Populate the LicenseConcluded field in the SPDX report

[pietroalbini]

This PR fixes #586 by adding the --add-license-concluded flag to the reuse spdx command.

When that flag is provided, REUSE will now calculate the LicenseConcluded field in the SPDX report rather than setting it to NOASSERT, by ANDing all the expressions related to the file. This will allow tools consuming the SPDX report to know the actual licensing of each file, rather than having to rely on the lossy/incorrect LicenseInfoInFile fields.

Passing the flag will result in a slightly noticeable slowdown in large repositories: on rust-lang/rust, without the flag reuse spdx takes 4.13s, while with the flag it takes 4.72s.

To ensure compliance with the SPDX spec, this also adds the --creator-person and --creator-organization flags to reuse spdx. Optional by default, at least one of the flags will be required when passing --add-license-concluded, as requested in the issue.

Since there is no consensus yet in #586 whether to make this the default behavior or not, populating the field and gating that behind a CLI flag are in two different commits, so if you all decide to populate LicenseConcluded by default we can simply drop the last commit. This PR does not change LicenseInfoInFile in any way.

Also, the first commit makes running tests bearable on my machine, since I configured git to require signing all commits with my gpg key, which requires a physical touch on my YubiKey every time a commit is created 😅

[tenzap]

Will it work also when there are exceptions like in

SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0

[pietroalbini]

Yes, this also works when there are exceptions! To be extra sure, I added an exception to the new test I added 🙂

[pietroalbini]

Added reuse spdx --creator-person=NAME --creator-organization=NAME as requested in #586 (comment). The command will continue working without the flags, but at least one of them will be required when passing --add-license-concluded.

[alpianon]

hi @pietroalbini we at Oniro Project just realized that we would really need this functionality, it's great that you are already developing it, thanks! :)

FYI I'm proposing to add another spdx-related feature (support for comments, conversion of comments from dep5 to spdx, and possibly other comment-related features), see #625 . If you have any idea or feedback on that, feel free to comment there

[mxmehl]

Great work, thanks for implementing all of @silverhook's suggestions!

[nicorikken]

2 small suggestions but overall great work! I can see this coming in handy in many cases, thanks for contributing it.

[nicorikken]

⚠️ Please don't merge this PR just yet, @carmenbianca has added some improvements on top if this work at #690

[pietroalbini]

@nicorikken added @carmenbianca's commits to this PR. Sorry about not being able to push directly to the PR, that's a limitation of my employer's GitHub organization.

[y0urself]

Is there any chance these arguments will get into a release anytime soon?

[linozen]

Yes, we're planning a release in the next two weeks.

[y0urself]

Thank you for the answer! :)