Clarify distro qualifier per purl type? #423

@gernot-h

The spec only briefly mentions distro as an example for a qualifier, but doesn't provide an exact format.

In the purl types document, it's mentioned in several sections, but also not really narrowing down the format. This leads to some ambiguities already in the spec, I think:

  • bitnami uses distro=debian-12 in the examples, while deb uses the codename, i.e. distro=jessie. This might make sense as bitnami has a broader scope, but it's still confusing due to unclear scope if you just search for distro examples.
  • apk mentions that the package repo shall be implied from the distro or repository_url qualifier, but the examples use neither, so I'm unsure whether I should use only the branch name (alpine-3.20), which would be enough to know the repo, or the full release version (alpine-3.20.3), which is what e.g. Syft seems to use.

So my question is, should we have a general recommended format for this qualifier, or better try to specify it only in the corresponding sections? I personally think having a general format might be impossible; probably we could only state whether it should contain the namespace or type part or not. I could start by making a suggestion for deb and apk types, if we agree on that approach.

Or is the expectation that parsers should be flexible enough to accept different formats? I think this would be hard to reach; thinking of Debian, it could at least be "codename", "debian-codename", "debian-major", "debian-major.minor" etc.
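
To illustrate the ambiguity raised in the issue, here is an added example (not part of the original post and not taken from the purl spec) showing how two tools that spell the distro qualifier differently fail an exact-match comparison for the same release, which is how a vulnerability lookup can silently miss a package. The normalization rules, the codename table and the sample purls are assumptions constructed for this example.

```python
from urllib.parse import parse_qsl

# Constructed lookup table (assumption of this example, not defined by the purl spec).
DEBIAN_CODENAMES = {"jessie": 8, "stretch": 9, "buster": 10, "bullseye": 11, "bookworm": 12}

# Constructed sample purls: same package and release, two spellings of distro.
SBOM_PURL = "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=debian-12"
FEED_PURL = "pkg:deb/debian/curl@7.88.1-10?arch=amd64&distro=bookworm"

def purl_type(purl):
    """Return the purl type, e.g. 'deb' or 'apk'."""
    return purl[len("pkg:"):].split("/", 1)[0].lower()

def distro_qualifier(purl):
    """Return the raw distro qualifier of a purl string, or None if absent."""
    query = purl.split("#", 1)[0].partition("?")[2]
    return dict(parse_qsl(query)).get("distro")

def normalize_distro(ptype, raw):
    """Map the spellings listed in the issue to (distro, release).

    Returns None for anything unrecognized so the caller can flag it
    instead of treating it as a confirmed non-match.
    """
    if raw is None:
        return None
    value = raw.lower()
    if ptype == "deb":
        # "codename", "debian-codename", "debian-major", "debian-major.minor"
        prefixed = value.startswith("debian-")
        tail = value[len("debian-"):] if prefixed else value
        if tail in DEBIAN_CODENAMES:
            return ("debian", str(DEBIAN_CODENAMES[tail]))
        major = tail.split(".")[0]
        return ("debian", major) if prefixed and major.isdigit() else None
    if ptype == "apk" and value.startswith("alpine-"):
        # "alpine-3.20" (branch) and "alpine-3.20.3" (full release) share a repo branch.
        parts = value[len("alpine-"):].split(".")
        if len(parts) >= 2 and parts[0].isdigit() and parts[1].isdigit():
            return ("alpine", parts[0] + "." + parts[1])
    return None

def same_release(purl_a, purl_b):
    """True only when both qualifiers normalize to the same known release."""
    a = normalize_distro(purl_type(purl_a), distro_qualifier(purl_a))
    b = normalize_distro(purl_type(purl_b), distro_qualifier(purl_b))
    return a is not None and a == b
```
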
