dkg has updated his key so the previous image does not match anymore.

Mount a dedicated tmpfs on /run/initramfs instead of trying to remount /run with the "exec" option (refs: #16097).

My previous approach, i.e. "let's remount /run with the exec option via a unit
file started as part of the shutdown procedure", worked just fine for clean
shutdown. But it does not work for emergency shutdown, i.e. when the boot medium
is physically removed: for some reason (possibly missing bits in the memlockd
configuration), this service is not started, and then systemd-shutdown won't
return to the initramfs because /run/initramfs/shutdown is not executable.

So let's instead disregard /run and extract the initramfs into a dedicated
tmpfs, that we mount on /run/initramfs (where systemd-shutdown will look for
it), and that we mount without the "noexec" option.

Also, remove manual calls to eject(1):

 - They increase chances that the shutdown process breaks due to missing
   files locked in memory by memlockd.

 - Their sole benefit is to ensure we physically eject the DVD. It's unclear if
   this code is still needed nowadays. Regardless, starting with Tails 3.12, the
   only supported use case for ISO and DVD is virtual machines, which are not
   targeted by the emergency shutdown feature, which is about removing the
   *physical* boot medium.

Remounting /run with the "exec" option in /lib/systemd/system-shutdown/tails
does not work anymore with systemd v239, while it worked at least until systemd
v237. I could not find out why by reading systemd's NEWS file.

So let's instead do this there:

 - For clean shutdown: in a new, dedicated service, started immediately before
   final.target, which itself is a synchronization point that ensures this
   service is started before the transition to systemd-shutdown and in turn to
   the initramfs, where we finish the unmounting and other clean ups needed to
   erase the memory.

 - For emergency shutdown: in the udev watchdog script, before calling the
   unclean shutdown code, which bypasses final.target and thus won't run
   tails-remount-run-exec.service. Too bad we have to duplicate this mount
   command but it seems that both instances will become unnecessary quickly
   enough, once systemd DTRT™. Another way would be to manually start
   tails-remount-run-exec.service from the udev watchdog script but I'm
   concerned it will be unreliable when the boot medium has been unplugged.

Merge branch 'bugfix/15107-specify-APT-snapshots-serial-to-build-with' into devel (Fix-committed: #15107)

Refs: #16177

Fix-committed: #15428

This reverts commit 535a2d38.

On this devel (= non-frozen) branch, we would like to get rid of the
freeze exception that was granted to linux 4.18.20-2. So besides the
revert-the-revert dance explained in 535a2d38, this commit simply
lifts the freeze exception that was granted for the 3.11 release.

Conflicts:
	debian/changelog

This reverts commit 04970143.

I failed to capture the post-release instructions; let's keep the freeze
exceptions on this stable/frozen branch. Sorry for the confusion and the
revert-the-revert dance…

Conflicts:
	debian/changelog

This reverts commit c55d08e9.

Requested-by: goupille (for frontdesk).