CNCF license allowlist should replace Python-2.0 with either PSF-2.0 or Python-2.0.1

[richardfontana]

The SPDX license list currently lists a few Python-related licenses, historically related to the Python (CPython) project, certain past employers of Guido van Rossum, and the Python Software Foundation and Python community:

• Python-2.0 : This is the version of the CPython "stack" license that was approved by the OSI, possibly in error, as it was apparently not used in any actual release of CPython or at least no releases in recent memory
• Python-2.0.1 : This is a corrected version of the CPython "stack" license that is actually used in known releases of CPython
• PSF-2.0 : This is the top license in the CPython stack
• CNRI-Python
• CNRI-Python-GPL-Compatible

We can ignore those legacy CNRI licenses for purposes of this issue.

PSF-2.0 has been used by a number of non-PSF Python projects (following the time-worn if questionable FOSS tradition of using the same license as the language implementation), despite the fact that it is not really suitable for use by non-PSF licensors. So for example some PyPI packages use this license.

Python-2.0.1 would probably only be appropriate to add if there's a CNCF project that is for some reason shipping a whole CPython release, unless there's a case where some project is copying code from CPython and it is not practical to tell whether that code is covered solely by PSF-2.0 or additionally one or more of the legacy licenses in the CPython stack.

For the gory details on Python-2.0.1, see spdx/license-list-XML#1200.

There is probably no reason why any CNCF project would be using Python-2.0, other than in an erroneous application of SPDX identifiers.

[krook]

This was reviewed by the Legal Committee and approved by the Governing Board. The approved license list has been updated to include PSF-2.0 and Python-2.0.1.