Check the model of an uploaded package

[certik]

Compare the package model of an uploaded package against the model in the registry to ensure no malicious code was added. Also for module naming conventions.

Details:

• The fpm builds a local package into a source tarball, and exports the model to JSON. It packages the JSON file with the source tarball.
• fpm uploads the source tarball with the JSON to registry
• The registry backend checks the JSON model against a model generated in the backend from fpm.toml from the uploaded source tarball

This check is not for security, but rather for consistency of the uploaded packages, it checks:

• checks for module naming conventions
• checking that fpm model can be built (so fpm.toml and all source files are consistent)

A separate feature to consider for a separate milestone is:

• Actually doing fpm build, that is, building the package using a Fortran compiler. This is effectively a CI. That's a huge milestone on its own.

[certik]

Let's not run fpm at all, in our first deliverable of the registry.

Instead, let's add several checks in the Python backend, implemented in Python itself:

• Unpack the tarball
• Load fpm.toml as TOML into Python
• Check that required sections are there
• Check that all dependencies exist in registry, with the correct version
• Check generated JSON has correct hashes with the Fortran files in the tarball (and that they all exist)

All the above checks must be just couple hundred lines of Python the most. If it requires more, then let's discuss. That way it will be maintainable for us.

Bonus:

• Check the module naming convention (let's do this after deliverable)