chapters/3: Explicit external-reference ABNF
This section has never been particularly tight. For example, the old:
> `<type>` is an [idstring] that is defined in Appendix.
was probably intended to reference the old Appendix VII (removed by this pull request). This pull request ties external-references strictly to generic URIs (see discussion in #53). That breaks compatibility with the old form, but since the old form was unclear, I think that's ok.
The cpe entries are already URIs in their own right, although they aren't registered with IANA. You can resolve them here (like this). There are also other currently-unregistered schemes for referencing packages, e.g. package URLs. But managing all of that complexity isn't something that SPDX should handle. Instead, folks interested in providing stable packaging and security references should work on registering their URIs with IANA (or on establishing them in the SPDX ecosystem despite their not being registered).
Fixes #53.
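To make the "external references are generic URIs" rule concrete, here is an added example (not part of this pull request or the SPDX specification) that checks a candidate reference against the RFC 3986 scheme and character syntax and reports whether its scheme is IANA-registered. The sample references, the `KNOWN_UNREGISTERED` set and the short `IANA_REGISTERED` list are constructed assumptions for illustration.

```python
import re

# Scheme syntax from RFC 3986 section 3.1: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# Characters allowed after the scheme: unreserved, gen-delims, sub-delims
# and percent-encoded octets (RFC 3986 sections 2.2 and 2.3).
_URI_BODY_RE = re.compile(r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")

# Assumption: a deliberately short list of schemes that are IANA-registered.
IANA_REGISTERED = {"http", "https", "urn"}
# Assumption: schemes a consumer treats as well known although unregistered.
KNOWN_UNREGISTERED = {"cpe", "pkg"}

NOTE_NO_SCHEME = "not a URI: no RFC 3986 scheme"
NOTE_BAD_CHAR = "not a URI: illegal character after the scheme"
NOTE_REGISTERED = "IANA-registered scheme"
NOTE_WELL_KNOWN = "well-known scheme, not IANA-registered"
NOTE_UNKNOWN = "unknown scheme: describe it in the SPDX file"


def classify_external_ref(ref):
    """Return (is_uri, scheme, note) for one candidate external reference."""
    scheme, sep, rest = ref.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        return (False, None, NOTE_NO_SCHEME)
    scheme = scheme.lower()  # scheme names are case-insensitive
    if not _URI_BODY_RE.match(rest):
        return (False, scheme, NOTE_BAD_CHAR)
    if scheme in IANA_REGISTERED:
        return (True, scheme, NOTE_REGISTERED)
    if scheme in KNOWN_UNREGISTERED:
        return (True, scheme, NOTE_WELL_KNOWN)
    return (True, scheme, NOTE_UNKNOWN)


# Constructed sample references: a CPE 2.3 string, a package URL, an https
# advisory link, the old bare category name, and two syntactically bad values.
SAMPLE_REFS = [
    "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*",
    "pkg:npm/example-widget@1.0.0",
    "https://example.com/advisory/EXAMPLE-0001",
    "PACKAGE-MANAGER",
    "9lives:foo",
    "cpe:2.3:a:ex ample",
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(ref, "->", classify_external_ref(ref))
```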
I've pushed 849b91a → 6e8b3bc, addressing Yev's concerns from #58 (except for PACKAGE-MANAGER → PACKAGE_MANAGER). The rdf:resource relationship is now clearer, and I've dropped OTHER in favor of allowing authors to supply their own extension categories (which I recommend they describe in the SPDX file and submit to us for future standardization). I've also added semantic docs for the SECURITY and PACKAGE-MANAGER values.
Rebased onto master (around #8) with 9c2b5b7 → 5ecc05d.
The rebase also adds a CONTRIBUTORS.md update for the shifted CC-BY-3.0 reference (although the old reference was stale anyway, #73).
Closing this as stale. If you disagree, please reopen.