ExtractLicenses adds invalid "+" to -or-later SPDX license IDs #115

@ma-ble

Hi,

While using ExtractLicenses(), I noticed that license identifiers like GPL-2.0-or-later are returned with an added + suffix, resulting in:

["GPL-2.0-or-later+"]

This is surprising, as GPL-2.0-or-later+ is not a valid SPDX license identifier according to the official SPDX license list: https://spdx.org/licenses/
The valid identifier is simply GPL-2.0-or-later.

Looking at the parser code, it seems this behavior is intentional:

if strings.HasSuffix(token.value, "-or-later") { lic.hasPlus = true }

Later, licenseString() appends the + if hasPlus is true.

Could you share the reasoning behind appending a + to -or-later license identifiers, even though the -or-later suffix already conveys the “later versions allowed” semantics defined by SPDX?

Is the + intended as an internal marker for multi-version compatibility (e.g. for use in compatibility checks), and has it unintentionally surfaced in public-facing functions like ExtractLicenses()?
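The behaviour reported above, as an added Go example that is not part of the original post and not the project's own code: an internal "later versions allowed" flag set for `-or-later` identifiers, a renderer that leaks it as `+`, and one that keeps it internal. The type and function names (`licenseNode`, `parseLicense`, `renderNaive`, `renderCanonical`) and the handling of a trailing `+` on input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// licenseNode is a hypothetical stand-in for a parsed license, not the project's type.
type licenseNode struct {
	id      string // identifier without any trailing "+" operator
	hasPlus bool   // internal flag: later versions are acceptable
}

// parseLicense sets hasPlus for the SPDX "+" operator (assumed handling) and,
// as in the line quoted in the issue, for identifiers ending in "-or-later".
func parseLicense(token string) licenseNode {
	n := licenseNode{id: strings.TrimSuffix(token, "+")}
	n.hasPlus = n.id != token || strings.HasSuffix(n.id, "-or-later")
	return n
}

// renderNaive appends "+" whenever hasPlus is set, which reproduces the
// invalid "GPL-2.0-or-later+" output described in the issue.
func renderNaive(n licenseNode) string {
	if n.hasPlus {
		return n.id + "+"
	}
	return n.id
}

// renderCanonical keeps hasPlus internal: "+" is emitted only when the
// identifier does not already encode the or-later semantics itself.
func renderCanonical(n licenseNode) string {
	if n.hasPlus && !strings.HasSuffix(n.id, "-or-later") {
		return n.id + "+"
	}
	return n.id
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"GPL-2.0-or-later", "Apache-2.0+", "MIT"} {
		n := parseLicense(in)
		fmt.Printf("%-18s naive=%-20s canonical=%s\n", in, renderNaive(n), renderCanonical(n))
	}
}
```

With this split, compatibility checks can still consult `hasPlus` while public output stays restricted to identifiers that exist on the SPDX license list, which matters when the result is written into an SBOM or fed to a license policy gate.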
