We implement this by giving a list of permitted licenses, and then
using cargo-license to dump everything's actual license. Since
packages list their licenses as "x OR y OR z", we permit any package
that is available under at least one license on the allow-list.
This is a somewhat obnoxious change in its scope and requirements,
but it makes it easier to understand what the real public and
private parts of our APIs are.