
Completely disagree. Every project that has xz/liblzma added as a dependency should be looking at the source, compiling from said source, and making sure that the binaries they ship with their software match it. For example, Homebrew should do this. If the attacker configured the backdoor for the server to enable a universal master key, who's to say they didn't engineer a backdoor for the Homebrew version to export private keys from the current user's .ssh folder?



That's my second point. Just checking for version <= 5.6.0 is not safe either and is exactly what the original article has done.

But if all you use as the basis of the vulnerability analysis is the version constraint and what we currently know about the backdoor, then, unless you are a distro building a liblzma distro package, you will not be vulnerable no matter the version (which was my point 1).
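The check the first comment asks for (build liblzma from the same source and confirm the shipped artifact matches) as an added shell example; it is not code from the thread or from the xz project, and the source-tree and output paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: compare a shipped liblzma artifact against one built locally
# from the same source tarball. Nothing here is specific to a known payload;
# it only answers "does the binary we ship equal what this source produces?".
set -eu

# Print the SHA-256 digest of a file, portable across sha256sum and shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if both files have identical SHA-256 digests, 1 otherwise.
artifacts_match() {
  a=$(sha256_of "$1")
  b=$(sha256_of "$2")
  [ "$a" = "$b" ]
}

# Hypothetical helper: configure, build and install xz from an unpacked
# source tree ($1) into a prefix ($2). Requires a C toolchain; the flags
# must mirror the ones used for the shipped build or digests will differ.
build_from_source() {
  ( cd "$1" && ./configure --prefix="$2" >/dev/null \
      && make >/dev/null && make install >/dev/null )
}

# Usage: verify_shipped <shipped liblzma file> <source tree> <scratch prefix>
verify_shipped() {
  build_from_source "$2" "$3"
  built=$(find "$3/lib" -name 'liblzma*' -type f | head -n 1)
  if artifacts_match "$1" "$built"; then
    echo "MATCH: $1 reproduces from source"
  else
    echo "MISMATCH: $1 differs from $built (inspect before trusting)"
    return 1
  fi
}
```

A mismatch is a signal to investigate, not proof of tampering: embedded timestamps, compiler versions and build paths also change digests, so compare the two files with a tool such as diffoscope before drawing conclusions.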



