Add RFC for upstream package source handling

Add an RFC that proposes choosing transparent sources by default and
adds guidelines for the handling of cryptographic signatures for Arch
Linux package sources.

Signed-off-by: Robin Candau <antiz@archlinux.org>
Signed-off-by: David Runge <dvzrv@archlinux.org>