I searched the archives and didn’t find a mention of this even though it’s a little old.
TL;DR /etc/machine-id is a way of identifying the host. If you are concerned about that I believe that you can safely regenerate it with the following command:
sudo /bin/rm /etc/machine-id; sudo /usr/bin/systemd-machine-id-setup
It is unclear whether this is really an issue. If all your source is open and you have verified that all programs either don’t use the value or use it in the approved manner (sd_id128_get_machine_app_specific or equivalent), then maybe it’s OK.
Needless to say, it may not be safe to regenerate the value on the fly if software is actually using the value.
Reading the man page, it may be viable to force /etc/machine-id to be an empty read-only file. Then you will automatically get a new random value at each boot.
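To make the "approved manner" concrete, here is an added example (mine, not code from the post or from systemd) that re-creates what sd_id128_get_machine_app_specific does in plain Python: the man page describes it as HMAC-SHA256 of the application ID keyed by the machine ID, truncated to 128 bits. The version/variant bit stamping that turns the result into a v4 UUID follows what I have read in the systemd source and is an assumption; the machine ID and application ID values below are constructed samples, not real identifiers. The point it demonstrates is why the derived ID is preferable to handing out the raw machine ID: each application gets a stable but different ID, and the machine ID cannot be recovered from any of them.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed sample values for the demonstration (not real identifiers).
SAMPLE_MACHINE_ID = "0123456789abcdef0123456789abcdef"
# Application IDs are fixed per-application 128-bit constants; these are made up.
SAMPLE_APP_ID_A = "fedcba9876543210fedcba9876543210"
SAMPLE_APP_ID_B = "00112233445566778899aabbccddeeff"


def parse_id128(text: str) -> bytes:
    """Parse the 32-hex-character form used in /etc/machine-id into 16 bytes.
    A trailing newline (as written by systemd-machine-id-setup) is tolerated."""
    text = text.strip()
    if len(text) != 32 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError("expected 32 lowercase hex characters")
    return bytes.fromhex(text)


def make_v4_uuid(raw: bytes) -> bytes:
    """Stamp RFC 4122 version-4 and variant bits onto 16 raw bytes.
    Assumption: this matches the adjustment systemd applies to generated IDs."""
    b = bytearray(raw)
    b[6] = (b[6] & 0x0F) | 0x40   # version nibble = 4
    b[8] = (b[8] & 0x3F) | 0x80   # variant bits = 10xx
    return bytes(b)


def machine_app_specific_id(machine_id_hex: str, app_id_hex: str) -> str:
    """Derive an application-specific ID from the machine ID:
    HMAC-SHA256(key=machine_id, msg=app_id), first 16 bytes, formatted as v4 UUID hex."""
    key = parse_id128(machine_id_hex)
    msg = parse_id128(app_id_hex)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return make_v4_uuid(digest[:16]).hex()


def fresh_machine_id() -> str:
    """Produce a random machine ID in /etc/machine-id format, i.e. what a host
    ends up with after the file is regenerated or left empty at boot."""
    return make_v4_uuid(secrets.token_bytes(16)).hex()


def is_v4_uuid_hex(hex32: str) -> bool:
    """Check that a 32-hex-character ID carries v4 UUID version and variant bits."""
    u = uuid.UUID(hex=hex32)
    return u.version == 4 and u.variant == uuid.RFC_4122


if __name__ == "__main__":
    a = machine_app_specific_id(SAMPLE_MACHINE_ID, SAMPLE_APP_ID_A)
    b = machine_app_specific_id(SAMPLE_MACHINE_ID, SAMPLE_APP_ID_B)
    print("machine id        :", SAMPLE_MACHINE_ID)
    print("app A specific id :", a)
    print("app B specific id :", b)
    # After a regeneration every application-specific ID changes as well.
    new_mid = fresh_machine_id()
    print("after regeneration, app A id:", machine_app_specific_id(new_mid, SAMPLE_APP_ID_A))
```

Running it shows two unrelated-looking IDs for the two applications, and a third value for application A once the machine ID has been regenerated, which is exactly the "may not be safe to regenerate on the fly" caveat: anything that persisted the derived ID will no longer match.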