Policy needed for external software that is not packaged
Following on from this thread.
The general question is whether external software should be packaged rather than pulled in from GitHub, for security reasons:
- Having a package maintainer delegates responsibility for threats such as unnoticed/unpatched CVEs and supply-chain attacks.
- If the software is not packaged, we take this responsibility on ourselves.
The specific case is jwt-cpp, a header-only library that is only available on GitHub.
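If the library is pulled in from GitHub rather than packaged, the minimum the project takes on is pinning an exact release and refusing to build from an archive whose digest does not match the one recorded at review time. The following is an added example, not code from this thread or from jwt-cpp; the URL, tag and digest are placeholders.

```shell
#!/bin/sh
# Added example: pin an unpackaged dependency (here jwt-cpp) to an exact release
# archive and verify its SHA-256 before using it. Values below are placeholders.
set -eu

JWT_CPP_VERSION="vX.Y.Z"                                   # placeholder: exact tag
JWT_CPP_URL="https://example.invalid/jwt-cpp-${JWT_CPP_VERSION}.tar.gz"   # placeholder
JWT_CPP_SHA256="<sha256-recorded-when-the-pin-was-reviewed>"                # placeholder

# sha256_of FILE -> prints the hex digest (sha256sum or shasum, whichever exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED_SHA256 -> returns 0 if the digest matches, 1 otherwise.
verify_archive() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_pinned URL EXPECTED_SHA256 DEST -> download, verify, and delete DEST on mismatch
# so that a tampered or unexpectedly changed archive is never left where the build
# could pick it up.
fetch_pinned() {
    curl -fsSL -o "$3" "$1"
    if ! verify_archive "$3" "$2"; then
        echo "checksum mismatch for $1; refusing to use $3" >&2
        rm -f "$3"
        return 1
    fi
    echo "verified $3 against recorded SHA-256"
}

# Usage once the placeholders are filled in:
#   fetch_pinned "$JWT_CPP_URL" "$JWT_CPP_SHA256" third_party/jwt-cpp.tar.gz
```

Updating the pin then becomes an explicit, reviewable change to the tag and digest, which is where the CVE and supply-chain responsibility the thread describes actually lands.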