Torrenting security patches
Steve Cotton
steve at s.cotton.clara.co.uk
Tue Sep 18 19:26:29 UTC 2007
Hi,

This may have been raised before, but I couldn't find a discussion
in the archive or Wiki.

I'm worried that DebTorrent could be used to select targets for
remote-root exploits. By joining the swarm shortly after a
package is updated, an attacker will find out which peers have
downloaded the vulnerable version of the package, but not the new
version.

A machine that can be compromised this way would still be
vulnerable without DebTorrent, but DebTorrent means the attacker
doesn't have to scan IP addresses for vulnerable machines.

Steve
More information about the Debtorrent-devel mailing list