Remove `DEPENDS_ON` relationship
See https://github.com/spdx/spdx-spec/issues/439#issuecomment-656055242; having DEPENDENCY_OF and DEPENDS_ON is confusing users.
As new DEPENDENCY_OF is more expressive and easier to understand, I propose we remove `DEPENDS_ON` in SPDX 3.0 and amend `DEPENDENCY_OF` to be a generic dependency relationship regardless of how it was defined.
Aren't these relationships directed to opposite ends?
I mean, expressing the same thing would be curl DEPENDS_ON zlib and zlib DEPENDENCY_OF curl. If you remove one of them, how can you express the dependency when you only have one side?
If we can express any relationship regardless of direction, then we should also delete one of CONTAINS / CONTAINED_BY, PREREQUISITE_FOR / HAS_PREREQUISITE (and possibly others that I don't remember right now).
I recall in the 2.0 spec discussions we decided to add relationships for both directions. The reasoning behind this was if the right side of a relationship was in a separate SPDX document, we may not be able to edit the related SPDX element to add the opposite direction. Also, on the use case, the SPDX document author may only be interested in providing information on one direction but not the other.
This decision seems to have led to much complexity and confusion.
In a discussion with the OMG SBOM team yesterday, @iamwillbar suggested a structure that would allow an SPDX document to express external document references on either side of the relationship. If we implement this, we could remove the reciprocal relationships and simplify the spec. It would definitely be a 3.0 change as it would be a change to the object model.
This is resolved with the restructuring of the Relationship property in 3.0.
If you disagree, please open a more specific issue.
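
For anyone consuming SPDX 2.x documents, the reciprocal pairs discussed in this thread mean the same edge can be recorded in either direction, so a tool that reads only `DEPENDS_ON` can miss dependencies. The following is an added example, not part of the original thread or the SPDX project's code; it folds the three pairs named above into one direction, assuming the SPDX 2.x JSON relationship field names, and the sample records are constructed.

```python
# Added example: canonicalize reciprocal SPDX 2.x relationships so that a
# dependency recorded from either side yields the same graph edge.

# Reverse-direction type -> forward type (the pairs named in this thread).
INVERSE_OF = {
    "DEPENDENCY_OF": "DEPENDS_ON",
    "CONTAINED_BY": "CONTAINS",
    "HAS_PREREQUISITE": "PREREQUISITE_FOR",
}


def canonicalize(relationships):
    """Return sorted, de-duplicated (source, type, target) triples with every
    reverse-direction relationship flipped to its forward form."""
    triples = set()
    for rel in relationships:
        src = rel["spdxElementId"]
        rtype = rel["relationshipType"]
        dst = rel["relatedSpdxElement"]
        if rtype in INVERSE_OF:
            # "zlib DEPENDENCY_OF curl" is the same edge as "curl DEPENDS_ON zlib".
            src, rtype, dst = dst, INVERSE_OF[rtype], src
        triples.add((src, rtype, dst))
    return sorted(triples)


def direct_dependencies(relationships, element):
    """Direct dependencies of `element`, whichever side recorded the edge."""
    return sorted(dst for src, rtype, dst in canonicalize(relationships)
                  if src == element and rtype == "DEPENDS_ON")


def _rel(src, rtype, dst):
    return {"spdxElementId": src, "relationshipType": rtype,
            "relatedSpdxElement": dst}


# Constructed sample: zlib is recorded from both sides, openssl only from its own.
SAMPLE = [
    _rel("SPDXRef-curl", "DEPENDS_ON", "SPDXRef-zlib"),
    _rel("SPDXRef-zlib", "DEPENDENCY_OF", "SPDXRef-curl"),
    _rel("SPDXRef-openssl", "DEPENDENCY_OF", "SPDXRef-curl"),
    _rel("SPDXRef-curl", "CONTAINED_BY", "SPDXRef-image"),
]

if __name__ == "__main__":
    for triple in canonicalize(SAMPLE):
        print(*triple)
    print("curl depends on:", direct_dependencies(SAMPLE, "SPDXRef-curl"))
```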