canonical / rockcraft

Tool to create OCI Images using the language from Snapcraft and Charmcraft.
GNU General Public License v3.0

Review SPDX package #169

Open tigarmo opened 1 year ago

tigarmo commented 1 year ago

Looks like the spdx-license-list package is gone from PyPI. We use it to validate that the chosen license is valid.

#168 replaces that package with spdx-lookup as a stop-gap to "unbreak" main, but as @lengau points out that one has a single release and an outdated license db. We should review this situation and come up with something more sustainable.

lengau commented 1 year ago

Here are the options I see:

  1. Keep a copy of the licences file in our repo. If we do this, we should probably provide a way to update it (maybe an action that checks for updates regularly and makes a PR for it?)
  2. Download the file at packaging time or at runtime.
  3. Depend on SPDX's package - in order to do this, however, we'll probably need to do some work on the package ourselves (update their outdated licenses.json file, perhaps provide a better interface for looking up a licence by identifier, etc.)

Option 3 is probably the most community-focused way to do it, but it also comes with extra responsibilities we might not be able to take on and the possibility of the maintainers being unwilling to include changes we make, so it's also the riskiest.

My preference would be option 2 for the medium term with a long-term plan to move to option 3.
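One way to implement option 1 above (a vendored copy of SPDX's licenses.json that is integrity-pinned and that flags deprecated identifiers) is sketched below. This is an added example, not rockcraft's code and not code from any commenter in this thread; the licence-list document is a constructed, heavily truncated sample in the shape of the upstream licenses.json, and the pinned digest, function names and the decision to compare identifiers case-sensitively are all choices made for the example rather than facts about the SPDX spec or the project.

```python
"""Validate an SPDX licence identifier against a vendored licence list.

Added example (not rockcraft code). Demonstrates option 1 from the thread:
keep a copy of SPDX's licenses.json in the repo, pin its digest so a tampered
or partially-written file is rejected, and distinguish valid, deprecated and
unknown identifiers when validating the user's chosen licence.
"""
import hashlib
import json

# Constructed sample in the shape of https://github.com/spdx/license-list-data
# json/licenses.json, truncated to three entries. A real deployment vendors the
# full file and has a scheduled job refresh it.
SAMPLE_LICENSE_LIST = json.dumps({
    "licenseListVersion": "3.23",
    "licenses": [
        {"licenseId": "MIT", "name": "MIT License",
         "isDeprecatedLicenseId": False, "isOsiApproved": True},
        {"licenseId": "GPL-3.0-only", "name": "GNU General Public License v3.0 only",
         "isDeprecatedLicenseId": False, "isOsiApproved": True},
        {"licenseId": "GPL-3.0", "name": "GNU General Public License v3.0 only",
         "isDeprecatedLicenseId": True, "isOsiApproved": True},
    ],
}).encode()

# Digest pinned at vendoring time. In a repository this is a checked-in
# constant that the update job changes together with the file; it is computed
# here only so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(SAMPLE_LICENSE_LIST).hexdigest()


class LicenseListError(ValueError):
    """The vendored licence list cannot be trusted or parsed."""


def verify_digest(raw: bytes, expected_sha256: str) -> bool:
    """True if raw bytes hash to the pinned digest (constant-time compare)."""
    import hmac
    return hmac.compare_digest(hashlib.sha256(raw).hexdigest(), expected_sha256)


def load_license_list(raw: bytes, expected_sha256: str) -> dict:
    """Parse licenses.json into {"version": str, "licenses": {id: deprecated}}.

    Refuses to parse anything whose digest does not match the pin, so a
    corrupted or swapped file fails closed instead of silently validating
    (or rejecting) licences against the wrong data.
    """
    if not verify_digest(raw, expected_sha256):
        raise LicenseListError("licence list digest does not match the pinned value")
    doc = json.loads(raw)
    try:
        version = doc["licenseListVersion"]
        entries = doc["licenses"]
        table = {e["licenseId"]: bool(e.get("isDeprecatedLicenseId", False))
                 for e in entries}
    except (KeyError, TypeError) as exc:
        raise LicenseListError("licence list is missing required fields") from exc
    return {"version": version, "licenses": table}


def check_license(license_id: str, license_list: dict) -> str:
    """Return "valid", "deprecated" or "unknown" for license_id.

    Identifiers are compared exactly (case-sensitive) here; that is a choice
    made for this example, not a statement of the SPDX matching rules.
    """
    table = license_list["licenses"]
    if license_id not in table:
        return "unknown"
    return "deprecated" if table[license_id] else "valid"


if __name__ == "__main__":
    licenses = load_license_list(SAMPLE_LICENSE_LIST, PINNED_SHA256)
    print(f"licence list version {licenses['version']}")
    for candidate in ("MIT", "GPL-3.0", "GPL-3.0-only", "mit", "Not-A-License"):
        print(f"{candidate:15} -> {check_license(candidate, licenses)}")
```

The same digest check is what makes option 2 (downloading the file at packaging or run time) acceptable from a supply-chain standpoint: a fetched licenses.json should only be accepted if it matches a digest recorded in the repo (or is signed by upstream), otherwise the validator's behaviour depends on whatever a network peer serves. Treating deprecated identifiers as a separate state lets the tool warn on "GPL-3.0" and suggest "GPL-3.0-only" rather than rejecting it outright.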

JJMC89 commented 1 year ago

I recreated the spdx-license-list package on PyPI after seeing another project run into this issue. I've automated updating it from upstream, and you should be able to use it as a drop-in replacement for the original one.

lengau commented 1 year ago

Thanks @JJMC89 ! Based on the repo I think it'd be reasonable to revert #168 and use this package. What do you think @tigarmo ?

dotlambda commented 2 months ago

Any update?