Automate CVE assignment for renamed/branched/forked packages

Automate CVEs assignment for renamed/branched/forked packages.

Examples package sets:

• gnutls26 gnutls28
• golang golang-1.7 golang-1.8 golang-1.11 [golang is the jessie full package, not the newer meta-package]
• lynx lynx-cur
• php5 php7.0 php7.3 php7.4 php8.0
• python2.7 python3.4 python3.5 python3.7 python3.9
• unbound unbound-1.9

E.g., if a CVE is assigned to python3.4, it likely affects python2.7 too, so the script should mark it so e.g. in data/CVE/list. One way to track such package sets is to maintain a renamed-packages file.

History:

• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738172 - Track renames of source packages (2014) - secteam agrees
• https://lists.debian.org/debian-lts/2017/03/msg00177.html - Dealing with renamed source packages during CVE triaging (2017) - suggests preparing - package <removed> entries
• https://lists.debian.org/debian-lts/2021/02/msg00083.html - Tracking related source packages (2021) - conflicting feedback from secteam (jmm/carnil) (caution: the thread then mixes this up with #2 and dies)

Do not confuse with #2 (tracking embedded code copies) which warrants a different workflow, has much more false positives, and tends to stale efforts on this task.