Re: Scalable Debian vulnerability tracking
Is there anything wrong with using cfengine for this? 
I'd just have a very simple layout for cfengine files and a
cf.packages.$distro  file for each distro we support. Then have
cfengine maintain a list of known packages that needs to be on each.
Reporting can be easily done from a module (cfengine module). And this
can be written in whatever language you want.
I've been successfully using cfengine to manage large datacenters for
a long time.
The learning curve is a bit steep at first, but you will be up and
running in a few hours.
Hope this helps.
----- START ENCRYPTED BLOCK (Triple-ROT13) ------
Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur
----- END ENCRYPTED BLOCK (Triple-ROT13) ------