This is what I propose:
Here, we keep the meaning of Product to what we originally had in the OpenAPI spec. We introduce Product Release which is actually a packaged box and that has references to the actual Components available to the consumer (either fixed or established via Componentref).
One important note is that the Discovery mechanism points to Product Release and not Product.
A clear benefit of this model is we clearly define what Product Release is - an actual box or software package that the user gets and what Product is - a logical grouping of related Product Releases. This will ensure implementations are not adding their own meaning that may be inconsistent with other implementations.
Now, for folks who don't want to use the concept of Product, we make that optional. This should be fine because Product is no longer an entry point of Discovery. I hope this can satisfy Apache requirements and my requirements across several OSS and COTS projects where we do need a separate Product category as well as Dependency-Track maintainers' requirements not to keep a separate Product category.
Again, I would suggest having another 1-hour workshop on this to discuss - I believe we had 2 workshops scheduled originally for this, so that should be reasonable to have the second one.
Originally posted by @taleodor in #186 (comment)