Ensure we don't install unwanted packages even if they become "Priority: standard" again

368b038b1ef887d2a85a7b2a1504ef6163d4c169, 4685644525247a16840b5e52ff43372dfdf5a084 could lead to these packages being installed again, e.g. in case of override discrepancy between the Debian security archive and the regular Debian archive. This has bitten us a few times in the past, e.g. with exim and mutt. So instead of simply doing what these commits do, we should do the same thing as for procmail and mutt (when the package name is a fixed string) or for geoclue (when we need a regexp).

And while we’re at it, mostly off-topic here but batching these two tasks together will save us time: let’s ensure we never ship policykit-1-gnome (#16947 (closed)).

Feature Branch: bugfix/16949-avoid-unwanted-packages-coming-back

Related issues

Related to #16950 (closed)
Blocks #16209
Blocked by #16822 (closed)

Original created by @intrigeri on 16949 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information