Add security update versions to regex and distribution/version sanity checks

Currently we don't allow versions like 3.16.7-ckt9-3~deb8u1~bpo7+1 in
*-backports, but we should!  Add the security suffix as an option
before the backports suffix.

We also don't check that an upload to *-security or *-lts includes the
expected suffix and nothing else.  Add a check for that.

svn path=/dists/trunk/linux/; revision=22539

debian/bin/gencontrol.py

@@ -492,6 +492,10 @@ class Gencontrol(Base):
         if distribution in ('experimental', ):
             if not version.linux_revision_experimental:
                 raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))
+        if distribution.endswith('-security') or distribution.endswith('-lts'):
+            if (not version.linux_revision_security or
+                version.linux_revision_backports):
+                raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))
         if distribution.endswith('-backports'):
             if not version.linux_revision_backports:
                 raise RuntimeError("Can't upload to %s with a version of %s" % (distribution, version))

debian/lib/python/debian_linux/debian.py

@@ -139,14 +139,17 @@ class VersionLinux(Version):
         ~exp\d+
     )
     |
+    (?P<revision_security>
+        [~+]deb\d+u\d+
+    )?
     (?P<revision_backports>
         ~bpo\d+\+\d+
-    )
+    )?
     |
     (?P<revision_other>
         [^-]+
     )
-)?
+)
 $
 """
     _version_linux_re = re.compile(_version_linux_rules, re.X)
@@ -167,6 +170,7 @@ $
         self.linux_upstream_full = self.linux_upstream + d['update']
         self.linux_dfsg = d['dfsg']
         self.linux_revision_experimental = match.group('revision_experimental') and True
+        self.linux_revision_security = match.group('revision_security') and True
         self.linux_revision_backports = match.group('revision_backports') and True
         self.linux_revision_other = match.group('revision_other') and True