Allow defining project {black,white}list policies

[sdboyer]

One of the things that organizations may want to do internally is define policies for either allowing or disallowing projects - perhaps projects as a whole, or just some subset of their versions. There are many possible reasons for doing this:

• Exclude versions of dependencies that have not yet been audited to meet with internal or compliance-required standards
• Exclude software from an untrusted party
• Centrally enforce alignment on certain "blessed" versions of dependencies across an organization

If there are other needs folks have that seem like they might fall under this "policy" heading, please do speak up!

These things all require some additions to gps, though nothing horribly bad. Excluding particular versions amounts to additional constraints. Excluding whole import path structures isn't something gps supports now, but it's not terrible to add.

[sdboyer]

There's at least one question, though - should the policies be incorporated when computing the memo value (run dep hash-inputs to see the raw inputs to the hasher for a given project)? Probably yes, but that could also get pretty annoying to develop if policies are updated regularly.