Drop FOSSA?

[200sc]

Every time FOSSA tells us anything about a PR, it's always wrong. Right now it's just alert fatigue and having to go in manually and tell FOSSA "no we aren't importing ffmpeg code" or etc makes our builds red when they aren't (like https://github.com/oakmound/oak/commit/5ba729bd62a02c9540f9385bc048f3d91a717de5, the current commit) and is a bad look.

[200sc]

@Implausiblyfun Thoughts? I'm inclined to just drop it.

[Implausiblyfun]

Per discussion we will drop FOSSA and go to a strategy where we pin dependencies and store a file with the hashes. That way we can make sure that we are manually checking.