chore(deps): Make Apostille Go-Gettable Again

[ecordell]

This PR kind of sucks.

I had switched over to using vendetta to manage dependencies (which just does a very simple thing - adds dependencies as submodules under the vendor directory).

Unfortunately, that made it so that go get wouldn't work for apostille anymore. go get understands submodules just fine, but you can't add any additional processing steps.

We have to remove the nested vendor directories in docker/notary and docker/distribution in order for apostille to build, because go doesn't deal well with nested dependencies. For details see: golang/go#12432

So we have to store all of the vendored files in the repo for realsies :(

[jzelinskie]

You should make sure this use case is represented in the design of the official go tool, dep.

[ecordell]

@jzelinskie I think this user story covers it:

US8 As a consumer, I want the option of including or excluding a dependency’s test code and its dependencies. [2x neutral] [2x positive] 2

also this:

US28 As a user of Go software, I want go get (or some new, similar command) to still work, but to transparently utilize lock information as needed in order to produce exactly the compiled binary/ies the author intended.

[charltonaustin]

I don't have a lot of context, but LGTM