Pkg.jl telemetry should be opt-in

Ok, I think that might be fair, considering the log of UUIDs as a possible toxic data asset which may be used against a wide variety of target servers.

But we should also frame this debate by comparing to the damage that release of a fairly normal server log might do in the absence of UUIDs. I don’t know what the package server will log currently, but let’s suppose it keeps:

  • IP address
  • Packages requested by that IP address

Now, suppose you get hold of those logs. You already have the information to attack servers in exactly the way you mention regardless of UUIDs being included or not. As others have mentioned further up the thread, the UUIDs are less valuable to an attacker than data which is already inherently known as part of normal package server operation.

(Side note: I’d point out that any well-developed workflow for server deployment would involve downloading packages to the build machine, not on production servers. So if anything, the UUID and IP would be associated with the build machines, not the public IP of a production server. Naturally some people will update their packages on production servers and we should consider that as an expected use case. But I’d generally discourage this and not expect to see it in a modern deployment scenario.)