Achieving Consistency of Software Updates against Strong Attackers
Abstract
Update systems that regularly distribute updates for installed software systems to end users are an essential part of modern security. Problems arise when the update system is misused and malicious updates are sent only to a small set of end users. Such situations can occur if the software supplier has been successfully attacked or is coerced by government agencies to distribute hand-crafted updates containing promiscuous functionality like back-doors to a set of suspects. In this paper, we define a set of general security requirements for update systems that encompass protection against malicious updates. We then introduce the design of an update system that satisfies all requirements and present an implementation as an extension to the Advanced Package Tool (APT) for the Debian operating system. We evaluate the strengths and weaknesses of the system and discuss its large-scale applicability with respect to security and performance overhead.