go_vendor_archive: plan for security updates

Add a config option to override dependencies (for security updates or other reasons) and then run the appropriate go get -u commands before go mod vendor.


From Matrix today:

daMaestro

while mulling this over I wondered about two things (and have not yet read the full code of go-vendor-tools to understand it well enough yet):

  • are we going to be able to set a bundled version? that would be needed for CVE scanning and automatic rebuilding (understanding that in the golang ecosystem that might only be a commit ID)
  • how are we going to verify upstream source vs what's in the vendored tar?

gotmax23

The vendor tarballs created by go_vendor_archive are reproducible. There's some tar metadata normalization code in there.

For security updates, it will be possible for packagers to regenerate the archive with the new library version

Prodsec files a bunch of bugs against all affected packages after a library vulnerability. These used to be unactionable, as the change needed to be made in the library package itself.

Now, packagers will have a relatively straightforward process to regenerate the archive and then they can submit a new build.
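The plan from the description (override a dependency, run go get, then go mod vendor) and daMaestro's question about a bundled version, as an added example that is not go-vendor-tools' own code: the overrides table stands in for the proposed config option, the function names are assumptions, and all inputs are constructed. It emits the go get commands an override needs and reads the bundled versions back from vendor/modules.txt so a packager can confirm the new library version actually landed before submitting a build.

```python
# Constructed sample inputs, not real project data; OVERRIDES stands in for the
# hypothetical config option, the other two for go.mod and vendor/modules.txt.
GO_MOD = """module example.com/app
require (
\tgolang.org/x/net v0.7.0
\tgithub.com/spf13/cobra v1.7.0
)
"""
OVERRIDES = {"golang.org/x/net": "v0.17.0"}
MODULES_TXT = """# golang.org/x/net v0.17.0
## explicit; go 1.17
golang.org/x/net/html
"""

def parse_require(go_mod: str) -> dict[str, str]:
    """Return {module: version} from go.mod require directives (block or single-line)."""
    deps, in_block = {}, False
    for raw in go_mod.splitlines():
        parts = raw.split("//", 1)[0].split()  # drop comments such as "// indirect"
        if parts == ["require", "("]:
            in_block = True
        elif parts == [")"]:
            in_block = False
        elif in_block and len(parts) == 2:
            deps[parts[0]] = parts[1]
        elif len(parts) == 3 and parts[0] == "require":
            deps[parts[1]] = parts[2]
    return deps

def go_get_commands(go_mod: str, overrides: dict[str, str]) -> list[str]:
    """Pin each overridden module; an override go.mod already satisfies emits nothing."""
    deps = parse_require(go_mod)
    return [f"go get {m}@{v}" for m, v in overrides.items() if deps.get(m) != v]

def vendored_versions(modules_txt: str) -> dict[str, str]:
    """Bundled versions from vendor/modules.txt, whose module headers read
    '# <module> <version>' (or '# mod v1 => target v2'; the right-hand side is vendored)."""
    found = {}
    for line in modules_txt.splitlines():
        if line.startswith("# "):
            found[line[2:].split()[0]] = line.split(" => ")[-1].split()[-1]
    return found

def check_overrides_applied(modules_txt: str, overrides: dict[str, str]) -> list[str]:
    """Problems to fix before submitting a build: override absent from the tree or wrong version."""
    have = vendored_versions(modules_txt)
    return [f"{m}: vendored {have.get(m, 'nothing')}, expected {v}"
            for m, v in overrides.items() if have.get(m) != v]
```

The module header lines of vendor/modules.txt are also the place to read a bundled version for CVE scanning, since they record exactly what the archive contains.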