I would like for application/x-xz to be added to the list of known MIME types

Could you share your motivation?

Absolutely :)
The Golang-native http.DetectContentType function uses this library to detect MIME types,
and defaults to application/octet-stream for everything not included here.

Therefore we now need to vendor in another dependency into openshift/installer#3160 to properly support application/x-xz, which is suboptimal.

The use-case for that is downloading Fedora CoreOS images which are xz encoded

This is not a library, but rather a standard for when user agents are to perform sniffing in the context of the web and for safety reasons it's best not extended.

Unfortunately Golang seems to direct people for feature requests of that functionality here, but this really isn't the place for that.

Unfortunately Golang devs point here for their list of supported MIME types (which doesn't make much sense, as this is clearly a browser focused spec). Feel free to close :)

Well, it's also focused on servers. If browsers and servers sniff differently that could lead to issues (and has in the past), but that also really depends on the context and what is being sniffed.

That makes me wonder, what would be possible security implications when sniffing out e.g. the xz type?

I think one angle is user-supplied files, e.g., if the server thinks it's X and the browser Y, there might be an issue.