feat: setting to override trusted sites list

[Seb-MCaw]

Closes #814.

The alr publish and alr index --check commands currently require that Git origins use a URL with a host found in a hard-coded list of trusted sites, motivated by concerns regarding SHA1 hash collisions. Those using their own hosting arrangements (with private indexes) need to be able to configure this list.

This PR makes the list configurable, except when using alr publish without the --for-private-index switch.

PR creation checklist

• A test is included, if required by the changes.
• doc/user-changes.md has been updated, if applicable.

[Seb-MCaw]

Ready for review @mosteo.

[mosteo]

A minor refactor and a general comment:

I find using ' ' or whitespace in general to mean any domain is a bit hackish and won't be nice when printing settings with alr settings. What do you think about using some impossible domain, like '*' or "..." instead? (Probably the latter to avoid interactions with shell expansions at the time of setting.)

[Seb-MCaw]

I find using ' ' or whitespace in general to mean any domain is a bit hackish ...

Agreed. '*' was my first thought, but will definitely cause problems, and an empty list was the best alternative I could come up with. '...' is a good idea, though; thanks for the suggestion.

[mosteo]

Merged, thanks.

[Joebeazelman]

This feature needs to be documented for private indexes. I'm getting an error because dev.azure.com isn't a recognized one.

[Seb-MCaw]

This feature needs to be documented for private indexes.

It is already documented at the end of the second paragraph here, but it could stand to be better signposted; I have opened #1985.