xz: switch to a working src URL, add warning

pkgs/tools/compression/xz/default.nix

@@ -11,10 +11,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "xz";
-  version = "5.4.6";
+  version = "5.4.6"; # Beware of CVE-2024-3094 and related risks!!!
 
   src = fetchurl {
-    url = with finalAttrs; "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.bz2";
+    url = with finalAttrs;
+      # The original URL has been taken down.
+      # "https://github.com/tukaani-project/xz/releases/download/v${version}/xz-${version}.tar.bz2";
+      "mirror://sourceforge/lzmautils/xz-${version}.tar.bz2";
     sha256 = "sha256-kThRsnTo4dMXgeyUnxwj6NvPDs9uc6JDbcIXad0+b0k=";
   };