I read in xz Package Backdoor / Announcements, Package & Security Advisories / Arch Linux Forums :
“The xz PKGBUILD needs to be updated again, because it won’t work anymore as it goes to the dead Github repository. Preferably replaced by an older version before Jia Tan took over; something in the 5.4.x series… as to how you get access to that? Not sure which mirror.”