On the short term, this allows us to get the mitigation against
Spectre (CVE-2017-5715).

While this could be done via our freeze exception mechanism, instead I chose to
bump APT snapshots and add APT pinning to install these packages from sid for
the foreseeable future: keeping CPU microcode up-to-date has become an important
factor in securing systems these days and such security updates land faster in
sid than anywhere else in Debian.