Monitor packages that can't be upgraded for some reason

Prior to a recent Puppet monitoring code refactor, we had an APT "upgradable" packages check that ensured we noticed if there were packages that couldn't be upgraded for some reason, for example because of outdated APT pinnings.

We need to reimplement this check in the new monitoring code.

Note: For S11, this fits in:

• B.2 - Keep our infrastructure up-to-date and secure: Sometimes manual intervention is needed to perform the upgrade of some system packages, and we currently don't have enough visibility on that.