metapackages that use these provides. If the original intent for
creating the provides is solely for internal auditing needs, is it
appropriate to expose to everyone in this way?
Actually it's to assert that we're providing a backported patch for a
security issue in a package. This is incredibly useful to end users,
especially those who have to respond to auditors (we get many requests
along these lines, where a customer wants to be able to show an auditor
that the old version of, say, OpenSSH, contains a fix for some particular
named issue).
Cheers, Mark