profile::tails::jenkins::iuk_builder: pin src:squashfs-tools-ng to the version from Bookworm

Impact

Without this, the build of IUKs from isoworkers running Trixie probably won't be reproducible.

What we need

tl;dr: please pin binary packages built from src:squashfs-tools-ng to the version from Bookworm on all Jenkins isoworkers, then ensure they're downgraded on isoworkers that were upgraded to Trixie.

And I would suggest adding a comment next to the pinning in Puppet code, to explain why it's there, and why it should not be removed next time it looks like it's superfluous (which is the case most of the time — except when we really need it, such as right now):

All binary packages built from src:squashfs-tools-ng must have the same version on Release Managers' systems and all isoworkers. Also, upgrades to newer versions must be tested to ensure they don't break reproducibility. To achieve this, we need to coordinate such upgrades, and to not upgrade these packages on our Jenkins isoworkers before the Tails Team asks for the upgrade.

Thanks in advance!