[dchanm]

"It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model."

There is definitely value in having an aggregate database with recent security information. We agree that there are certain customers who would prefer / require an on-premise solution. Selling database access is something that we have considered, but haven't looked into deeply.

There is no restriction that the data must come from your local machine. You can integrate with our API to create a machine that has ``all'' packages for Ubuntu version X. We will then notify you when packages are outdated and you can act on that locally. Granted this still leaks the version of Ubuntu you are running, but we will have no insight into what each of your machines are actually running.

Thanks for raising these concerns.