registry-dev
Adds basic license check
@thomashoneyman I have a draft PR with something along the lines of what we talked about in the registry meeting, but as I was putting it together I realized that the solution may be more simple than what we had discussed. This PR is my attempt to do that simple thing. If it is missing something, then let me know and I can add more logic.
One of the recommendations in #251 is the following:
Finally, he recommended that -- even though it isn't strictly necessary -- when new packages are submitted to the registry in the future, we should reject packages that specify multiple licenses (MIT in package.json, BSD-3-Clause in purs.json) and ask them to join those licenses with a proper SPDX conjunctive like AND or OR.
...which means that we'd still need something like this check, right?
Yea, we still want to have a check in the package upload pipeline that just verifies that the SPDX identifier you've asserted in your package manifest checks out against other manifest files / LICENSE files present. We won't fix it for you, but we'll reject packages that have an identifier in their purs.json that doesn't accurately represent the licenses in their repository.
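An added illustration of the consistency check described above, written in Python rather than as the registry's own PureScript code: it assumes the purs.json `license` field holds an SPDX expression, takes the package.json `license` value plus any identifiers already detected from LICENSE files as inputs (detection itself is assumed to happen upstream), and rejects the package when the purs.json expression does not name every license found elsewhere. The sample manifests are constructed for the MIT vs. BSD-3-Clause case from the thread.

```python
import json
import re
from typing import Optional, Set, Tuple

# Hypothetical check, not the registry's own code: purs.json's "license" field
# is assumed to hold an SPDX expression such as "MIT AND BSD-3-Clause".
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")

def spdx_atoms(expression: str) -> Set[str]:
    """License identifiers named in an SPDX expression; operators, parentheses
    and the exception name after WITH are skipped. Malformed input raises."""
    atoms, depth, after_with = set(), 0, False
    for tok in _TOKEN.findall(expression):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced parentheses: {expression!r}")
        elif tok == "WITH":
            after_with = True
        elif tok in ("AND", "OR"):
            continue
        elif after_with:  # exception identifier, e.g. Classpath-exception-2.0
            after_with = False
        else:
            atoms.add(tok)
    if depth != 0 or not atoms:
        raise ValueError(f"malformed SPDX expression: {expression!r}")
    return atoms

def check_license(purs_json: str, package_json: Optional[str],
                  license_files: Set[str]) -> Tuple[bool, str]:
    """Reject unless the purs.json expression names every license declared in
    package.json or already detected from LICENSE files (detection assumed done
    upstream). Nothing is rewritten; the mismatch is the rejection reason."""
    declared = spdx_atoms(json.loads(purs_json)["license"])
    found = set(license_files)
    npm_license = json.loads(package_json).get("license") if package_json else None
    if npm_license:
        found |= spdx_atoms(npm_license)
    missing = sorted(found - declared)
    if missing:
        return False, "purs.json license does not cover: " + ", ".join(missing)
    return True, "license identifiers are consistent"

# Constructed sample manifests for the case described in the thread.
PURS_BSD = '{"name": "example", "license": "BSD-3-Clause"}'
PURS_BOTH = '{"name": "example", "license": "MIT AND BSD-3-Clause"}'
PACKAGE_MIT = '{"name": "example", "license": "MIT"}'
```

Calling `check_license(PURS_BSD, PACKAGE_MIT, {"MIT"})` rejects, while `check_license(PURS_BOTH, PACKAGE_MIT, {"MIT"})` accepts because the purs.json expression joins both licenses with a proper SPDX conjunction.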