How to provide advisories in different parallel CSAF versions? #843

Open
sthagen opened this issue Dec 15, 2024 · 0 comments

sthagen commented Dec 15, 2024

During the CSAF Community Days 2024, 12.-13. December 2024 in Munich, it became clear that providers often map directories directly served per HTTPS to CSAF format versions.

Examples: foo/v2/bar or baz/2.0/quux.

Other providers do not indicate any CSAF format version in the paths or the provider.json resource.

All these use cases are plausible and fit the provider and consumer needs, it seems, but when CSAF v2.1 is available, there is the reasonable assumption that for some time out of control of the TC there will be many mixed format situations:

  • Only CSAF v2.0
  • CSAF v2.0 for older advisories and CSAF v2.1 for "fresher" advisories
  • CSAF v2.0 for all advisories and CSAF v2.1 for "fresher" advisories
  • Only CSAF v2.1

Questions to seed the discussion:

  • Do we need to adjust the provider json schema of CSAF v2.1?
  • Do we need to amend also the CSAF v2.0 provider json schema?
  • Do we lack informative text in our CSAF v2.1 prose to guide and support the communities?
  • Would the CSAF ecosystem profit from FAQ entries providing solutions for these scenarios?
@sthagen sthagen self-assigned this Dec 15, 2024
@sthagen sthagen changed the title Empower providers to provide advisories in different CSAF versions in parallel How to provide advisories in different parallel CSAF versions? Dec 15, 2024
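
A consumer-side check for the mixed-format situations listed in the issue, as an added example that is not part of the issue or of the CSAF specification: it groups fetched advisories by the version each document declares in `/document/csaf_version` and flags URLs whose path segment (as in `foo/v2/bar` or `baz/2.0/quux`) disagrees with that declaration. The hosts, paths and tracking ids are constructed, and `"2.1"` as the declared value for CSAF v2.1 documents is an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed sample of (URL, body) pairs a consumer might have fetched.
# Only /document/csaf_version is a real CSAF field; "2.1" is an assumed value.
SAMPLE = [
    ("https://example.com/foo/v2/bar/adv-0001.json",
     '{"document": {"csaf_version": "2.0", "tracking": {"id": "ADV-0001"}}}'),
    ("https://example.com/baz/2.0/quux/adv-0002.json",
     '{"document": {"csaf_version": "2.1", "tracking": {"id": "ADV-0002"}}}'),
    ("https://example.com/advisories/2024/adv-0003.json",
     '{"document": {"csaf_version": "2.1", "tracking": {"id": "ADV-0003"}}}'),
    ("https://example.com/baz/2.1/quux/adv-0004.json",
     '{"document": {"tracking": {"id": "ADV-0004"}}}'),
]

# Directory names that look like a format version hint: v2, 2.0, v2.1, ...
# A year directory such as "2024" does not match.
HINT = re.compile(r"^v?(2(?:\.[01])?)$")


def path_hint(url):
    """Return the version hinted by a directory segment of the URL, or None."""
    for segment in url.split("/")[3:-1]:  # skip scheme, host and file name
        match = HINT.match(segment)
        if match:
            return match.group(1)
    return None


def classify(fetched):
    """Group URLs by declared csaf_version and list path/declaration mismatches."""
    by_version, mismatches = defaultdict(list), []
    for url, body in fetched:
        try:
            declared = json.loads(body)["document"]["csaf_version"]
        except (ValueError, KeyError, TypeError):
            declared = None
        if not isinstance(declared, str):
            declared = None  # missing or malformed: route to manual review
        by_version[declared].append(url)
        hint = path_hint(url)
        if hint and declared:
            # A major-only hint ("v2") is compatible with any 2.x document.
            major_only = "." not in hint and declared.startswith(hint + ".")
            if declared != hint and not major_only:
                mismatches.append((url, hint, declared))
    return dict(by_version), mismatches
```

The document's own declaration decides which schema to validate against; the path hint is only used to report disagreement.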