Annotate packages which are only referenced by built-using

[fmoessbauer]

These packages are sometimes not found in the apt-cache, as they are from the past.
However, people seem to be surprised why we get the "imprecise lookup" warning on them.

For details, please also see https://lists.debian.org/debian-snapshot/2025/10/msg00004.html, mainly:

Source packages referenced in built_using only have name and version
information, but no checksum (and they often cannot be found in the apt
cache)

Yeah, that feels bad in the abstract. A lot of .buildinfo and built-using information (and the signature!) is only valid at the point in time of building/ingestion.

[Urist-McGit]

Apparently one should be able to identify packages by their name, version, arch triplet (or name, version tuple for source packages), see here. If that is the case maybe we should omit the warnings, since that imprecision would be a bug in the snapshort mirror.

And thinking about the implementation: this would be hard to implement, as the download command, where this warning is emitted, takes either an SBOM or a package list. We would have to get the information from there, and this is only possible in SPDX SBOMs right now, as we can be clever with the relationships and find out which packages are only referenced by Built-Using.