Ensure per-package blank imports for vendoring are easy to maintain

[dagood]

go/patches/0002-Vendor-crypto-backends.patch

Lines 210 to 223 in dddedbf

	+import (
	+ _ "github.com/golang-fips/openssl/v2"
	+ _ "github.com/golang-fips/openssl/v2/bbig"
	+
	+ _ "github.com/microsoft/go-crypto-darwin/bbig"
	+ _ "github.com/microsoft/go-crypto-darwin/xcrypto"
	+
	+ _ "github.com/microsoft/go-crypto-winnative/cng"
	+ _ "github.com/microsoft/go-crypto-winnative/cng/bbig"
	+)
	+
	+// This file is here just to declare the external dependencies
	+// that are used by the backend package. This allows to track
	+// their versions in a single patch file.

It looks like we have to import each package to make sure go mod vendor picks it up, but I don't see this documented. (I'm also not 100% I have the reason right, didn't get a chance to poke around locally.)

If that's right, it's a little concerning that the vendoring patch has to "predict" what packages will be used by later patches--not a practical concern most likely (we have very few, pretty consistent, packages), but I want to understand better how a mistake is detected and make sure this is as maintainable and documented as necessary.