Monitor packages that can't be upgraded for some reason

Prior to a recent Puppet monitoring code refactor, we had an APT "upgradable" packages check that ensured we noticed if there were packages that couldn't be upgraded for some reason, for example because of outdated APT pinnings.

We need to reimplement this check in the new monitoring code.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information