xz update produces a different tarball hash
I recently updated my Debian packages and got xz 5.6.2 (sans backdoor). I don't know what version I had before, but now all contrib tarballs created from a git (producing a .tar.xz) have a different hash than the ones we expect.
After some investigation I can see that xz 5.2.5 produces the same compressed file we expect. I tried different compression levels with the newer xz 5.6.2: 6 (default), 7, 8, 9 all produce the same binary with the non-matching hash. Compression level 5 produces a bigger file (so not the same hash). The header and tail of the file seem to differ from our original hash. The rest is identical.
I'm not sure how we can solve this. We could tell users to downgrade their xz (with backdoor?). When we update our Docker images there's a chance we'll also pick an incompatible version.
Or we could switch to something other than .xz for the tarballs we generate. But gzip and bz2 may have the same problem between versions... Or we just don't compress these tarballs (10x bigger). They are not really downloaded from videolan.org and normally created locally anyway.
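An added example, not part of the original post or the project's build scripts: it compares a hash of the .tar.xz container with a hash of the decompressed tar stream, so a checksum can stay stable while the tarball is still stored compressed. The two encodings stand in for two xz versions (an assumption: here they differ only in the integrity-check type, which changes the stream header and footer), and the choice of SHA-256, the function names and the sample files are constructed for illustration.

```python
import hashlib
import io
import lzma
import tarfile


def build_tar(files):
    """Build a tar in memory with sorted names and fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed timestamp so the tar bytes are stable
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def container_sha256(xz_bytes):
    """Hash of the .tar.xz exactly as stored: depends on the encoder."""
    return hashlib.sha256(xz_bytes).hexdigest()


def payload_sha256(xz_bytes, chunk=1 << 16):
    """Hash of the decompressed tar stream: independent of the encoder."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    digest = hashlib.sha256()
    src = io.BytesIO(xz_bytes)
    while not dec.eof:
        block = src.read(chunk)
        if not block:
            raise ValueError("truncated .xz stream")
        digest.update(dec.decompress(block))
    if dec.unused_data or src.read(1):
        raise ValueError("unexpected data after the .xz stream")
    return digest.hexdigest()


# Constructed sample input; the two encodings stand in for two xz versions.
SAMPLE = {"README": b"constructed sample\n", "src/a.c": b"int x;\n" * 500}
TAR = build_tar(SAMPLE)
XZ_A = lzma.compress(TAR, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)
XZ_B = lzma.compress(TAR, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC32)

if __name__ == "__main__":
    print("container A:", container_sha256(XZ_A))
    print("container B:", container_sha256(XZ_B))
    print("payload   A:", payload_sha256(XZ_A))
    print("payload   B:", payload_sha256(XZ_B))
```

The payload hash only stays stable if the tar itself is generated reproducibly (same file order, timestamps and ownership), which this sketch enforces in `build_tar`.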