Revisit/fix/update SPDX SBOM output

[mxmehl]

The REUSE tool currently generates a SPDX software bill of materials only in the SPDX-2.1 format. As an example, I attached the output of reuse spdx of this repository. There are a number of issues:

1. SPDX-2.3 is the current version.
2. Somehow, the FileCopyrightText do not look right, especially when using the SPDX-FileCopyrightText tags.
3. It might make sense to follow the minimal set of requirements of the NTIA which officially accepted SPDX as one way to create SBOMs. @kestewart may help here.

It seems we generate this document manually in spdx.py and report.py. Perhaps there is some spdx library that we can use?

Also, generating an optional JSON/YAML version would be great.

[mxmehl]

If we want to use the SPDX python tools as a dependency, it'd be great to have them packaged for Debian first, as mentioned in spdx/tools-python#201.

[rpavlik]

I wouldn't wait for packaging, packaging a pypi module is quite easy. I'd volunteer if I didn't already have too many things to do... (And I'm not a DD so it would need a sponsor anyway). I'm any case, reuse itself isn't packaged I don't think, so no big deal.