Clarify why aliases should not be used in vulnerability bundles (#197)

@Roo4L from AlmaLinux suggested we explain why aliases shouldn't be used for bundling. I've added a sentence based on their suggestion. Signed-off-by: Michael Kedar <[email protected]>
ossf · Sep 15, 2023 · 21659be · 21659be
1 parent 8974fa5
commit 21659be
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/docs/schema.md b/docs/schema.md
@@ -413,7 +413,10 @@ Aliases should be considered symmetric (if A is an alias of B, then B is an
 alias of A) and transitive (If A aliases B and B aliases C, then A aliases C).
 
 Aliases should **not** be used in records that bundle many different
-vulnerabilities in one patch of a distribution of a package.
+vulnerabilities in one patch of a distribution of a package. Listing multiple
+vulnerabilities as `aliases` would mean that they are all identical (due to the
+symmetry/transitivity of `aliases`), not that one release fixes multiple
+(distinct) vulnerabilities.
 
 ## related field