Monitor Bodhi for security updates #237

Open
bgilbert opened this issue Aug 1, 2019 · 0 comments
bgilbert commented Aug 1, 2019

We should have automated tooling which monitors Bodhi for:

  1. security updates,
  2. for packages in Fedora CoreOS,
  3. which have a larger NEVRA than the corresponding package at the head of one or more production or development branches,
  4. which have not been fixed by a backport, and
  5. which have not been explicitly ignored for that branch,

and notifies us. We can then

  1. update branch lockfiles to accept the package, optionally performing an OS release,
  2. backport the fix and update lockfiles to accept the backport, optionally performing an OS release, or
  3. explicitly ignore the update with respect to certain branches, e.g. if it's not important enough to fix out-of-cycle.

The tool should complain periodically until we do one of those things.

We'll need a way to record that a backport includes the security content of a particular Bodhi update, and to record that we're ignoring certain security updates. I think it makes sense to create a new file for that in each fedora-coreos-config branch.

To support the next stream, the tool will need to monitor multiple Fedora releases. For maximum advance notice, we'll probably want to recognize an update from the moment it's created in Bodhi, even before it's pushed to updates-testing.
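
The five selection criteria in the issue above, worked through as an added example (not part of the issue and not Fedora CoreOS tooling code). Assumptions: the update records are simplified, constructed stand-ins for Bodhi data, the per-branch package map stands in for the branch lockfile, the overrides structure is a hypothetical shape for the proposed per-branch file, and `rpmvercmp` is a simplified comparison that ignores RPM's `~` and `^` modifiers.

```python
import re

def rpmvercmp(a, b):
    # Simplified RPM ordering: digit runs as ints, letter runs as strings, digits beat letters.
    sa, sb = (re.findall(r"\d+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_newer(a, b):
    # True if EVR string a ("[epoch:]version-release") sorts after b.
    def parse(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = parse(a), parse(b)
    return ea > eb if ea != eb else (rpmvercmp(va, vb) or rpmvercmp(ra, rb)) > 0

def pending(updates, branches, overrides):
    # Map each branch to the update aliases that still need a decision.
    out = {}
    for name, branch in branches.items():
        # Aliases already ignored or covered by a backport on this branch.
        handled = {a for v in overrides.get(name, {}).values() for a in v}
        lock = branch["packages"]
        for u in updates:
            if (u["type"] == "security" and u["release"] == branch["release"]
                    and u["alias"] not in handled
                    and any(p in lock and evr_newer(evr, lock[p])
                            for p, evr in u["builds"].items())):
                out.setdefault(name, []).append(u["alias"])
    return out

# Constructed sample data: aliases, package names and versions are made up.
UPDATES = [
    {"alias": "EXAMPLE-0001", "type": "security", "release": "F30", "builds": {"libfoo": "1.2.10-1.fc30"}},
    {"alias": "EXAMPLE-0002", "type": "bugfix", "release": "F30", "builds": {"libfoo": "1.2.11-1.fc30"}},
    {"alias": "EXAMPLE-0003", "type": "security", "release": "F30", "builds": {"notshipped": "2.0-1.fc30"}},
    {"alias": "EXAMPLE-0004", "type": "security", "release": "F30", "builds": {"bar": "1:0.9-3.fc30"}},
    {"alias": "EXAMPLE-0005", "type": "security", "release": "F31", "builds": {"libfoo": "1.3.0-1.fc31"}},
]
BRANCHES = {"stable": {"release": "F30", "packages": {"libfoo": "1.2.9-2.fc30", "bar": "1:0.9-2.fc30"}},
            "next": {"release": "F31", "packages": {"libfoo": "1.3.0-1.fc31"}}}
OVERRIDES = {"stable": {"ignored": ["EXAMPLE-0004"], "backported": []}}
```

`pending(UPDATES, BRANCHES, OVERRIDES)` reports only `EXAMPLE-0001` for `stable`; note that `1.2.10` sorts after `1.2.9` only because digit runs are compared numerically, which a plain string comparison would get wrong.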
