Both the behavior of the software and the properties of the file format have been designed to work similarly to those of the popular Unix compressing tools gzip and bzip2.

The XZ Utils source distribution additionally includes some optional scripts and an example program that are subject to various versions of the GNU General Public License (GPL).

[1] The resulting software xz and liblzma binaries are public domain, unless the optional LGPL getopt implementation is incorporated.

A number of Linux distributions, including Fedora, Slackware, Ubuntu, and Debian use xz for compressing their software packages.

On 29 March 2024, Andres Freund, a PostgreSQL developer working at Microsoft, announced that he had found a backdoor in XZ Utils, impacting versions 5.6.0 and 5.6.1.

He started his investigation because "After observing a few odd symptoms around liblzma (part of the xz package)" as he found that ssh logins using sshd were "taking a lot of CPU, valgrind errors".