sources: Track -security and -updates in dedicated branches
On a development release, -security and -updates end up in the same place.
On stable releases, -security and -updates may diverge and thus target
different apertis branches (apertis/$RELEASE-security
and
apertis/$RELEASE-updates
respectively).
Given that, keep the mapping 1:1 between what's in the upstream repositories and the git branches, and encode policies elsewhere.