add clarity around distros' use of aliases

docs/schema.md

@@ -460,11 +460,11 @@ databases, in the form of the `id` field. This allows one database to claim that
 its own entry describes the same vulnerability as one or more entries in other
 databases.
 
-Two vulnerabilities can be described as aliases if a potential patch that
-addresses one of the vulnerabilities (and no other vulnerabilities) will also
-address the other vulnerability, and vice versa. Aliases may be used for
-vulnerabilities affecting different packages or ecosystems as long as they
-follow this definition.
+Two vulnerabilities can be described as aliases if they affect any given
+software component the same way: either both vulnerabilities affect the software
+component or neither do. And, consequently, a potential patch that addresses one
+of the vulnerabilities (and no other vulnerabilities) will also address the
+other vulnerability, and vice versa.
 
 Aliases should be considered symmetric (if A is an alias of B, then B is an
 alias of A) and transitive (If A aliases B and B aliases C, then A aliases C).
@@ -475,6 +475,13 @@ vulnerabilities as `aliases` would mean that they are all identical (due to the
 symmetry/transitivity of `aliases`), not that one release fixes multiple
 (distinct) vulnerabilities.
 
+Aliases should **not** be used to refer to vulnerabilities in packages upstream
+or downstream in a software supply chain from the given OSV record's affected
+package(s). For example, if a CVE describes a vulnerability in a language
+library, and a Linux distribution package contains that library and therefore
+publishes an advisory, the distribution's OSV record must not list the CVE ID as
+an alias. (It should use the `related` field instead.)
+
 ## related field
 
 ```json
@@ -1613,4 +1620,3 @@ When a package in the `Android` ecosystem is the Linux kernel source code, its `
 - NVIDIA
 - Qualcomm
 - Unisoc
-