Clarify what must be retained during source migrations

[TomHennen]

          verified timestamps are provided by the SCP, so when I migrate the source to a new SCP, I think this means that the org must keep the original repo around to keep the "true" timestamps. 

Or else, we may be saying that SCPs must provide a way to export the verified timestamps somehow. We should consider making that clearer here, and I'm not sure which way is better! I'm not sure SCPs would import timestamps like that.

Originally posted by @zachariahcox in #1037 (comment)

[TomHennen]

See also this discussion

[zachariahcox]

I think we are strongly leaning towards attestations being "from the perspective of a specific authority."

Migrating a repo between two servers will be inherently lossy.
If a repo moves from github to gitlab, gitlab will not trust the timestamps issued by github, but github might still verify an attestation it issued in the past.

It is not clear if gh would continue to host attestation for repos that have been taken down (almost certainly it would not under normal circumstances), but the signed attestations can be downloaded and migrated (and served) if desired by the new host.

[zachariahcox]

I propose we add:

"SCPs are not required to export any information during repo migration. All provenance attestations are issued from the perspective of the SCP and are based on knowledge that may or may not be publicly available."

[zachariahcox]

we have removed most of this related text from the source-requirements doc. marking closed for now.