-source supply-chain security discussions.
XZ adoption followed its compression ratio and Unix-friendly tooling. The familiar xz, unxz, xzcat, xzgrep, xzless, and compatibility aliases made it a drop-in neighbor to gzip and bzip2, while liblzma let package managers and applications decode .xz streams without shelling out.
Distribution adoption became especially visible through .tar.xz source releases and compressed package artifacts. Many upstream projects now publish release tarballs as .tar.xz, and free operating systems commonly install xz or liblzma because so much source distribution and packaging machinery expects them.
After CVE-2024-3094, adoption history also includes a trust reset: project infrastructure moved back under Tukaani-controlled URLs, GitHub repositories were restored, and clean XZ Utils releases were made on 2024-05-29, according to the official backdoor page.
Command-line users compress and decompress files with xz, unxz, and xzcat, inspect streams with xz --list, and use xzgrep/xzless style helpers for text workflows inside compressed files. It is common in source-release workflows as tar -cJf or tar.xz packaging.
Developers use liblzma directly or via bindings in languages such as Python, Perl, Haskell, Delphi, and Free Pascal. Package builders care about xz because archive format support, reproducible source distributions, and decompression availability can affect bootstrap chains.
XZ Utils is package-manager bedrock: small enough to be invisible most days, but important enough that a bad release can shake the whole distribution world. It sits in build roots, source tarball handling, package extraction, and language runtime bindings.
The backdoor incident made xz historically significant beyond compression. It showed how a low-glamour maintainer package can become a high-value target precisely because it is everywhere, and why tarball provenance, release signing, maintainer access, and distro staging matter.
security posture
broad file, network, media, or database tool signal.
blue risk · medium confidence · tool
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
lzcat | cli | global executable | |
lzcmp | cli | global executable | |
lzdiff | cli | global executable | |
lzegrep | cli | global executable | |
lzfgrep | cli | global executable | |
lzgrep | cli | global executable | |
lzless | cli | global executable | |
lzma | cli | global executable | |
lzmadec | cli | global executable | |
lzmainfo | cli | global executable | |
lzmore | cli | global executable | |
unlzma | cli | global executable | |
unxz | cli | global executable | |
xz | cli | global executable | |
xzcat | cli | global executable | |
xzcmp | cli | global executable | |
xzdec | cli | global executable | |
xzdiff | cli | global executable | |
xzegrep | cli | global executable | |
xzfgrep | cli | global executable | |
xzgrep | cli | global executable | |
xzless | cli | global executable | |
xzmore | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/tukaani-project/xz
install metadata
| Package key | brew:xz |
|---|---|
| Version | 5.8.3 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/xz |
| Homepage | https://tukaani.org/xz/ |
| Repository | https://github.com/tukaani-project/xz |
| Upstream docs | https://github.com/tukaani-project/xz#readme |
| License | 0BSD AND GPL-2.0-or-later |
| Source archive | https://github.com/tukaani-project/xz/releases/download/v5.8.3/xz-5.8.3.tar.gz |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sequoia, sonoma, tahoe, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | xz |
| Version Scheme | 1 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
xz
nix profile install nixpkgs#xzxz 5.8.3-r0
Library and CLI tools for XZ and LZMA compressed files
sudo apk add xzxz-dev 5.8.3-r0
Library and CLI tools for XZ and LZMA compressed files (development files)
sudo apk add xz-devxz-doc 5.8.3-r0
Library and CLI tools for XZ and LZMA compressed files (documentation)
sudo apk add xz-docxz-libs 5.8.3-r0
Library and CLI tools for XZ and LZMA compressed files (libraries)
sudo apk add xz-libsxz-static 5.8.3-r0
Library and CLI tools for XZ and LZMA compressed files (static library)
sudo apk add xz-staticxz 5.8.3-1.fc45
LZMA compression utilities
sudo dnf install xzxz-devel 5.8.3-1.fc45
Devel libraries & headers for liblzma
sudo dnf install xz-develxz-libs 5.8.3-1.fc45
Libraries for decoding LZMA compression
sudo dnf install xz-libsxz-lzma-compat 5.8.3-1.fc45
Older LZMA format compatibility binaries
sudo dnf install xz-lzma-compatxz-static 5.8.3-1.fc45
Statically linked library for decoding LZMA compression
sudo dnf install xz-staticxz 5.8.3-1
Library and command line tools for XZ and LZMA compressed files
sudo pacman -S xzliblzma5 5.8.3-1.2
Lempel–Ziv–Markov chain algorithm compression library
sudo zypper install liblzma5liblzma5-32bit 5.8.3-1.2
Lempel–Ziv–Markov chain algorithm compression library
sudo zypper install liblzma5-32bitliblzma5-x86-64-v3 5.8.3-1.2
Lempel–Ziv–Markov chain algorithm compression library
sudo zypper install liblzma5-x86-64-v3xz 5.8.3-1.2
A Program for Compressing Files with the Lempel–Ziv–Markov algorithm
sudo zypper install xzsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.