- make virtual packages work again
- make apk del (for non-empty packages) work again

allow also overriding old (possibly bad) world dependency.
hopefully it's more bullet proof now.

accept also pkgfile in addition to pkgname. make also the signature
verification stuff work properly again with non-repository files.

this makes the database package entry smaller, and we propbably
get more fields to installed_package later too. this cleans up
the way scripts are stored and is a preparation for supporting
triggers. some parsing for trigger meta-data. ref #45.

also have the output stream support writing to temporary file
and do renameat/unlinkat on close depending on if all writes
succeeded or not.

and take checksums for symlinks too.

otherwise, non repository files present in cache are not
considered for installation (e.g. when booting from cdrom).

fixes #127

some hooks to package verification code were missing causing the
verification to not be done (causing pre-script to be not run).
fixes #124, #126.

so do not skip it even if it's no longer available.

otherwise old world deps are used and unintended results will
happen.

instead enforce world dependencies when the package name
is first referenced upon.

this helps boots sequence when network is not available.

so user can override trusted keys directory and repositories file.

it's a warning not an error to have non-existant repository.
bad signature means tampering; but we might want to just ignore
those. this is especially important if we have http repositories
and we are bootstrapping (without network).

they are not needed, and cause errors if signing keys are not
present.

over the ones in config file. also remove the apk_root == NULL
check as this cannot happen anymore. a valid root is always
required.

usually we are interested on the actual file's length. but
audit is interested about the link. so add a flag for this and
use it in audit.

so do not choke on it.

so initialize db with a root, but avoid loading state or
repositories.

it will allow to overwrite files owned by some other packages
to get upgrades right (e.g. when splitting or renaming packages)

also makes it possibly to upgrade package without adding it to
top-level deps. fixes #69.

previously they might have been skipped on certain situations.
this also fixes some other reverse dependency enforcements and
implements new "pending" state for locked name.