Looks like the `spdx-license-list` package is gone from PyPI. We use it to validate that the chosen license is valid. #168 replaces that package with `spdx-lookup` as a stop-gap to "unbreak" `main`, but as @lengau points out that one has a single release and an outdated license db. We should review this situation and come up with something more sustainable.