Port contents of Documentation/PackageSecurity.md to DocC

[bripeticca]

Fixes #8591

Ports the contents of Documentation/PackageSecurity.md to our DocC catalog in Sources/PackageManagerDocs/PackageSecurity.md.

[bripeticca]

@swift-ci please test

[bripeticca]

@swift-ci please test

[bripeticca]

@swift-ci please test windows

[heckj]

@swift-ci please test windows platform self hosted

[heckj]

Suggested change

	Learn about the security features that SwiftPM implements.
	Learn about the security features that the package manager implements.

(I've been taking to removing SwiftPM and replacing it with "package manager")

[heckj]

Suggested change

	SwiftPM records **fingerprints** of downloaded package versions so that
	Package manager records **fingerprints** of downloaded package versions so that

[heckj]

Suggested change

	That is, when a package version is downloaded for the first time, SwiftPM trusts that
	That is, when a package version is downloaded for the first time, the package manager trusts that

[heckj]

Suggested change

	compromised and SwiftPM will either warn or return an error.
	compromised and the package manager either warns or returns an error.
	Control the choice of warning or error using the build option `--resolver-fingerprint-checking`, which defaults to `strict`.
	Set the value to `warn` to not error on a mismatched fingerprint.

[heckj]

Suggested change

	All version fingerprints of a package are kept in a single file
	The package manager keeps version fingerprints for each package in a file

[heckj]

Suggested change

	- For a Git repository package, the fingerprint filename takes the form of `{PACKAGE_NAME}-{REPOSITORY_URL_HASH}.json` (e.g., `LinkedList-5ddbcf15.json`).
	- For a Git repository package, the fingerprint filename takes the form of `{PACKAGE_NAME}-{REPOSITORY_URL_HASH}.json` (such as `LinkedList-5ddbcf15.json`).

[heckj]

Suggested change

	- For a registry package, the fingerprint filename takes the form of `{PACKAGE_ID}.json` (e.g., `mona.LinkedList.json`).
	- For a registry package, the fingerprint filename takes the form of `{PACKAGE_ID}.json` (such as `mona.LinkedList.json`).

[heckj]

Suggested change

	For packages retrieved from a registry, the package manager expects all registries to provide consistent fingerprints for packages they host.
	If registries have conflicting fingerprints, package manager reports that as an error.

[heckj]

Everything from line 30 (heading included) is replicated content from above - I made some suggestions to cherry pick a few details in the content above, and I think everything below can be deleted. Give it a read through and verify though.