fundable-packaging-improvements
Security notifications for vulnerable packages
To keep PyPI's users secure, we want to give them an opt-in communication channel for hearing about security vulnerabilities in the packages they use. Implementing this would also give us the architectural support to warn pip users, or stop them outright, when they try to install a PyPI package that has been found to be broken or malicious. We need funding for user experience work, development, testing, infrastructure, potentially platform services (e.g., SMS), and community outreach.