Hello Christoph,
I'm investigating an issue in 'debian-security-support' related to how
it includes/excludes packages by comparing the installed version and the
supported version, see:
https://bugs.debian.org/986581
At this point I'm inclined to drop all the version-based logic, because
when a package is added in security-support-ended.debX, that means there
is immediate concern about this package, and we already can distinguish
upcoming and effective end-of-support through dates.
We could not find a valid use case for this feature, while it is causing
some missing reports as with 'nodejs', as explained in the above BTS entry.
Did we miss something?
Cheers!
Sylvain