Check for patched packages

This makes sure we don't end up with broken images pulling newer versions from Debian than we have by checking against a fixed list of packages that "need" pureos in their version number indicating they are patched.

This would ideally be checked in separate test step but until this is there let's put it here rather than shipping broken images.

This will not prevent people from dist-upgrading into breackage (enough rope to hang yourself) but avoids hand maintaining verstion lists until we switch over to pureos build infra.